> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enkryptai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Scan a Hosted MCP Server

> Create a new hosted MCP server scan job. Connects to a live MCP server, discovers tools/resources/prompts, and runs security analysis on the metadata. The scan runs asynchronously in the background.



## OpenAPI

````yaml POST /mcp-hub/scan/hosted
openapi: 3.0.0
info:
  title: Enkrypt AI APIs
  version: 2.0.0
servers:
  - url: https://api.enkryptai.com
security:
  - apiKeyAuth: []
tags:
  - name: Guardrails
  - name: Code of Conduct
  - name: Endpoints
  - name: Datasets
  - name: Redteam
  - name: Deployments
  - name: AI Proxy
  - name: Leaderboard
  - name: Archived
  - name: MCP Hub
    description: >-
      MCP Hub vulnerability scanning APIs. Submitting scans (the POST endpoints)
      is open to all authenticated callers. The scan **retrieval** APIs — Get
      Scan Job Status, Get Complete Scan Results, List Scans, and Get MCP Hub
      Scan Statistics (the GET endpoints) — are an **enterprise data-license
      feature**: they require your organization to have MCP Hub API access
      enabled by Enkrypt, otherwise they return `403`. Contact us at
      support@enkryptai.com to enable access.
  - name: MCP Registry Servers
  - name: MCP Gateways
  - name: MCP Playground
paths:
  /mcp-hub/scan/hosted:
    post:
      tags:
        - MCP Hub
      summary: Scan a Hosted MCP Server
      description: >-
        Create a new hosted MCP server scan job. Connects to a live MCP server,
        discovers tools/resources/prompts, and runs security analysis on the
        metadata. The scan runs asynchronously in the background.
      operationId: mcp_hub_create_hosted_scan
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MCPHubHostedScanRequest'
            examples:
              bearer-auth:
                summary: Hosted scan with bearer token auth
                value:
                  endpoint_url: https://mcp.example.com/sse
                  server_name: Example MCP Server
                  auth_config:
                    auth_type: bearer
                    bearer_token: your-token-here
              oauth2-client-credentials:
                summary: Hosted scan with OAuth 2.0 client-credentials
                value:
                  endpoint_url: https://mcp.example.com/sse
                  server_name: Example MCP Server
                  auth_config:
                    auth_type: oauth2_client_credentials
                    oauth_config:
                      client_id: your-client-id
                      client_secret: your-client-secret
                      token_url: https://idp.example.com/oauth/token
                      audience: https://mcp.example.com
                      scope: read:tools
              oauth2-gateway-aliases:
                summary: Hosted scan with gateway-style UPPERCASE OAuth keys
                value:
                  endpoint_url: https://mcp.example.com/sse
                  server_name: Example MCP Server
                  auth_config:
                    auth_type: oauth2_client_credentials
                    oauth_config:
                      OAUTH_CLIENT_ID: your-client-id
                      OAUTH_CLIENT_SECRET: your-client-secret
                      OAUTH_TOKEN_URL: https://idp.example.com/oauth/token
                      OAUTH_GRANT_TYPE: client_credentials
              no-auth:
                summary: Hosted scan without authentication
                value:
                  endpoint_url: https://mcp.example.com/sse
                  server_name: Public MCP Server
      responses:
        '202':
          description: Hosted scan job accepted
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MCPHubHostedScanResponse'
        '401':
          $ref: '#/components/responses/MCPHubUnauthorized'
        '422':
          $ref: '#/components/responses/MCPHubValidationError'
components:
  schemas:
    MCPHubHostedScanRequest:
      title: MCPHubHostedScanRequest
      type: object
      required:
        - endpoint_url
      description: Request body for scanning a live, hosted MCP server endpoint.
      properties:
        endpoint_url:
          type: string
          description: URL of the hosted MCP server (e.g., https://mcp.example.com/sse)
          example: https://mcp.example.com/sse
        auth_config:
          allOf:
            - $ref: '#/components/schemas/MCPHubAuthConfig'
          nullable: true
          description: >-
            Authentication configuration used by the scanner when connecting to
            the hosted MCP server
        server_name:
          type: string
          nullable: true
          description: Display name for the server
          example: Example MCP Server
        expected_tools:
          type: array
          nullable: true
          items:
            type: string
          description: List of expected tool names for shadow-tool detection
        is_private:
          type: boolean
          default: false
          description: Mark this scan as private
    MCPHubHostedScanResponse:
      title: MCPHubHostedScanResponse
      type: object
      required:
        - job_id
        - endpoint_url
        - user_email
        - job_status
        - message
      description: Response returned when a hosted scan job is accepted.
      properties:
        job_id:
          type: string
          description: Unique identifier for the scan job
        endpoint_url:
          type: string
        user_email:
          type: string
        job_status:
          type: string
        message:
          type: string
          description: Human-readable status message
    MCPHubAuthConfig:
      title: MCPHubAuthConfig
      type: object
      description: >-
        Authentication configuration accepted by the hosted scan endpoint.
        Fields beyond `auth_type` are conditionally relevant based on the chosen
        `auth_type`.
      properties:
        auth_type:
          allOf:
            - $ref: '#/components/schemas/MCPHubAuthType'
          default: none
          description: Authentication type
        api_key:
          type: string
          nullable: true
          description: API key value (for `api_key` auth)
        api_key_header_name:
          type: string
          nullable: true
          default: Authorization
          description: Header name for the API key
        api_key_prefix:
          type: string
          nullable: true
          default: Bearer
          description: Prefix prepended to the API key value
        bearer_token:
          type: string
          nullable: true
          description: Bearer token value (for `bearer` auth)
        oauth_config:
          allOf:
            - $ref: '#/components/schemas/MCPHubOAuthConfig'
          nullable: true
          description: OAuth 2.0 configuration (for `oauth2_*` auth types)
        custom_headers:
          type: object
          nullable: true
          additionalProperties:
            type: string
          description: Custom headers map (for `custom_headers` auth)
        mtls_cert_path:
          type: string
          nullable: true
          description: Path to the mTLS client certificate (for `mtls` auth)
        mtls_key_path:
          type: string
          nullable: true
          description: Path to the mTLS client private key (for `mtls` auth)
      example:
        auth_type: bearer
        bearer_token: eyJhbGciOiJIUzI1NiIs...
    MCPHubAuthErrorResponse:
      title: MCPHubAuthErrorResponse
      type: object
      description: Error envelope returned by the MCP Hub auth/permission failures.
      properties:
        detail:
          type: string
    MCPHubValidationError:
      title: MCPHubValidationError
      type: object
      description: FastAPI-style validation error response.
      properties:
        detail:
          type: array
          items:
            type: object
            required:
              - loc
              - msg
              - type
            properties:
              loc:
                type: array
                items:
                  oneOf:
                    - type: string
                    - type: integer
              msg:
                type: string
              type:
                type: string
    MCPHubAuthType:
      title: MCPHubAuthType
      type: string
      description: >-
        Authentication type accepted by the hosted scan API. `oauth2_password`
        uses the Resource Owner Password Credentials grant for IAM systems that
        do not expose `client_credentials`.
      enum:
        - none
        - api_key
        - bearer
        - oauth2_client_credentials
        - oauth2_authorization_code
        - oauth2_password
        - custom_headers
        - mtls
    MCPHubOAuthConfig:
      title: MCPHubOAuthConfig
      type: object
      required:
        - client_id
        - token_url
      description: >-
        OAuth 2.0 configuration for hosted-scan authentication. Supports the
        `client_credentials` (machine-to-machine) and `password` (Resource Owner
        Password Credentials) grants.


        **Gateway-style aliases:** UPPERCASE field names from
        `secure-mcp-gateway` are accepted as drop-in aliases inside this block —
        `OAUTH_TOKEN_URL` → `token_url`, `OAUTH_CLIENT_ID` → `client_id`,
        `OAUTH_CLIENT_SECRET` → `client_secret`, `OAUTH_AUDIENCE` → `audience`,
        `OAUTH_SCOPE` → `scope`, `OAUTH_GRANT_TYPE` → `grant_type`,
        `OAUTH_USERNAME` → `username`, `OAUTH_PASSWORD` → `password`,
        `OAUTH_AUTHORIZATION_URL` → `authorization_url`, `OAUTH_REDIRECT_URI` →
        `redirect_uri`. If both an UPPERCASE key and its lowercase form are
        supplied, the lowercase value wins. Gateway-only toggles (`enabled`,
        `is_remote`, `OAUTH_VERSION`, `OAUTH_USE_PKCE`, …) are accepted and
        ignored; `enabled: false` disables OAuth (falls back to `auth_type:
        none`).
      properties:
        client_id:
          type: string
        client_secret:
          type: string
          nullable: true
          description: >-
            OAuth client secret. Optional for public clients or the password
            grant against IAM systems that do not require it.
        token_url:
          type: string
        authorization_url:
          type: string
          nullable: true
        redirect_uri:
          type: string
          nullable: true
        scope:
          type: string
          nullable: true
        audience:
          type: string
          nullable: true
        grant_type:
          type: string
          default: client_credentials
          description: >-
            OAuth grant type. Supported: `client_credentials` (default) or
            `password`.
        username:
          type: string
          nullable: true
          description: >-
            Resource owner username. Required only when `auth_type` is
            `oauth2_password`.
        password:
          type: string
          nullable: true
          description: >-
            Resource owner password. Required only when `auth_type` is
            `oauth2_password`.
  responses:
    MCPHubUnauthorized:
      description: Unauthorized — missing or invalid Authorization header
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/MCPHubAuthErrorResponse'
    MCPHubValidationError:
      description: Validation error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/MCPHubValidationError'
  securitySchemes:
    apiKeyAuth:
      type: apiKey
      in: header
      name: apikey

````