What does the MCP server tester check?
The tester probes your live site with real JSON-RPC 2.0 requests — the same MCP checks as a full AgentGrade scan:
- Endpoint responds — an MCP endpoint exists at a standard path (
/mcp,/api/mcp,/.well-known/mcp.json), accepting 200, 405, or 406 as evidence of life. - Initialize handshake — the
initializemethod returnsprotocolVersion,capabilities, andserverInfo. - Tools listed —
tools/listreturns named tools with input schemas. - tools/call responds — the call pipeline works; even a structured JSON-RPC error proves it.
- Server name present — agents can identify what they're connected to.
- SSE / Streamable HTTP transport — streaming support, detected via
text/event-streamor the 406 pattern. - CORS enabled — the headers that decide whether browser-based MCP clients (MCP Inspector, extensions, web-embedded agents) can reach you. Claude.ai and ChatGPT connectors call server-to-server and don't need it.
What is an MCP server?
MCP (Model Context Protocol) is a JSON-RPC 2.0 protocol that lets AI agents discover and call tools on a remote server. A site exposing /mcp declares named tools — search_products, get_invoice — that an agent invokes programmatically instead of scraping pages. Specified by Anthropic in late 2024, supported by Claude, Cursor, Windsurf, and other agent runtimes. See the AgentGrade MCP guide for implementation details.
A minimal working MCP server
// Minimal Express JSON-RPC 2.0 handler at /mcp
app.post('/mcp', express.json(), (req, res) => {
const { id, method, params } = req.body || {};
if (method === 'initialize') {
return res.json({ jsonrpc: '2.0', id, result: {
protocolVersion: '2024-11-05',
capabilities: { tools: {} },
serverInfo: { name: 'example.com', version: '1.0.0' },
}});
}
if (method === 'tools/list') {
return res.json({ jsonrpc: '2.0', id, result: { tools: [
{ name: 'echo', description: 'Echoes its input',
inputSchema: { type: 'object',
properties: { text: { type: 'string' } }, required: ['text'] } },
]}});
}
res.json({ jsonrpc: '2.0', id, error: { code: -32601, message: 'Method not found' } });
});
Common MCP server mistakes
No CORS headers
Server-side clients — including Claude.ai and ChatGPT connectors, which call from Anthropic's and OpenAI's infrastructure — connect fine, so everything looks healthy. But browser-based clients like MCP Inspector and extensions silently can't reach the endpoint. Add Access-Control-Allow-Origin, allow POST and OPTIONS, and answer preflight with 204 or 200.
The SPA catch-all
A client-side router that returns the homepage HTML with status 200 for /mcp. It looks like an endpoint to a status check and fails the moment an agent sends JSON-RPC. The tester sends real requests, so this shows up as "endpoint responds" passing and "initialize handshake" failing.
tools/list without initialize
Real clients negotiate the protocol first. An endpoint that answers tools/list but errors on initialize fails Claude and every other conforming runtime at the handshake.
Missing server name
serverInfo.name is how agents identify and label your server in their tool lists. Leaving it empty makes your tools anonymous.
Frequently asked questions
Can I test a localhost MCP server here?
No — this tester probes public URLs from our servers, so your endpoint must be reachable from the internet. For local development, test against a tunnel (ngrok or similar) or deploy to staging first.
My endpoint returns 405 on GET — is that a failure?
No. 405 usually just means the endpoint only accepts POST, which is normal for JSON-RPC. The tester treats 405 and 406 as evidence an endpoint exists and continues with proper POST requests.
How is this different from a full AgentGrade scan?
This page runs the MCP slice of the full scan. The complete scan covers 70+ checks across payments, discovery files, OpenAPI, content negotiation, and infrastructure — same instant, no-signup report.