What is the AquilaX MCP Server?

The AquilaX MCP Server is a hosted Model Context Protocol server that lets AI assistants like Claude, Cursor, Windsurf, and VS Code Copilot perform security scanning, vulnerability management, and AI-powered code fixing by connecting to AquilaX.

Which AI clients are supported by AquilaX MCP?

AquilaX MCP supports Claude Desktop, Claude Code (CLI), Cursor, Windsurf, VS Code GitHub Copilot, Continue.dev, Zed, OpenAI Codex, and any other MCP-compatible AI client.

AquilaX MCP Server - AI Security Scanning via Model Context Protocol

01 · Setup

Get your credentials

Before configuring any AI client, you need three credentials from your AquilaX account. These are passed as HTTP headers with every MCP request - they are never stored on the MCP server.

Sign in at aquilax.ai and navigate to:

Dashboard → Settings → Account
https://aquilax.ai/app/dashboard/pages/settings/account

Credential	Header	Where to find it
API Key	X-AX-Key	API Settings section - click Generate API Key if you don't have one yet
Organization ID	X-AX-Org	Organization settings page, or visible in the URL when viewing your org
Group ID	X-AX-Group	Group settings page, or visible in the URL when viewing a group

0

install steps

7

MCP tools

8+

AI clients

Free

to connect

02 · Quick Start

Connect in under a minute

The AquilaX MCP server is fully hosted - no installation, no Docker, no infrastructure. Point your AI client at the URL below and pass your credentials as HTTP headers.

JSON - universal pattern

{ "mcpServers": { "aquilax": { "url": "https://mcp.aquilax.ai/mcp", "headers": { "X-AX-Key": "YOUR_AQUILAX_API_KEY", "X-AX-Org": "YOUR_ORG_ID", "X-AX-Group": "YOUR_GROUP_ID" } } } }

After connecting, your AI assistant sees all AquilaX security tools automatically - no manual tool selection needed. Just talk.

Example - Claude or Cursor

# You say: "Scan this file for security issues" # AI automatically calls: → scan_code(snippet="...") # Returns: ← Critical · SQL Injection · line 34 - unsanitised raw query ← Critical · Hardcoded Secret · line 12 - API key in source # You say: "Fix the SQL injection on line 34" # AI automatically calls: → fix_vulnerability(finding_id="ax-1234") ← Secure fix generated - ready to apply

03 · Configuration

Configure your AI client

AquilaX MCP uses Streamable HTTP transport - supported natively by all modern AI clients. Select yours below for the exact configuration snippet.

Claude Desktop uses the mcp-remote bridge, run automatically via npx - no installation needed.
Config file: macOS: ~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json

JSON

{ "mcpServers": { "aquilax": { "command": "npx", "args": [ "-y", "mcp-remote", "https://mcp.aquilax.ai/mcp", "--header", "X-AX-Key: YOUR_AQUILAX_API_KEY", "--header", "X-AX-Org: YOUR_ORG_ID", "--header", "X-AX-Group: YOUR_GROUP_ID" ] } } }

Restart Claude Desktop after saving - AquilaX tools appear in the tool list automatically.

Claude Code (CLI) supports HTTP transport natively via CLI command or JSON config.

Shell - Option A (CLI)

claude mcp add --transport http aquilax https://mcp.aquilax.ai/mcp \ -H "X-AX-Key: YOUR_AQUILAX_API_KEY" \ -H "X-AX-Org: YOUR_ORG_ID" \ -H "X-AX-Group: YOUR_GROUP_ID" # Verify claude mcp list

JSON - Option B (.claude/settings.json)

{ "mcpServers": { "aquilax": { "type": "http", "url": "https://mcp.aquilax.ai/mcp", "headers": { "X-AX-Key": "YOUR_AQUILAX_API_KEY", "X-AX-Org": "YOUR_ORG_ID", "X-AX-Group": "YOUR_GROUP_ID" } } } }

Edit ~/.cursor/mcp.json (global) or .cursor/mcp.json in your project root. Or: Settings → Cursor Settings → MCP → Add new MCP server.

JSON

{ "mcpServers": { "aquilax": { "url": "https://mcp.aquilax.ai/mcp", "headers": { "X-AX-Key": "YOUR_AQUILAX_API_KEY", "X-AX-Org": "YOUR_ORG_ID", "X-AX-Group": "YOUR_GROUP_ID" } } } }

Add .cursor/mcp.json to .gitignore - never commit credentials to version control.

Config: macOS/Linux: ~/.codeium/windsurf/mcp_config.json · Windows: %USERPROFILE%\.codeium\windsurf\mcp_config.json
Use env interpolation to keep secrets out of config files.

JSON - env variables (recommended)

{ "mcpServers": { "aquilax": { "url": "https://mcp.aquilax.ai/mcp", "headers": { "X-AX-Key": "${env:AQUILAX_API_KEY}", "X-AX-Org": "${env:AQUILAX_ORG_ID}", "X-AX-Group": "${env:AQUILAX_GROUP_ID}" } } } }

Restart Windsurf after saving the config. Set the env vars in your shell profile.

Create or edit .vscode/mcp.json in your workspace. VS Code securely prompts for each credential on first use - no secrets stored in the file.

JSON

{ "servers": { "aquilax": { "type": "http", "url": "https://mcp.aquilax.ai/mcp", "headers": { "X-AX-Key": "${input:aquilaxKey}", "X-AX-Org": "${input:aquilaxOrg}", "X-AX-Group": "${input:aquilaxGroup}" } } }, "inputs": [ { "type": "promptString", "id": "aquilaxKey", "description": "AquilaX API Key", "password": true }, { "type": "promptString", "id": "aquilaxOrg", "description": "AquilaX Organization ID" }, { "type": "promptString", "id": "aquilaxGroup", "description": "AquilaX Group ID" } ] }

For global config: open Command Palette (Ctrl+Shift+P) → MCP: Open User Configuration.

Edit ~/.continue/config.yaml. MCP tools are only available in Agent Mode.

YAML

mcpServers: - name: aquilax type: streamable-http url: https://mcp.aquilax.ai/mcp requestOptions: headers: X-AX-Key: "YOUR_AQUILAX_API_KEY" X-AX-Org: "YOUR_ORG_ID" X-AX-Group: "YOUR_GROUP_ID"

Open Settings (Cmd+, / Ctrl+,) and add to your settings.json. Or use the Agent Panel (✨) → Settings → Add Custom Server.

JSON

{ "context_servers": { "aquilax": { "url": "https://mcp.aquilax.ai/mcp", "headers": { "X-AX-Key": "YOUR_AQUILAX_API_KEY", "X-AX-Org": "YOUR_ORG_ID", "X-AX-Group": "YOUR_GROUP_ID" } } } }

Edit ~/.codex/config.toml or a project-scoped .codex/config.toml. Use env_http_headers to avoid committing secrets.

TOML

[mcp_servers.aquilax] url = "https://mcp.aquilax.ai/mcp" # Pull from environment variables (recommended) [mcp_servers.aquilax.env_http_headers] "X-AX-Key" = "AQUILAX_API_KEY" "X-AX-Org" = "AQUILAX_ORG_ID" "X-AX-Group" = "AQUILAX_GROUP_ID"

04 · MCP Tools

7 security tools, invoked automatically

AquilaX exposes a suite of purpose-built security tools via MCP. Your AI assistant reads the tool descriptions and calls the right one based on your natural language request - no manual selection needed.

list_organizations

List all organizations your account belongs to. Used as the first step before listing groups or vulnerabilities.

list_groups

List groups within an organization along with their metadata and IDs.

start_scan

Trigger a full repository security scan by supplying a Git URL. Returns a scan ID to track progress.

get_scan_status

Check the real-time status, progress, and result summary of a running or completed scan.

scan_code

Scan a code snippet or file contents immediately for SAST vulnerabilities, secrets, and insecure patterns.

list_vulnerabilities

List all findings with optional filters by severity, status, scanner type, or scan ID.

fix_vulnerability

Generate an AI-powered, context-aware secure code replacement for a specific finding using Securitron AI. Returns a drop-in code fix ready to apply or review.

05 · Usage

Example prompts

Once connected, describe what you need in plain English. Your AI assistant automatically selects and chains the correct AquilaX tools.

Scan this file for security issues

→ scan_code · analyzes snippet, returns findings with severity and remediation

List all critical vulnerabilities in my project

→ list_organizations → list_groups → list_vulnerabilities(severity: critical)

Fix this SQL injection vulnerability

→ fix_vulnerability(finding_id) · Securitron AI generates a secure, drop-in code block

Start a scan on my repo github.com/myorg/myapp

→ start_scan(git_uri) · triggers a full repo scan, returns scan ID

Show me all high-severity findings from the last scan

→ get_scan_status → list_vulnerabilities(severity: high)

What security issues are in this function?

→ scan_code · inline snippet scanning - SAST, secrets, dependency risks

06 · Authentication

Stateless. Secure. Zero credential storage.

Credentials are passed per-request via HTTP headers - they never touch the MCP server's storage. The server is fully stateless with respect to authentication. Every request is validated directly against the AquilaX API.

Header	Required	Description
X-AX-Key	Required	Your AquilaX API key from the account settings page
X-AX-Org	Recommended	Default Organization ID for all tool calls. If omitted, your AI must call `list_organizations` to discover it first.
X-AX-Group	Recommended	Default Group ID for all tool calls. Can also be passed as a tool parameter per-call.

Setting X-AX-Org and X-AX-Group as headers gives your AI assistant full context from the first message. Without them, it will discover your org/group IDs automatically using list_organizations and list_groups on the first relevant request.

07 · API Endpoints

Transport options

AquilaX MCP supports the modern Streamable HTTP transport (recommended) and legacy SSE for backward compatibility. The server is hosted at https://mcp.aquilax.ai.

Method	Path	Transport	Description
`POST`	/mcp	Recommended	Streamable HTTP - modern MCP transport for all clients
`GET`	/mcp	Recommended	Streamable HTTP SSE notifications stream
`GET`	/sse	Legacy SSE	SSE event stream for backward compatibility
`POST`	/messages	Legacy SSE	Message endpoint for legacy SSE sessions
`GET`	/health	HTTP	Health check - returns `{"status":"ok"}`

08 · Debugging

Inspect the MCP server

The MCP Inspector is a browser-based UI for browsing and testing all AquilaX MCP tools interactively - useful for validating your credentials, understanding tool schemas, and debugging before connecting an AI client.

Shell - launch Inspector (no install)

npx @modelcontextprotocol/inspector https://mcp.aquilax.ai/mcp

Adding auth headers in the Inspector UI

Once the browser UI opens, follow these steps to authenticate:

Click Headers or Connection Settings in the toolbar
Add header X-AX-Key → your AquilaX API key
Add header X-AX-Org → your Organization ID
Add header X-AX-Group → your Group ID
Click Connect - all 7 AquilaX tools appear in the sidebar
Click any tool, fill in parameters, and click Run to test it live

The Inspector is also an excellent way to confirm your credentials are valid before configuring Claude or Cursor - if tools load correctly here, they'll work in your AI client.

09 · Best Practices

Security best practices

Never commit credentials to version control. Add config files containing API keys to .gitignore: .cursor/mcp.json, .claude/settings.local.json, .codex/config.toml

Use environment variables where supported

Shell - add to .bashrc / .zshrc / PowerShell profile

export AQUILAX_API_KEY="your-api-key-here" export AQUILAX_ORG_ID="your-org-id-here" export AQUILAX_GROUP_ID="your-group-id-here"

Additional recommendations

Use project-scoped MCP config files in shared repos - instruct each team member to add their own credentials locally
Rotate your API key regularly from the AquilaX account settings page
Your API key grants access to all resources your user account can access - use the minimum necessary org/group scope
For VS Code users: the ${input:...} pattern prompts for secrets at runtime so nothing is stored on disk

AquilaX MCP · Free to connect

Add security to your AI workflow
in under a minute.

Get your API key, add two lines of config to Claude, Cursor, or any MCP client, and start scanning - no infrastructure, no installation.

Get API Key → Full Docs

Hosted MCP server No installation required Claude · Cursor · Windsurf · VS Code On-premises available

AquilaX MCP Server security for every AI assistant.

Get your credentials

Connect in under a minute

Configure your AI client

7 security tools, invoked automatically

Example prompts

Stateless. Secure. Zero credential storage.

Transport options

Inspect the MCP server

Security best practices

Add security to your AI workflowin under a minute.

AquilaX MCP Server
security for every
AI assistant.

Add security to your AI workflow
in under a minute.