Configure your MCP client to connect to Prowler MCP Server.
Step 1: Get Your API Key
Authentication is optional: Prowler Hub and Prowler Documentation features work without authentication. An API key is only required for Prowler Cloud and Prowler App (Self-Managed) features.
To get an API key for Prowler Cloud or Prowler App (Self-Managed) features, refer to the API Keys guide.
Keep the API key secure. Never share it publicly or commit it to version control.
Choose the configuration based on your deployment:
HTTP Mode: Prowler Cloud MCP Server or self-hosted Prowler MCP Server.
STDIO Mode: Local installation only (runs as a subprocess of your MCP client).
HTTP Mode
Configuration (replace the URL with your self-hosted Prowler MCP Server URL where applicable):
{
  "mcpServers": {
    "prowler": {
      "url": "https://mcp.prowler.com/mcp",
      "headers": {
        "Authorization": "Bearer <your-api-key-here>"
      }
    }
  }
}
Configuration: Avoid configuring MCP clients to run npx mcp-remote directly. npx can download and execute a new package version on each run. Install a reviewed version of mcp-remote in a dedicated local workspace, then point the MCP client to the installed binary.
mkdir -p ~/.local/share/prowler-mcp-bridge
cd ~/.local/share/prowler-mcp-bridge
npm init -y
npm install --save-exact mcp-remote@0.1.38
Client configuration (replace the URL with your self-hosted Prowler MCP Server URL where applicable):
{
  "mcpServers": {
    "prowler": {
      "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
      "args": [
        "https://mcp.prowler.com/mcp",
        "--header",
        "Authorization: Bearer ${PROWLER_APP_API_KEY}"
      ],
      "env": {
        "PROWLER_APP_API_KEY": "<your-api-key-here>"
      }
    }
  }
}
The mcp-remote tool acts as a bridge for clients that don’t support HTTP natively. Learn more at mcp-remote on npm.
Open Claude Desktop settings
Go to “Developer” tab
Click the “Edit Config” button
Edit the claude_desktop_config.json file with your favorite editor
Install a reviewed version of mcp-remote in a dedicated local workspace:
mkdir -p ~/.local/share/prowler-mcp-bridge
cd ~/.local/share/prowler-mcp-bridge
npm init -y
npm install --save-exact mcp-remote@0.1.38
Add the following configuration:
{
  "mcpServers": {
    "prowler": {
      "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
      "args": [
        "https://mcp.prowler.com/mcp",
        "--header",
        "Authorization: Bearer ${PROWLER_APP_API_KEY}"
      ],
      "env": {
        "PROWLER_APP_API_KEY": "<your-api-key-here>"
      }
    }
  }
}
Run the following commands:
export PROWLER_APP_API_KEY="<your-api-key-here>"
claude mcp add --transport http prowler https://mcp.prowler.com/mcp --header "Authorization: Bearer $PROWLER_APP_API_KEY" --scope user
Open Cursor settings
Go to “Tools & MCP”
Click the “New MCP Server” button
Add the following to the JSON configuration:
{
  "mcpServers": {
    "prowler": {
      "url": "https://mcp.prowler.com/mcp",
      "headers": {
        "Authorization": "Bearer <your-api-key-here>"
      }
    }
  }
}
STDIO Mode
STDIO mode is only available when running the MCP server locally.
Run from source or local installation
{
  "mcpServers": {
    "prowler": {
      "command": "uvx",
      "args": ["/absolute/path/to/prowler/mcp_server/"],
      "env": {
        "PROWLER_APP_API_KEY": "<your-api-key-here>",
        "API_BASE_URL": "https://api.prowler.com/api/v1"
      }
    }
  }
}
Replace /absolute/path/to/prowler/mcp_server/ with the actual path. The API_BASE_URL is optional and defaults to Prowler Cloud API.
Run with Docker image
{
  "mcpServers": {
    "prowler": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "--env",
        "PROWLER_APP_API_KEY=<your-api-key-here>",
        "--env",
        "API_BASE_URL=https://api.prowler.com/api/v1",
        "prowlercloud/prowler-mcp"
      ]
    }
  }
}
The API_BASE_URL is optional and defaults to Prowler Cloud API.
Step 3: Start Using Prowler MCP
Restart your MCP client and start asking questions:
“Show me all critical findings from my AWS accounts”
“What does the S3 bucket public access check do?”
“Onboard this new AWS account in my Prowler Organization”
Authentication Methods
Prowler MCP Server supports two authentication methods to connect to Prowler Cloud or Prowler App (Self-Managed):
API Key (Recommended)
Use your Prowler API key directly in the Bearer token:
Authorization: Bearer <your-api-key-here>
This is the recommended method for most users.
JWT Token
Alternatively, obtain a JWT token from Prowler:
curl -X POST https://api.prowler.com/api/v1/tokens \
-H "Content-Type: application/vnd.api+json" \
-H "Accept: application/vnd.api+json" \
-d '{
"data": {
"type": "tokens",
"attributes": {
"email": "your-email@example.com",
"password": "your-password"
}
}
}'
Use the returned JWT token in place of the API key:
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
JWT tokens are only valid for 30 minutes. You need to generate a new token if you want to continue using the MCP server.
Troubleshooting
Server Not Detected
Restart your MCP client after configuration changes
Check the configuration file syntax (valid JSON)
Review client logs for specific error messages
Verify the server URL is correct
Authentication Failures
Error: Unauthorized (401)
Verify your API key is correct
Ensure the key hasn’t expired
Check you’re using the right API endpoint
Connection Issues
Cannot Reach Server:
Verify the server URL is correct
Check network connectivity
For local servers, ensure the server is running
Check firewall settings
Security Best Practices
Protect Your API Key
Never commit API keys to version control.
Use environment variables or secure vaults.
Rotate keys regularly.
Network Security
Use HTTPS for production deployments.
Restrict network access to the MCP server.
Consider VPN for remote access.
Least Privilege
An API key carries the permissions of the user who created it, so use a key with the minimal required permissions.
Review which tools will be used and how they will be used, to avoid prompt injection or unintended behavior.
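The advice above about not running npx mcp-remote directly, using HTTPS, and keeping API keys out of version control can be checked mechanically before a client config is committed or shared. The following is an added example, not part of Prowler's documentation or code: the audit function, the finding labels and the sample servers are assumptions, and the sample key is constructed.

```python
import json
import re
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
BEARER = re.compile(r"Bearer\s+(\S+)")
REFERENCE = re.compile(r"\$\{?\w+\}?|<[^>]+>")  # ${VAR}, $VAR or <placeholder>

def is_literal(value):  # a real value, not empty / env reference / placeholder
    return bool(value) and not REFERENCE.fullmatch(value)

def audit(config_text):
    """Return sorted (server, finding) pairs for an mcpServers config."""
    findings = set()
    for name, srv in json.loads(config_text).get("mcpServers", {}).items():
        args = [a for a in srv.get("args", []) if isinstance(a, str)]
        env = {k: str(v) for k, v in srv.get("env", {}).items()}
        # docker-style "--env KEY=VALUE" arguments count as environment entries
        env.update(m.groups() for a in args if (m := re.fullmatch(r"(\w+)=(.*)", a)))
        if srv.get("command", "").rsplit("/", 1)[-1] == "npx":
            findings.add((name, "npx-unpinned"))
        for key, value in env.items():
            if key.endswith("API_KEY") and is_literal(value):
                findings.add((name, "inline-secret"))
        headers = [str(v) for v in srv.get("headers", {}).values()]
        for text in args + headers + list(env.values()) + [str(srv.get("url", ""))]:
            url = urlparse(text)
            if url.scheme == "http" and url.hostname not in LOOPBACK:
                findings.add((name, "plaintext-http"))
            token = BEARER.search(text)
            if token and is_literal(token.group(1)):
                findings.add((name, "inline-secret"))
    return sorted(findings)

# Constructed sample, not a real configuration or key.
SAMPLE = json.dumps({"mcpServers": {
    "prowler-npx": {"command": "npx", "args": [
        "-y", "mcp-remote", "http://mcp.internal.example/mcp",
        "--header", "Authorization: Bearer CONSTRUCTED-KEY-0000"]},
    "prowler-pinned": {
        "command": "/home/alice/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
        "args": ["https://mcp.prowler.com/mcp",
                 "--header", "Authorization: Bearer ${PROWLER_APP_API_KEY}"],
        "env": {"PROWLER_APP_API_KEY": "<your-api-key-here>"}},
    "prowler-docker": {"command": "docker", "args": [
        "run", "--rm", "-i", "--env", "PROWLER_APP_API_KEY=CONSTRUCTED-KEY-0000",
        "prowlercloud/prowler-mcp"]},
}})

print(audit(SAMPLE))
```

A config that still holds the placeholder or an environment reference passes; once a real key is written into the file, the inline-secret finding is the signal to keep that file out of version control.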
Next Steps
Now that your MCP server is configured:
Tools Reference: Explore all available tools
Getting Help
Need assistance with configuration?