MCP integration

AllyProof runs a hosted Model Context Protocol (MCP) server, so AI agents like Cursor, Claude Code, and Claude Desktop can scan pages and work with your accessibility data without leaving the editor. The endpoint is https://allyproof.com/api/mcp (Streamable HTTP transport).

What your agent can do

The tool surface expands once you add an API key. Without a key, the public scan_url tool is available to anyone; with a key, your agent also gets tools scoped to your own organization.

ToolNeeds key?What it does
scan_urlNoScan any single URL for WCAG 2.2 AA violations. Returns a score, severity breakdown, and up to 20 violations with WCAG criteria and fix guidance.
list_sitesYesList the sites registered in your organization.
scan_siteYesStart a full multi-page scan (a crawl) of one of your registered sites, by site_id or url.
list_violationsYesList your open violations with their WCAG criteria, affected pages, and AI-generated fix suggestions. Filter by site_id and impact.

Get an API key

Create a key at Settings → API Keys. It's shown once at creation — copy it before closing the dialog. The account-scoped tools require a plan with API access; the public scan_url tool works with no key.

Connect your agent

Claude Code (CLI)

Shell
claude mcp add --transport http allyproof https://allyproof.com/api/mcp \
  --header "x-api-key: ap_live_..."

Omit the --header flag for scan-only (public) access.

Cursor / Claude Desktop (config file)

Add AllyProof to the mcpServersblock of your client's MCP config:

JSON
{
  "mcpServers": {
    "allyproof": {
      "type": "http",
      "url": "https://allyproof.com/api/mcp",
      "headers": { "x-api-key": "ap_live_..." }
    }
  }
}

You can also generate these snippets pre-filled with your key from Settings → Integrations.

Try it

Once connected, ask your agent things like:

  • “Scan https://example.com/pricing for accessibility issues.”
  • “List my sites, then start a scan of the marketing site.”
  • “What are my open critical violations and how do I fix them?”

Limits & scope

  • scan_url is a single-page scan, rate-limited per IP and cached for 24h. For a full-site crawl, use scan_site (with a key) or the REST API.
  • Account-scoped tools read and write only your organization's data, scoped by the API key — exactly like the v1 REST API and CLI.
  • Automated scanning covers ~57-70% of WCAG criteria; full conformance also needs manual review. No tool can guarantee legal compliance.

Next steps