# Connect over MCP

Wire Whisper into your IDE or AI client over MCP, or call the graph directly with an API key. Most clients connect with just the URL.

## 1. Connect your client

Point your MCP client at `https://mcp.whisper.security`. The server supports OAuth (dynamic registration and PKCE), so most clients need only the URL.

![The Connect over MCP page: point your MCP client at the Whisper MCP URL, with a per-client tab strip (Claude Code, Claude Desktop, Cursor, VS Code, Windsurf, OpenAI Codex) and the six read-only tools a connection exposes.](/docs/shots/connect-mcp.png)

*One page to wire any MCP client to the graph. Most clients need only the URL; OAuth handles the rest.*

Claude Code:

```
claude mcp add --transport http whisper-graph https://mcp.whisper.security
```

Cursor (`.cursor/mcp.json`):

```
{
  "mcpServers": {
    "whisper-graph": { "url": "https://mcp.whisper.security" }
  }
}
```

VS Code (`.vscode/mcp.json`, Copilot):

```
{
  "servers": {
    "whisper-graph": { "type": "http", "url": "https://mcp.whisper.security" }
  }
}
```

Windsurf:

```
{
  "mcpServers": {
    "whisper-graph": { "serverUrl": "https://mcp.whisper.security" }
  }
}
```

OpenAI Codex (`~/.codex/config.toml`):

```
[mcp_servers.whisper-graph]
url = "https://mcp.whisper.security"
# then: codex mcp login whisper-graph
```

## 2. What your client gets

Six read-only tools, seven resources, and eleven prebuilt prompts. Clients read the graph but never mutate it. The tools are `query`, `list_labels`, `describe_label`, `explain_indicator`, `whisper_history`, and `domain_variants`.

## 3. Static key or call the graph directly

Add a Bearer header with a key from [your API keys](/docs/account-and-keys):

```
{
  "mcpServers": {
    "whisper-graph": {
      "url": "https://mcp.whisper.security",
      "headers": { "Authorization": "Bearer $WHISPER_API_KEY" }
    }
  }
}
```

Or call the query endpoint directly with a Bearer token or an `X-API-Key` header:

```
curl -X POST https://graph.whisper.security/api/query \
  -H "Authorization: Bearer $WHISPER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": "CALL explain(\"google.com\")"}'
```

## 4. Three ways to authenticate

Anonymous needs no signup and gives a shallow, rate-limited read. An API key raises the limits to your plan and is the agent path. Signed-in is the full console in the browser. No code changes between them beyond the auth header.
