by postmanlabs
Postman MCP Server — connect AI agents (Claude Code, Cursor, VS Code Copilot, Gemini CLI) to your Postman collections, OpenAPI specs, and environments via Model Context Protocol (MCP)
# Add to your Claude Code skills
git clone https://github.com/postmanlabs/postman-mcp-serverGuides for using ai agents skills like postman-mcp-server.
Last scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "handlebars: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "httpntlm: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "jose: jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "lodash: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "newman: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "node-forge: node-forge has ASN.1 Unbounded Recursion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postman-collection: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "postman-collection-transformer: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "postman-request: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "postman-runtime: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postman-sandbox: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "qs: qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "serialised-error: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "underscore: Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"severity": "high"
},
{
"type": "npm-audit",
"message": "uuid: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "uvm: Vulnerability found",
"severity": "high"
}
],
"status": "FAILED",
"scannedAt": "2026-05-30T15:22:17.005Z",
"npmAuditRan": true,
"pipAuditRan": true
}postman-mcp-server is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by postmanlabs. Postman MCP Server — connect AI agents (Claude Code, Cursor, VS Code Copilot, Gemini CLI) to your Postman collections, OpenAPI specs, and environments via Model Context Protocol (MCP). It has 280 GitHub stars.
postman-mcp-server failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/postmanlabs/postman-mcp-server" and add it to your Claude Code skills directory (see the Installation section above).
postman-mcp-server is primarily written in TypeScript. It is open-source under postmanlabs on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh postman-mcp-server against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
The Postman MCP Server implements the Model Context Protocol (MCP) to connect AI agents and coding assistants — including Claude Code, Cursor, VS Code Copilot, GitHub Copilot CLI, and Gemini CLI — directly to your Postman workspaces, collections, specifications, and environments.
Postman also offers the server as an npm package.
For the full installation guide with agent-specific setup, see Postman's MCP Server product page.
The Postman MCP Server collection is the quickest way to explore, test, and connect to the Postman MCP Server. Use it to:
For the best developer experience and fastest setup, use OAuth on the remote server (https://mcp.postman.com). OAuth is fully compliant with the MCP Authorization specification and requires no manual API key configuration.
The EU remote server and the local server support only Postman API key authentication.
Remote (any OAuth-compatible MCP host):
Add this URL to your MCP host's configuration:
https://mcp.postman.com/minimal
Change /minimal to /code or /mcp for Code or Full mode. For EU or API key auth, pass Authorization: Bearer <POSTMAN_API_KEY> as a header.
Local:
npx @postman/postman-mcp-server
Add --code or --full for Code or Full mode. Set POSTMAN_API_KEY as an environment variable.
For IDE-specific setup instructions, see the following table. For more information, see the Postman MCP Server docs.
| Agent / IDE | Remote | Local |
|---|---|---|
| Claude Code | Docs | Docs |
| Claude Desktop | — | Docs |
| Cursor | Docs | Docs |
| VS Code | Docs | Docs |
| Codex | Docs | Docs |
| Windsurf | Docs | Docs |
| Antigravity | Docs | Docs |
| GitHub Copilot CLI | Docs | Docs |
| Gemini CLI | Docs | Docs |
| Kiro | Docs | Docs |
| Docker | — | Docs |
The Postman MCP Server supports the EU region for remote and local servers:
https://mcp.eu.postman.com/mcp (Full), https://mcp.eu.postman.com/code, and https://mcp.eu.postman.com/minimal.--region eu flag, or set the POSTMAN_API_BASE_URL environment variable directly.For Docker setup and installation, see DOCKER.md.
Model Context Protocol · MCP Server · Postman · AI Agents · Claude Code · Cursor · VS Code · Specifications · REST API · API Testing · TypeScript · OpenAPI