Skip to main content
The Flare API MCP server is still in beta and is subject to change.
Flare provides a Model Context Protocol (MCP) server that exposes Flare’s search and platform APIs to any MCP-capable client. It lets agents query Flare’s threat-intel dataset, inspect a tenant’s monitored events, look up event-type schemas, and read the current user’s profile — without writing any code against the REST API. For a documentation-only companion server (search across the Flare API docs themselves), see the Documentation MCP .

Available Tools

ToolDescription
search_globalGlobal Search — executes a Lucene query against the entire Flare threat-intel dataset.
search_tenantTenant Search — executes a Lucene query scoped to events matching the caller’s monitored identifiers.
search_validate_search_queryValidates that a Lucene query complies with Flare’s search rules before running it. Useful when composing or debugging a query.
events_get_eventReturns the complete event payload (metadata + data) for a single uid.
events_get_event_typeReturns the documentation and searchable field list for a given event type (e.g. chat_message, forum_post, stealer_log).
profile_getReturns the current user’s profile, including tenants, permissions, feature flags, and default tenant id.
search_global requires the Global Search permission on the target tenant.

Search Parameters

The search_global and search_tenant tools accept the same parameters:
query
string
required
Lucene query.
date_range
string | object
Time window to restrict results to. Either a preset (last_24h, last_2d, last_7d, last_1m, last_3m, last_6m, all) or a { begin_at, end_at } object with ISO-8601 datetimes.
search_types
array of string
List of event types to scope the search. Defaults to all event types.
size
integer
default:"10"
Number of results to return. Between 1 and 10.
cursor
string
Opaque pagination cursor from a previous response.

Prompt Examples

  • What has Flare picked up on our monitored domain scatterholt.com in the last 24 hours?
  • Search the whole Flare dataset for chat messages mentioning "acme-corp" in the last 7 days.
  • Validate this query for me: author_name:/some_username_\d+/
  • What fields can I search on the stealer_log event type?
  • Which tenants do I currently have access to?

MCP Server Configuration

The MCP server is available at the following URL:
  • https://api.flare.io/mcp
To connect an MCP client to the server, see Client Setup.

Authentication

Every MCP request must include a Flare API key in the Authorization header. Follow the Authentication Guide to generate one.

Targeting a specific tenant

Requests default to your account’s default tenant. To scope MCP tool calls to a specific tenant, set the X-Flare-Tenant-Id header on the MCP connection to the target tenant id. You can find your tenant ids via the profile_get MCP tool, or on the Profile page under the “Tenants” section (also documented in the Authentication Guide ).

Client Setup

The X-Flare-Tenant-Id header is optional: omitting it uses your default tenant.

Claude Code

The quickest way to add the server to a project’s config is through the Claude Code CLI:
claude mcp add flare --transport http https://api.flare.io/mcp \
  --scope project \
  --header "Authorization: <api-key>" \
  --header "X-Flare-Tenant-Id: <tenant-id>"
The Flare API key is obtained from the Authentication Guide . Alternatively, you may create an .mcp.json file at the root of your project and restart Claude Code once the file is in place:
.mcp.json
{
  "mcpServers": {
    "flare": {
      "type": "http",
      "url": "https://api.flare.io/mcp",
      "headers": {
        "Authorization": "<api-key>",
        "X-Flare-Tenant-Id": "<tenant-id>"
      }
    }
  }
}
The Flare tools will appear under the flare server in the /mcp command output, and Claude will call them automatically when your prompts match their descriptions.
Store the API key outside version control. Claude Code also supports reading headers from environment variables — see the Claude Code MCP docs for details.

Claude Desktop

Claude Desktop’s configuration file only supports local (stdio) servers, so the connection goes through the mcp-remote bridge via npx (requires Node.js). The configuration file is located at:
  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
The file is also reachable through Settings → Developer → Edit Config.
claude_desktop_config.json
{
  "mcpServers": {
    "flare": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://api.flare.io/mcp",
        "--header",
        "Authorization:<api-key>",
        "--header",
        "X-Flare-Tenant-Id:<tenant-id>"
      ]
    }
  }
}
Once the change is in place, you should fully quit and relaunch Claude Desktop.

Cursor

The server can be added to the .cursor/mcp.json in your project (or ~/.cursor/mcp.json to make it available in all projects).
.cursor/mcp.json
{
  "mcpServers": {
    "flare": {
      "url": "https://api.flare.io/mcp",
      "headers": {
        "Authorization": "<api-key>",
        "X-Flare-Tenant-Id": "<tenant-id>"
      }
    }
  }
}
Cursor picks up the change automatically: check Settings → MCP to confirm the MCP server is connected. See Cursor’s MCP docs for details.

Quotas & Rate Limits

  • Calls to search_global (Global Search) consume the tenant’s monthly Global Search quota. See Rate Limits and Quotas .
  • Calls to other tools do not consume the Global Search quota.
  • Standard API rate limits apply to all tools.