The Flare API MCP server is still in beta and is subject to change.
Available Tools
| Tool | Description |
|---|---|
search_global | Global Search — executes a Lucene query against the entire Flare threat-intel dataset. |
search_tenant | Tenant Search — executes a Lucene query scoped to events matching the caller’s monitored identifiers. |
search_validate_search_query | Validates that a Lucene query complies with Flare’s search rules before running it. Useful when composing or debugging a query. |
events_get_event | Returns the complete event payload (metadata + data) for a single uid. |
events_get_event_type | Returns the documentation and searchable field list for a given event type (e.g. chat_message, forum_post, stealer_log). |
profile_get | Returns the current user’s profile, including tenants, permissions, feature flags, and default tenant id. |
search_global requires the Global Search permission on the target tenant.Search Parameters
Thesearch_global and search_tenant tools accept the
same parameters:
Lucene query.
Time window to restrict results to. Either a preset (
last_24h, last_2d, last_7d,
last_1m, last_3m, last_6m, all) or a { begin_at, end_at } object with ISO-8601 datetimes.List of event types to scope the search. Defaults to all event types.
Number of results to return. Between
1 and 10.Opaque pagination cursor from a previous response.
Prompt Examples
What has Flare picked up on our monitored domain scatterholt.com in the last 24 hours?Search the whole Flare dataset for chat messages mentioning "acme-corp" in the last 7 days.Validate this query for me: author_name:/some_username_\d+/What fields can I search on the stealer_log event type?Which tenants do I currently have access to?
MCP Server Configuration
The MCP server is available at the following URL:https://api.flare.io/mcp
Authentication
Every MCP request must include a Flare API key in theAuthorization
header. Follow the
Authentication Guide
to generate one.
Targeting a specific tenant
Requests default to your account’s default tenant. To scope MCP tool calls to a specific tenant, set theX-Flare-Tenant-Id header on the MCP
connection to the target tenant id. You can find your tenant ids via the profile_get MCP tool, or on the Profile page under the “Tenants” section
(also documented in the
Authentication Guide ).
Client Setup
The
X-Flare-Tenant-Id header is optional: omitting it uses your default
tenant.Claude Code
The quickest way to add the server to a project’s config is through the Claude Code CLI:.mcp.json file at the root of your project and restart Claude Code once the file is in place:
.mcp.json
flare server in the /mcp command output, and Claude will call
them automatically when your prompts match their descriptions.
Store the API key outside version control. Claude Code also supports reading
headers from environment variables — see the Claude Code MCP
docs
for details.
Claude Desktop
Claude Desktop’s configuration file only supports local (stdio) servers, so the connection goes through themcp-remote bridge via npx (requires Node.js).
The configuration file is located at:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
claude_desktop_config.json
Cursor
The server can be added to the.cursor/mcp.json in your project (or
~/.cursor/mcp.json to make it available in all projects).
.cursor/mcp.json
Quotas & Rate Limits
- Calls to
search_global(Global Search) consume the tenant’s monthly Global Search quota. See Rate Limits and Quotas . - Calls to other tools do not consume the Global Search quota.
- Standard API rate limits apply to all tools.