---
title: "Configuration"
---
Configure your MCP client to connect to Prowler MCP Server.
## Step 1: Get Your API Key (Optional)
**Authentication is optional**: Prowler Hub and Prowler Documentation features work without authentication. An API key is only required for Prowler Cloud and Prowler App (Self-Managed) features.
To use Prowler Cloud or Prowler App (Self-Managed) features, get an API key by following the [API Keys](/user-guide/tutorials/prowler-app-api-keys) guide.
Keep the API key secure. Never share it publicly or commit it to version control.
## Step 2: Configure Your MCP Client
Choose the configuration based on your deployment:
- **STDIO Mode**: Local installation only (runs as subprocess).
- **HTTP Mode**: Prowler Cloud MCP Server or self-hosted Prowler MCP Server.
### HTTP Mode (Prowler Cloud MCP Server or self-hosted Prowler MCP Server)
**Clients that support HTTP with custom headers natively**
For example: Cursor, VSCode, LobeChat, etc.
**Configuration:**
```json
{
  "mcpServers": {
    "prowler": {
      "url": "https://mcp.prowler.com/mcp",
      "headers": {
        "Authorization": "Bearer pk_your_api_key_here"
      }
    }
  }
}
```
Replace `https://mcp.prowler.com/mcp` with your self-hosted Prowler MCP Server URL if applicable.
**Clients without native HTTP support**
For example: Claude Desktop.
**Configuration:**
```json
{
  "mcpServers": {
    "prowler": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.prowler.com/mcp",
        "--header",
        "Authorization: Bearer ${PROWLER_APP_API_KEY}"
      ],
      "env": {
        "PROWLER_APP_API_KEY": "pk_your_api_key_here"
      }
    }
  }
}
```
Replace `https://mcp.prowler.com/mcp` with your self-hosted Prowler MCP Server URL if applicable.
The `mcp-remote` tool acts as a bridge for clients that don't support HTTP natively. Learn more at [mcp-remote on npm](https://www.npmjs.com/package/mcp-remote).
### STDIO Mode (Local Installation Only)
STDIO mode is only available when running the MCP server locally.
**Run from source or local installation**
```json
{
  "mcpServers": {
    "prowler": {
      "command": "uvx",
      "args": ["/absolute/path/to/prowler/mcp_server/"],
      "env": {
        "PROWLER_APP_API_KEY": "pk_your_api_key_here",
        "PROWLER_API_BASE_URL": "https://api.prowler.com"
      }
    }
  }
}
```
Replace `/absolute/path/to/prowler/mcp_server/` with the actual path. The `PROWLER_API_BASE_URL` is optional and defaults to Prowler Cloud API.
**Run with Docker image**
```json
{
  "mcpServers": {
    "prowler": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "--env",
        "PROWLER_APP_API_KEY=pk_your_api_key_here",
        "--env",
        "PROWLER_API_BASE_URL=https://api.prowler.com",
        "prowlercloud/prowler-mcp"
      ]
    }
  }
}
```
The `PROWLER_API_BASE_URL` is optional and defaults to Prowler Cloud API.
## Step 3: Start Using Prowler MCP
Restart your MCP client and start asking questions:
- *"Show me all critical findings from my AWS accounts"*
- *"What does the S3 bucket public access check do?"*
- *"Onboard this new AWS account in my Prowler Organization"*
## Authentication Methods
Prowler MCP Server supports two authentication methods to connect to Prowler Cloud or Prowler App (Self-Managed):
### API Key (Recommended)
Use your Prowler API key directly in the Bearer token:
```
Authorization: Bearer pk_your_api_key_here
```
This is the recommended method for most users.
### JWT Token
Alternatively, obtain a JWT token from Prowler:
```bash
curl -X POST https://api.prowler.com/api/v1/tokens \
  -H "Content-Type: application/vnd.api+json" \
  -H "Accept: application/vnd.api+json" \
  -d '{
    "data": {
      "type": "tokens",
      "attributes": {
        "email": "your-email@example.com",
        "password": "your-password"
      }
    }
  }'
```
Use the returned JWT token in place of the API key:
```
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
```
JWT tokens are only valid for 30 minutes. You need to generate a new token if you want to continue using the MCP server.
## Troubleshooting
### Server Not Detected
- Restart your MCP client after configuration changes
- Check the configuration file syntax (valid JSON)
- Review client logs for specific error messages
- Verify the server URL is correct
### Authentication Failures
**Error: Unauthorized (401)**
- Verify your API key is correct
- Ensure the key hasn't expired
- Check you're using the right API endpoint
### Connection Issues
**Cannot Reach Server:**
- Verify the server URL is correct
- Check network connectivity
- For local servers, ensure the server is running
- Check firewall settings
## Security Best Practices
1. **Protect Your API Key**
   - Never commit API keys to version control.
   - Use environment variables or secure vaults.
   - Rotate keys regularly.
2. **Network Security**
   - Use HTTPS for production deployments.
   - Restrict network access to the MCP server.
   - Consider VPN for remote access.
3. **Least Privilege**
   - An API key grants the permissions of the user who created it. Use a key with the minimal required permissions.
   - Review which tools will be used and how, to avoid prompt injection or unintended behavior.
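
A check you can run before sharing or committing an MCP client config, as an added example (not part of Prowler's own code): it walks the `mcpServers` shapes shown in Step 2 and reports hard-coded API keys, cleartext `http://` URLs to non-local hosts, and files that a strict JSON parser rejects (for example because of `//` comments). It assumes Prowler API keys start with `pk_`, as this page's placeholders suggest; the sample config, host name and key are constructed.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: Prowler API keys start with "pk_", as this page's placeholders suggest.
KEY_RE = re.compile(r"\bpk_[A-Za-z0-9._-]+")
URL_RE = re.compile(r"http://[^\s\"']+")
PLACEHOLDER = "pk_your_api_key_here"
LOCAL = {"localhost", "127.0.0.1"}
# Constructed sample config (hypothetical host and key, not real values).
SAMPLE = """{"mcpServers": {
  "prowler-remote": {
    "url": "http://mcp.internal.example/mcp",
    "headers": {"Authorization": "Bearer pk_Zx81exampleONLY"}},
  "prowler-docker": {
    "command": "docker",
    "args": ["run", "--rm", "-i", "--env",
             "PROWLER_APP_API_KEY=pk_your_api_key_here", "prowlercloud/prowler-mcp"]}
}}"""

def _strings(node, path=""):
    """Yield (json_path, value) for every string nested in dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def audit_mcp_config(text):
    """Return (server, json_path, issue) findings; key values are never echoed."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("-", "-", f"invalid JSON: {exc.msg} (line {exc.lineno})")]
    servers = config.get("mcpServers", {}) if isinstance(config, dict) else {}
    findings = []
    for name, server in servers.items():
        for path, value in _strings(server):
            if any(k != PLACEHOLDER for k in KEY_RE.findall(value)):
                findings.append((name, path, "hard-coded API key"))
            if any(urlparse(u).hostname not in LOCAL for u in URL_RE.findall(value)):
                findings.append((name, path, "cleartext HTTP URL"))
    return findings

if __name__ == "__main__":
    print(*audit_mcp_config(SAMPLE), sep="\n")
```

Values that reference an environment variable, such as `${PROWLER_APP_API_KEY}`, are not flagged, so a config that keeps the key out of the file passes cleanly.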
## Next Steps
Now that your MCP server is configured, explore all available tools.
## Getting Help
Need assistance with configuration?
- Search for existing [GitHub issues](https://github.com/prowler-cloud/prowler/issues)
- Ask for help in our [Slack community](https://goto.prowler.com/slack)
- Report a new issue on [GitHub](https://github.com/prowler-cloud/prowler/issues/new)