Whisper · Docs
Console

Connect over MCP

Wire Whisper into your IDE or AI client over MCP, or call the graph directly with an API key. Most clients connect with just the URL.

1 · Connect your client

Point your MCP client at https://mcp.whisper.security. The server supports OAuth (RFC 7591 dynamic registration and PKCE), so most clients need only the URL. The page carries a tab per client; the one-liners below are what each tab shows.

The Connect over MCP page: point your MCP client at the Whisper MCP URL, with a per-client tab strip (Claude Code, Claude Desktop, Cursor, VS Code, Windsurf, OpenAI Codex) and the six read-only tools a connection exposes.
One page to wire any MCP client to the graph. Most clients need only the URL; OAuth handles the rest.

Claude Code

claude mcp add --transport http whisper-graph https://mcp.whisper.security

Claude Desktop

Settings -> Connectors -> Add custom connector
# enter https://mcp.whisper.security, then Connect and sign in with OAuth

Cursor (.cursor/mcp.json)

{
  "mcpServers": {
    "whisper-graph": { "url": "https://mcp.whisper.security" }
  }
}

VS Code (.vscode/mcp.json, Copilot)

{
  "servers": {
    "whisper-graph": { "type": "http", "url": "https://mcp.whisper.security" }
  }
}

Windsurf

{
  "mcpServers": {
    "whisper-graph": { "serverUrl": "https://mcp.whisper.security" }
  }
}

OpenAI Codex (~/.codex/config.toml)

[mcp_servers.whisper-graph]
url = "https://mcp.whisper.security"
# then: codex mcp login whisper-graph

2 · What your client gets

A complete connection exposes six read-only tools, seven resources, and eleven prebuilt investigation prompts. Clients can read the graph but never mutate it. The tools are query, list_labels, describe_label, explain_indicator, whisper_history, and domain_variants.

3 · Static key or call the graph directly

For CI, headless agents, or clients that would rather not use OAuth, add a Bearer header with a key from your API keys.

{
  "mcpServers": {
    "whisper-graph": {
      "url": "https://mcp.whisper.security",
      "headers": { "Authorization": "Bearer $WHISPER_API_KEY" }
    }
  }
}

Or skip MCP and call the query endpoint directly. It accepts your key as a Bearer token or an X-API-Key header.

curl -X POST https://graph.whisper.security/api/query \
  -H "Authorization: Bearer $WHISPER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": "CALL explain(\"google.com\")"}'

4 · Three ways to authenticate

There are three tiers, and no code changes between them beyond the auth header. Anonymous needs no signup and gives a shallow, rate-limited read for trying the graph. An API key raises the limits to your plan and is the agent path. Signed-in is the full console in the browser.