Command Palette

Search for a command to run...

UnylyUnyly
Browse all

LaunchTrust

FreeNot checked

Scans public URLs for compliance and security issues such as leaked API keys, exposed files, missing privacy pages, and security headers, helping developers ide

GitHubEmbed

About

Scans public URLs for compliance and security issues such as leaked API keys, exposed files, missing privacy pages, and security headers, helping developers identify gaps before launch.

README

Run a compliance + security scan on your app — without leaving Claude Code.

MCP Transport Hosted

LaunchTrust scans a public URL for the compliance and security gaps that get indie apps rejected or fined — leaked frontend API keys, exposed .env/.git, missing privacy/terms pages, absent security headers, undisclosed AI interactions, tracker/cookie issues — mapped to 39 jurisdictions (EU AI Act, GDPR, US state privacy laws, app-store policies).

It's a remote, hosted MCP server — nothing to install, build, or run. Add the URL and go.

⚖️ Compliance aid, not legal advice. Not a certification of compliance.

Install (Claude Code)

claude mcp add --transport http launchtrust https://mcp.launchtrust.co/mcp

Then ask Claude:

"Scan https://my-app.com for compliance and security issues."

Works in any MCP client that supports remote Streamable HTTP servers (Claude Code, Claude Desktop, …).

What the free scan checks

scan_url runs a focused, high-signal subset of detectors against any public URL — no account needed:

  • 🔑 Leaked frontend API keys / secrets
  • 📂 Exposed .env / .git / config files
  • 🛡️ Security headers (CSP, HSTS, X-Frame-Options, …) + HTTPS/HSTS
  • 📄 Missing privacy / terms pages
  • 🤖 Undisclosed AI interactions
  • 🍪 Trackers / cookie-consent

The result is plain text, unsigned and not stored.

Tools

Free — no account

Tool Description
scan_url Quick compliance + security scan of any public URL.
list_jurisdictions Jurisdictions & categories covered (EU AI Act, GDPR, US states, app stores).
get_compliance_rules Sourced compliance rule snapshots, filterable by jurisdiction.
verify_record Independently verify the ES256 signature on a LaunchTrust signed record.

Account — needs a token

The full version runs all 27 detectors across 39 jurisdictions, stores a signed, dated evidence record, and monitors continuously. Connect with your LaunchTrust token:

claude mcp add --transport http launchtrust https://mcp.launchtrust.co/mcp \
  --header "Authorization: Bearer lt_pat_..."
Tool Description
register_app Register a web app to scan & monitor (idempotent).
scan_app Full 27-detector signed scan of a registered app.
get_scan_history Recent scans for an app.
get_market_report Findings annotated by your target-market jurisdictions.
list_my_apps Your registered apps + latest status.

Get a token at launchtrust.co.

Use in other MCP clients

LaunchTrust is a standard remote (Streamable HTTP) MCP server — it works in any MCP-compatible client, not just Claude Code.

Codex CLI — add to ~/.codex/config.toml:

[mcp_servers.launchtrust]
url = "https://mcp.launchtrust.co/mcp"

Gemini CLI — add to ~/.gemini/settings.json:

{
  "mcpServers": {
    "launchtrust": { "httpUrl": "https://mcp.launchtrust.co/mcp" }
  }
}

Cursor, Windsurf, and others — point them at the remote URL https://mcp.launchtrust.co/mcp (Streamable HTTP).

For the account-gated tools, pass your token as an Authorization: Bearer lt_pat_... header (Claude Code: --header; Codex: http_headers = { Authorization = "Bearer lt_pat_..." }; Gemini: "headers": { "Authorization": "Bearer lt_pat_..." }).

How it works

  • Transport: stateless Streamable HTTP (MCP spec 2025-11-25) at POST /mcp.
  • Privacy: the free scan stores nothing — it fetches your URL, runs detectors, returns findings. Premium scans store a signed record under your account only.
  • Honesty: it never invents findings. Every result traces to what was actually on the page, and it reports mechanical signals (detected / not_detected) — never a verdict of "compliant".

Links

Development

Zero-dependency Cloudflare Worker; a thin client over the LaunchTrust API.

npm install
npm run typecheck
npm run dev        # wrangler dev — POST http://localhost:8787/mcp
npm run deploy     # wrangler deploy (custom domain in wrangler.toml)

LaunchTrust is a compliance aid, not legal advice, and is not a certification of compliance with any law.

from github.com/mustafasalimerek-bit/launchtrust-mcp

Installing LaunchTrust

This server has no published package — it is built from source. Open the repository and follow its README.

▸ github.com/mustafasalimerek-bit/launchtrust-mcp

FAQ

Is LaunchTrust MCP free?

Yes, LaunchTrust MCP is free — one-click install via Unyly at no cost.

Does LaunchTrust need an API key?

No, LaunchTrust runs without API keys or environment variables.

Is LaunchTrust hosted or self-hosted?

A hosted option is available: Unyly runs the server in the cloud, no local setup required.

How do I install LaunchTrust in Claude Desktop, Claude Code or Cursor?

Open LaunchTrust on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare LaunchTrust with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All development MCPs