Semaphore
FreeNot checkedReads login-walled web pages by replaying cookies from your browser, returning clean markdown via MCP tools.
About
Reads login-walled web pages by replaying cookies from your browser, returning clean markdown via MCP tools.
README
A read-only MCP server that reads login-walled web pages by replaying cookies
clipped from your own browser. You log into a site normally; a browser extension
sends that site's cookies to a local server; an LLM agent calls read_page over
MCP and gets clean markdown back. Credentials never reach the agent — only the
server holds the cookies, and it can only read (GET), never submit.
Binds 127.0.0.1:8931. Runs in Docker. Fetches with a plain HTTP GET first and
falls back to headless Playwright Firefox only when a page needs JavaScript.
Requirements
- Docker + Docker Compose
- A Firefox-based browser (Firefox / Zen) that can load an unsigned extension
- An MCP client that speaks streamable HTTP (e.g. Claude Code)
1. Run the server
docker compose up -d --build
docker logs semaphore | grep "shared secret" # copy this value
The shared secret is generated on first boot and printed to the logs. Cookies,
the secret, and the Playwright profile live in the semaphore-data Docker volume,
so they survive restarts. The secret is the auth token for both endpoints — treat
it as a credential.
2. Load the Cookie Clip extension
In Firefox/Zen, open about:debugging#/runtime/this-firefox → Load Temporary
Add-on → select extension/manifest.json. (Temporary add-ons unload when the
browser restarts. To keep it, package extension/ as an unsigned .xpi — this
requires xpinstall.signatures.required = false. See extension/README.md.)
Open the extension popup once and paste the shared secret into it. It is stored in
browser.storage.local and reused for every clip.
3. Clip cookies for a site
- Log into the target site in your browser as normal.
- Open the Cookie Clip popup. It shows the active tab's registrable domain.
- Confirm or edit the domain, then click Clip cookies.
This sends the domain's cookies (including HttpOnly) plus your browser's
user-agent to POST /api/cookies. Re-clip whenever a session expires.
The domain box defaults to the last two labels of the hostname, which is wrong for multi-part TLDs like
example.co.uk— edit it by hand in that case.
4. Register the server with your MCP client
claude mcp add --transport http semaphore http://localhost:8931/mcp \
--header "X-Semaphore-Secret: <secret>"
Both /mcp and /api/cookies require the X-Semaphore-Secret header.
Tools
read_page({ url, format? })
Fetches url and returns it as text. format:
auto(default) — detects article vs link-list pages and renders each well (Readability for articles, link-preserving markdown for search/result lists).markdown— force pure Readability article extraction.aria— accessibility-tree snapshot (Playwright). Use this ifautomisclassifies a list page and drops its links.html— Readability's cleaned HTML.
On a login wall it returns a structured error instead of page content:
{ "error": "auth_required", "domain": "…", "reason": "no_cookies" | "session_expired", "action": "…" }
no_cookies = nothing clipped for that domain; session_expired = clipped
cookies no longer authenticate. Re-clip and retry — do not treat the logged-out
page as the answer.
session_status({ domain? })
Reports stored domains, cookie counts, earliest cookie expiry, and stored
user-agent. Never returns cookie values. Omit domain for all domains.
Remote access over a tailnet (optional)
Keep the server bound to localhost. On the host running Tailscale, expose only the
/mcp path over HTTPS:
tailscale serve --bg --set-path /mcp http://localhost:8931/mcp
(Flag names vary by Tailscale version — check tailscale serve --help.) Then
point a remote MCP client at https://<machine>.<tailnet>.ts.net/mcp with the
same secret header. /api/cookies stays local, so cookies never leave the host,
and all fetches egress from the host's IP. Restrict reach with Tailscale ACLs.
Configuration
SEMAPHORE_DATA_DIR— data directory (default/datain the container).SEMAPHORE_HOST— bind address (default127.0.0.1). Do not bind0.0.0.0; usetailscale servefor remote access instead.- Port is fixed at
8931. - Rotate the secret by deleting
/data/secretand restarting; re-enter it in the extension and MCP client.
Layout (for modifying)
| Path | What it does |
|---|---|
server/index.ts |
HTTP server; /api/cookies + /mcp routing; shared-secret auth |
server/mcp.ts |
MCP tool definitions (read_page, session_status) |
server/fetcher/index.ts |
Two-tier fetch (HTTP → Playwright Firefox), SSRF guard, rate limiter, auth_required |
server/fetcher/extract.ts |
Readability + link-preserving extraction; article-vs-list classifier |
server/cookies.ts |
Per-domain cookie store (/data/cookies.json) |
server/rate-limiter.ts |
Per-domain serial queue |
extension/ |
The Cookie Clip WebExtension |
SPEC.md |
Full design spec and rationale |
Local dev without Docker: npm install, then npm run dev (needs Node 22; set
SEMAPHORE_DATA_DIR to a writable path). npm run build type-checks.
Limitations
- Cookies are frozen at clip time — there is no server-side session refresh. When a site rotates or expires its session, re-clip.
- Read-only by design: no form submission, clicking, or applying. Discovery works
because most search is GET (
?keywords=…); the final action stays manual. - The
autoclassifier misses list pages whose item URLs have no numeric/hex id (pure slugs) — useformat: "aria"for those. - Self-hosted: no proxy rotation or anti-bot handling. It is meant for reading your own authenticated sessions, from your own IP.
- Automated reading of authenticated content may violate a site's terms. Use it for sessions you are entitled to, and within those terms.
Installing Semaphore
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/CandeliteKey/semaphoreFAQ
Is Semaphore MCP free?
Yes, Semaphore MCP is free — one-click install via Unyly at no cost.
Does Semaphore need an API key?
No, Semaphore runs without API keys or environment variables.
Is Semaphore hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Semaphore in Claude Desktop, Claude Code or Cursor?
Open Semaphore on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Playwright
Browser automation, scraping, screenshots
by MicrosoftPuppeteer
Browser automation and web scraping.
by modelcontextprotocolopentabs-dev/opentabs
Plugin-based MCP server + Chrome extension that gives AI agents access to web applications through the user's authenticated browser session. 100+ plugins with a
by opentabs-devrobhunter/agentdeals
1,500+ developer infrastructure deals, free tiers, and startup programs across 54 categories. Search deals, compare vendors, plan stacks, and track pricing chan
by robhunterCompare Semaphore with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All browse MCPs
