Connect an AI client over MCP

Requires the next NullReport release

The nullreport-mcp program is published on npm and runs today, but connecting it needs an access token from the in-app Settings → MCP Access card. That card, and the endpoint behind it, ship in the next NullReport image release. The current image (v1.0.0) does not include them yet, so you cannot generate a token from it. The steps below describe the flow as it works once you are on a release that has the card.

NullReport ships a local MCP server, nullreport-mcp, that lets an AI client such as Claude Desktop, Cursor, or Claude Code drive your own instance in natural language. It can browse and search your reports and finding library, create and edit findings and sections, and export to DOCX.

It runs on your own machine and talks only to your NullReport backend, authenticated with a token you generate. It cannot delete anything; deletion stays in the web app.

Because it is a thin wrapper over the same API the web app uses, it inherits all of NullReport's rules: your role, your tier, and every validation are enforced exactly as in the browser.

1. Generate a token

In NullReport, open Settings → MCP Access and click Generate MCP token. Copy the config block it shows you. The token is displayed once for your security; generating a new one invalidates the old.

2. Add it to your AI client

Paste the config into your client's MCP settings. For Claude Desktop that is its claude_desktop_config.json:

{
  "mcpServers": {
    "nullreport": {
      "command": "npx",
      "args": ["-y", "nullreport-mcp"],
      "env": {
        "NULLREPORT_URL": "http://localhost:3000",
        "NULLREPORT_TOKEN": "<your token>",
        "NULLREPORT_OUTPUT_DIR": "~/nullreport-exports"
      }
    }
  }
}

NULLREPORT_URL is the address you open NullReport at, the same one in your browser's address bar. A standard install serves it on http://localhost:3000, and the /api path is proxied to the backend from there, so you do not need to expose the backend port separately. If you put NullReport behind a custom domain, use that domain instead.

NULLREPORT_OUTPUT_DIR is where exported DOCX files are written (it defaults to ~/nullreport-exports). The export tool saves the file there and returns the path, rather than passing the document through the AI client.
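
The config block above keeps the token in plaintext in the client's settings file. The following added example (not NullReport's or nullreport-mcp's own code) audits such a file before first use: it flags a leftover placeholder token, a plain-http URL to a non-loopback host, and a config file readable by other local users. The function name `audit_mcp_config`, the loopback host list, and the sample values are assumptions made for illustration.

```python
import json
import stat
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
PLACEHOLDER = "<your token>"  # placeholder text from the config block in the docs


def audit_mcp_config(config_text, file_mode=None, server="nullreport"):
    """Return a list of findings for one MCP server entry (empty list = clean).

    config_text: contents of the client's MCP config file (JSON).
    file_mode:   st_mode of that file from os.stat(), or None to skip the check.
    """
    findings = []
    entry = json.loads(config_text).get("mcpServers", {}).get(server)
    if entry is None:
        return [f"no '{server}' entry under mcpServers"]
    env = entry.get("env", {})

    token = env.get("NULLREPORT_TOKEN", "")
    if not token or token == PLACEHOLDER:
        findings.append("NULLREPORT_TOKEN is empty or still the placeholder")

    url = urlparse(env.get("NULLREPORT_URL", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append("NULLREPORT_URL is not an http(s) URL")
    elif url.scheme == "http" and url.hostname not in LOOPBACK_HOSTS:
        findings.append("plain http to a non-loopback host: token is sent unencrypted")

    # The config stores the token in plaintext, so only the owner should read it.
    if file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("config file is accessible to group/other users")
    return findings


# Constructed sample: a custom domain reached over plain http, file mode 0644.
SAMPLE = json.dumps({"mcpServers": {"nullreport": {
    "command": "npx", "args": ["-y", "nullreport-mcp"],
    "env": {"NULLREPORT_URL": "http://reports.example.test",
            "NULLREPORT_TOKEN": "constructed-sample-token",
            "NULLREPORT_OUTPUT_DIR": "~/nullreport-exports"}}}})

if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE, file_mode=0o100644):
        print("WARN:", finding)
```

Pass `os.stat(path).st_mode` as `file_mode` on Linux or macOS; leave it as `None` on Windows, where POSIX mode bits do not describe file access.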

3. Use it

Restart your client. You can now ask it to do things like:

  • "List my reports" (each report's details are under the data field of the result)
  • "Create a high-severity SQL injection finding in the Acme report from the library template"
  • "Add an Executive Summary section to report X"
  • "Export the Acme report to DOCX"

Revoking access

To turn off access, open Settings → MCP Access and click Revoke. The current token stops working immediately. Generating a new token also invalidates the previous one, so there is only ever one active token per user.