How do I install Vantagate?

Vantagate is a local plugin. Install it using npm package: @vantagate/mcp-server and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Vantagate need?

Vantagate requires the following credentials or environment variables: VANTA_API_KEY. You can find setup instructions on the server detail page.

What AI apps work with Vantagate?

Vantagate uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Vantagate MCP Server

by Aderix

Developer ToolsModerate6.2MCP RegistryLocal

Free

Server data from the Official MCP Registry

VantaGate MCP Server & OpenAPI integration - Human-in-the-Loop for AI Agents

About

VantaGate MCP Server & OpenAPI integration - Human-in-the-Loop for AI Agents

Security Report

6.2

Moderate6.2Moderate Risk

This MCP server is well-engineered with strong security fundamentals. Authentication is properly required via API key in environment variables, input validation is comprehensive using Zod schemas, and dangerous operations are absent. The codebase demonstrates good error handling, timeout protections, and payload size limits. Minor concerns around broad error message details in some edge cases and verbose output do not materially impact security. Supply chain analysis found 2 known vulnerabilities in dependencies (0 critical, 2 high severity). Package verification found 1 issue.

3 files analyzed · 6 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

env_vars

Check that this permission is expected for this type of plugin.

HTTP Network Access

Connects to external APIs or services over the internet.

What You'll Need

Set these up before or after installing:

Your VantaGate API Key (Format: vg_123...)Required

Environment variable: VANTA_API_KEY

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-aderix-vantagate-mcp-server": {
      "env": {
        "VANTA_API_KEY": "your-vanta-api-key-here"
      },
      "args": [
        "-y",
        "@vantagate/mcp-server"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

VantaGate MCP Server & OpenAPI Integration

Human-in-the-Loop authorization for AI Agents. VantaGate intercepts high-risk actions, routes them to a human approver via Slack or Email, and returns a cryptographically-signed decision - so your agent resumes or halts with a full audit trail.

What is VantaGate?

AI agents are increasingly capable of executing consequential real-world actions: sending emails to thousands of users, deleting database records, moving money, deploying to production. VantaGate is the trust layer that ensures humans remain in control.

Agent hits risky action
        ↓
POST /v1/checkpoint  ──→  Human receives Slack/Email notification
        ↓                          ↓
   id and status              Human reviews payload & decides
        ↓                          ↓
Poll GET /v1/checkpoint/{id}  ←──  Decision recorded + payload purged
        ↓
   APPROVED → Resume workflow
   REJECTED → Halt + report reason

Key Guarantees

< 100ms API response - your agent is never blocked waiting for I/O
AES-256 payload encryption at rest - payload is permanently destroyed after the decision
Zero-Retention polling - GET /checkpoint/{id} never returns the original payload
Cryptographic audit trail - every decision is HMAC-SHA256 signed
Stateless protocol - no SDK required; plain HTTP from any language

This Package

This package ships two integration artifacts for connecting any AI agent to VantaGate:

Artifact	File	Best for
OpenAPI 3.0 Spec	`vanta-gate-openapi.json`	No-code tools, OpenAI GPTs, Alice, n8n, Zapier
MCP Server	`src/index.ts` / `dist/index.js`	Claude Desktop, Cursor, Cline, any MCP-compatible agent

Prerequisites

Node.js >= 20
A VantaGate account: https://vanta-gate.com
A VantaGate API key (Dashboard → Projects → New Project)

Quick Start

Option A: Use the MCP Server with Claude Desktop

The fastest path. No manual setup required.

Step 1: Get your API key from https://vanta-gate.com/dashboard/projects

Step 2: Add VantaGate to your Claude Desktop config.

Open your claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "vantagate": {
      "command": "npx",
      "args": ["-y", "@vantagate/mcp-server"],
      "env": {
        "VANTA_API_KEY": "YOUR_API_KEY_HERE"
      }
    }
  }
}

Step 3: Restart Claude Desktop. The tools create_vantagate_checkpoint and check_vantagate_status will appear in Claude's tool list.

Step 4: Ask Claude to do something that requires approval:

"Delete all records from the staging database where created_at < 2024-01-01"

Claude will automatically pause, create a checkpoint, and tell you to check your email or Slack for the approval notification.

Option B: Use the OpenAPI Spec (No-Code / Low-Code)

Import vanta-gate-openapi.json directly into your tool of choice.

OpenAI GPTs / Custom Actions

Open your GPT editor at https://platform.openai.com/gpts
Click "Add actions" → "Import from URL" or paste the JSON
Set Authentication → API Key → Header: X-API-KEY
Enter your VantaGate API key

The GPT will now pause before high-risk tool calls and ask for human approval.

Alice (AI Agent Platform)

Go to Integrations → Import OpenAPI
Upload or paste vanta-gate-openapi.json
Set header X-API-KEY to your VantaGate API key in the credential store
Map create_vantagate_checkpoint to your agent's "before high-risk action" trigger

n8n / Zapier

Add an HTTP Request node
Import the OpenAPI spec to auto-populate endpoints
Set X-API-KEY header in the credential configuration

LangChain / LlamaIndex

from langchain.tools import OpenAPITool

vanta_tool = OpenAPITool.from_openapi_spec(
    spec_path="./vanta-gate-openapi.json",
    headers={"X-API-KEY": os.environ["VANTA_API_KEY"]}
)
agent = initialize_agent([vanta_tool], llm, agent=AgentType.OPENAI_FUNCTIONS)

Available MCP Tools

`create_vantagate_checkpoint`

Pauses the agent workflow and routes a human approval request.

When Claude uses it: Before any high-risk action - financial operations, data deletion, production deployments, bulk communications.

Parameter	Type	Required	Description
`title`	string	✅	Short title shown to approver. Max 200 chars.
`payload`	object	✅	Full JSON context for the decision. Encrypted + purged after decision.
`description`	string	❌	Additional context below the title. Max 1000 chars.
`options`	string[]	❌	Decision options. First = approve action. Default: `["Approve", "Reject"]`. Min 2, max 5.
`timeout`	string	❌	Auto-expire duration: `30m`, `4h`, `2d`. Default: `24h`.
`notify_email`	string	❌	Email address for magic-link notification.
`slack_webhook_url`	string	❌	Slack webhook URL (Pro/Scale plans). From Dashboard → Add to Slack.
`callback_url`	string	❌	Your HTTPS endpoint for signed decision webhook.

Returns: checkpoint_id and step-by-step instructions for the agent.

`check_vantagate_status`

Polls the decision status of a pending checkpoint.

Parameter	Type	Required	Description
`checkpoint_id`	string	✅	The ID from `create_vantagate_checkpoint`.

Returns: status (PENDING / APPROVED / REJECTED / RESOLVED / EXPIRED), selected_option, reject_reason, and the full audit trail.

API Reference Summary

Base URL: https://api.vanta-gate.com/v1
Authentication: X-API-KEY header

Method	Endpoint	Description
`POST`	`/checkpoint`	Create a checkpoint - pauses agent
`GET`	`/checkpoint/{id}`	Poll for human decision
`GET`	`/checkpoint/secure/{token}`	Decision UI (internal - magic link)
`POST`	`/checkpoint/secure/{token}/decide`	Submit decision (internal - decision UI)

Checkpoint Status Lifecycle

PENDING → APPROVED   (human chose first/positive option)
        → REJECTED   (human rejected with optional reason)
        → RESOLVED   (human chose non-primary option)
        → EXPIRED    (timeout elapsed, no decision)

Error Codes

HTTP	Code	Description
400	`Invalid_Webhook_URL`	`slack_webhook_url` must start with `https://hooks.slack.com/`
400	`Invalid_Callback_URL`	`callback_url` is malformed or points to private IP
400	`Invalid_Decision`	Decision value not in checkpoint's options array
400	`Validation_Error`	Request body field validation failure
401	`Unauthorized`	Missing, invalid, or rotated API key
402	`Upgrade_Required`	Feature requires Pro or Scale plan
403	`Forbidden`	API key doesn't match the checkpoint's project
404	`Not_Found`	Checkpoint ID or token does not exist
409	`Already_Decided`	Decision already recorded for this checkpoint
410	`Checkpoint_Expired`	Timeout window has passed
429	`Rate_Limited`	Too many requests - back off and retry

All errors follow the envelope:

{
  "statusCode": 400,
  "error": "Machine_Readable_Code",
  "message": "Human-readable description."
}

Subscription Tiers

Feature	Free	Pro ($49/mo)	Scale ($199/mo)
Checkpoints/month	50	2,500	25,000
Email notifications	✅	✅	✅
Slack notifications	❌	✅	✅
Webhook callbacks	✅	✅	✅
Max timeout	24h	7 days	30 days
Log retention	7 days	90 days	365 days

Timeout values are silently clamped to your plan's maximum. A Free plan request with timeout: "7d" will be capped to 24h.

Webhooks

When a human decides, VantaGate sends a signed HTTPS POST to your callback_url (up to 5 retry attempts with exponential back-off).

Request headers:

Content-Type: application/json
X-Vanta-Signature: sha256=<HMAC-SHA256 of body>
User-Agent: VantaGate-Webhook/1.0

Signature verification (Node.js):

const crypto = require('crypto')

function verifyVantaSignature(rawBody, signature, projectSecret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', projectSecret)
    .update(rawBody)
    .digest('hex')
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(signature)
  )
}

app.post('/webhook/vanta', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.headers['x-vanta-signature']
  if (!verifyVantaSignature(req.body, sig, process.env.VANTA_PROJECT_SECRET)) {
    return res.status(401).json({ error: 'Invalid signature' })
  }
  const event = JSON.parse(req.body)
  if (event.status === 'APPROVED') {
    // ✅ Resume agent workflow
  } else if (event.status === 'REJECTED') {
    // ❌ Halt - check event.reject_reason
  }
  res.json({ received: true })
})

Your Webhook Signing Secret (VANTA_PROJECT_SECRET) is distinct from your API key. Find it in Dashboard → Project Settings.

Building from Source

# Install dependencies
npm install

# Build TypeScript
npm run build

# Run the server directly
VANTA_API_KEY=YOUR_API_KEY_HERE npm start

Advanced: MCP Config for Other Clients

Cursor / Cline / Windsurf

{
  "mcpServers": {
    "vantagate": {
      "command": "npx",
      "args": ["-y", "@vantagate/mcp-server"],
      "env": {
        "VANTA_API_KEY": "YOUR_API_KEY_HERE"
      }
    }
  }
}

With local build (development)

{
  "mcpServers": {
    "vantagate": {
      "command": "node",
      "args": ["/absolute/path/to/dist/index.js"],
      "env": {
        "VANTA_API_KEY": "YOUR_API_KEY_HERE"
      }
    }
  }
}

Security

Your X-API-KEY is hashed server-side - VantaGate never stores plaintext keys.
Your slack_webhook_url is sent per-request and purged atomically after the decision. Zero retention.
All payload data is encrypted at rest with AES-256 and destroyed after the human decision. It cannot be reconstructed.
callback_url is validated against private IP ranges (SSRF prevention).
All webhook deliveries are signed with HMAC-SHA256. Always verify signatures.

License

MIT - see LICENSE

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

Vantagate MCP Server

About

Security Report

Findings (6)Action required

Permissions Required

What You'll Need

How to Install

Documentation

VantaGate MCP Server & OpenAPI Integration

What is VantaGate?

Key Guarantees

This Package

Prerequisites

Quick Start

Option A: Use the MCP Server with Claude Desktop

Option B: Use the OpenAPI Spec (No-Code / Low-Code)

OpenAI GPTs / Custom Actions

Alice (AI Agent Platform)

n8n / Zapier

LangChain / LlamaIndex

Available MCP Tools

create_vantagate_checkpoint

check_vantagate_status

API Reference Summary

Checkpoint Status Lifecycle

Error Codes

Subscription Tiers

Webhooks

Building from Source

Advanced: MCP Config for Other Clients

Cursor / Cline / Windsurf

With local build (development)

Security

License

Links

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Toleno

mcp-creator-python

MarkItDown

FinAgent

mcp-creator-typescript

`create_vantagate_checkpoint`

`check_vantagate_status`