Claude Code (CLI) (One command)
`claude mcp add domainscan --transport http https://mcp.domainscan.in/mcp --header "Authorization: Bearer $DS_KEY"`. Runs immediately — no config file editing.
MCP server — plug DomainScan into Claude, Cursor, Windsurf, or any MCP-compatible AI agent.
DomainScan exposes every domain, DNS, SSL, email-auth, IP and security check as a remote MCP server at `https://mcp.domainscan.in/mcp`. Streamable HTTP transport, JSON-RPC 2.0 wire, bearer-token auth on the same `ds_live_*` / `ds_test_*` key that powers the REST API. No install, no separate credential, no OAuth round-trip. Plug one URL into your client config and your AI agent gets live access to the entire DomainScan toolkit.
01 · QUICK SETUP
Connect any MCP client in under a minute.
Same shape across every client: paste a JSON server block referencing the remote URL with a bearer token in the Authorization header.
Claude Desktop (JSON config)
Edit `claude_desktop_config.json`, add a `domainscan` entry under `mcpServers` with `url` and `headers.Authorization`. Restart Claude Desktop and the 🔌 panel shows every DomainScan tool.
Cursor (Settings UI)
Settings → MCP → Add new. Paste the same JSON server block. Composer agent picks up every tool on the next prompt.
Windsurf (Cascade)
Edit `~/.codeium/windsurf/mcp_config.json`. Add the server block with `serverUrl`. Restart Windsurf; Cascade gets the new tools.
VS Code (Cline / GitHub Copilot) (Workspace)
`code --add-mcp '{"name":"domainscan","url":"https://mcp.domainscan.in/mcp","headers":{"Authorization":"Bearer $DS_KEY"}}'` or paste into `.vscode/mcp.json`.
Any MCP client (raw) (JSON-RPC)
Wire is JSON-RPC 2.0 over HTTP. Accept header should include `application/json, text/event-stream`. No SDK needed — `curl` works for testing.
02 · TOOL CATALOG
Every DomainScan check, exposed as an MCP tool.
The agent calls `tools/list` once and sees the full surface. Each tool has typed input + structured output — the model can chain them.
Domain (WHOIS / Trust)
`domain_lookup` (WHOIS/RDAP, registrar, dates, NS, DNSSEC), `domain_health` (legitimacy + trust aggregate), `domain_snapshot` (live PNG/JPEG screenshot), `domain_ai_readiness` (llms.txt + AI crawler audit).
DNS (Resolution)
`dns_query` (A/AAAA/MX/TXT/CNAME/NS/SOA), `dns_propagation` (resolvers across continents), `dns_reverse` (PTR), `dns_ns` (authoritative nameservers).
Email authentication (Deliverability)
`domain_spf` (parsed + expanded), `domain_dmarc` (policy + reports), `domain_dkim` (selector lookup), `email_sec` (one-shot SPF + DKIM + DMARC aggregate).
IP intelligence (Network)
`ip_lookup` (geo + ASN + ISP), `ip_reverse`, `isp`, `open_ports`, `traceroute`, `ping`, `subnet`.
Security (Posture)
`ssl_info`, `ssl_chain`, `ip_blacklist` (47 RBLs), `mac_lookup`, `mac_vendor`, `sec_header` (HSTS/CSP/X-Frame/etc.).
Sources (Live data)
IANA + RDAP, MaxMind GeoIP2, 47 RBL databases, ICANN-accredited registrars, Playwright real-browser screenshots, worldwide DNS resolver grid.
03 · AUTH & SCOPES
Bearer-token auth, per-tool scopes.
Every request carries `Authorization: Bearer ds_live_…` or `ds_test_…`. Each tool requires one of four read scopes. Tools the key cannot reach still appear in `tools/list` — but with a `[LOCKED — ...]` description prefix and the portal URL — so the agent can ask the user to enable them.
read:domain (Default)
WHOIS, RDAP, domain health, snapshot, AI readiness, IP tools (lookup, reverse, isp, ports, traceroute, ping, subnet).
read:dns (Default)
DNS query, propagation, reverse, NS, plus SPF/DMARC/DKIM and the email_sec aggregate.
read:ssl (Default)
SSL info + chain, IP blacklist, MAC tools, security headers.
read:ai-readiness (Default)
AI-readiness audit (robots.txt AI directives, llms.txt validity, structured data, rendering, sitemap).
04 · ERRORS
Errors agents can act on.
Transport-level errors return JSON-RPC error envelopes. Tool-level errors return content blocks with `isError: true` and a structured body — including `action_url` and `instructions` where the agent can guide the user.
-32001 · Unauthorized (Auth)
Bearer token missing or invalid. HTTP 401 with JSON-RPC error envelope. Agent prompts user to mint a key.
-32002 · Insufficient scope (Authorization)
Tool requires a scope the key lacks. Body includes `required_scope`, `current_scopes`, `action_url` and `instructions`. Agent shows action_url to user.
-32003 · Quota exhausted (Quota)
Monthly credit limit reached. Body includes upgrade URL and `reset_date`. Agent surfaces upgrade flow or waits.
-32602 · Invalid params (Input)
Zod validation failed on tool arguments. Body includes the issues array. Agent retries with corrected input.
-32604 · Tool failure (Upstream)
Upstream WHOIS / DNS / SSL service unreachable or timed out. Retry with backoff or fall back to a related tool.
-32603 · Internal (Server)
Unexpected server-side failure. Rare. Retry once with backoff; check status page if persistent.
05 · RATE LIMITS
Per-key, per-minute, plan-aware.
MCP shares the per-key monthly credit budget with the REST API. Per-minute rate limit is plan-aware and isolated by key, so one heavy user can't starve others.
FREE — 60 calls/min (Free tier)
100 monthly credits. Per-key isolation means heavy use on one key never blocks another.
STARTER — 300 calls/min (Starter)
2,000 monthly credits. Live keys (`ds_live_*`) available.
PRO — 600 calls/min (Pro)
10,000 monthly credits. Higher concurrency for agent fleets.
BUSINESS — 1,200 calls/min (Business)
50,000 monthly credits. Highest concurrency. SLA-backed.
06 · EXAMPLE PROMPTS
Try these in your agent after connecting.
Natural-language prompts that route through DomainScan tools. The agent decides which to call and in what order.
Is stripe.com safe and legit to share my card with? (domain_health)
Aggregates WHOIS age, SSL validity, blacklist standing, ISP, email-auth posture, exposed ports — one trust report.
Why are my emails to gmail going to spam? (email_sec)
SPF + DKIM + DMARC checked against live records. Returns the failing mechanism and the fix.
Show me what airbnb.com looks like on mobile. (domain_snapshot)
Live PNG rendered server-side at mobile viewport. Inline image content block.
Has my DNS for x.com propagated globally? (dns_propagation)
Probes resolvers across four continents. Returns propagation % by region.
Investigate the IP 185.199.108.153. (ip_lookup + chain)
Geolocation, ASN, ISP, reverse DNS, blacklist — joined into one summary in a single call chain.
Compare github.com and gitlab.com on security. (ssl_info × 2)
Side-by-side SSL chain, security headers, email auth, port exposure — two domains, one prompt.