Live, not cached in a model (Freshness)
Every call resolves WHOIS, DNS, SSL, blacklists, and email auth in real time against the actual source — IANA, MaxMind, RBLs, real registrars. No staleness window. No training cutoff.
DomainScan MCP — domain intelligence for AI agents. WHOIS, DNS, SSL, email auth, IP, and security checks, live from source, in any MCP-compatible client.
Plug one URL into Claude Desktop, Claude Code, Cursor, Windsurf, Cline, or any client that speaks the Model Context Protocol. From that moment, your AI assistant stops guessing about the internet and starts reading the live source — current WHOIS dates, valid SSL chains, real DNS resolution across continents, today's blacklist standing. The same bearer key that powers the DomainScan REST API authenticates the MCP. No new credential, no separate quota, no install. Streamable HTTP transport, scoped per-key, fully audited.
01 · WHY MCP
Your AI agent has been guessing about the internet. We just gave it the answers.
When you ask Claude or Cursor "is this domain safe", "why are my emails going to spam", or "did my DNS propagate", the model usually answers from training data months out of date, a web search of someone's blog post, or sheer guesswork. The DomainScan MCP swaps that out for live, structured facts.
Structured outputs the agent can chain (Reasoning)
Every tool returns typed JSON. The model parses, decides, and chains: scan → interpret → recommend. Not a paragraph of prose it has to re-extract.
One bearer key, every tool (Auth)
Same `ds_live_*` / `ds_test_*` key that already powers your REST account. One credential, one quota, one place to revoke. No OAuth round-trip, no separate MCP credential.
Remote — zero install (Operations)
We host the MCP server. No local process to keep running. New tools we add show up automatically in your agent's `tools/list`. You ship the config once; we evolve the surface.
02 · WHAT IT UNLOCKS
Questions your agent can finally answer.
Real prompts that route through DomainScan tools. The agent decides which to call, in what order, and how to combine results.
Is stripe.com safe to share my card with? (Trust)
Aggregates domain age (WHOIS), SSL validity, blacklist standing, ISP, email auth posture, and exposed ports into a single trust report — in one call.
Why are my emails going to spam? (Email)
Runs SPF, DKIM, and DMARC checks against live records. Returns the failing mechanism, the offending value, and the fix to publish.
Show me what acme.com looks like right now. (Visual)
Live PNG screenshot rendered server-side at desktop, tablet, or mobile viewport. Inline image content block — no browser tab, no leaving the chat.
Did my DNS for x.com propagate yet? (Migration)
Probes resolvers across four continents and reports the percentage of the world seeing the new record, region by region.
Investigate the IP 185.199.108.153. (Triage)
Geolocation, ASN, ISP, reverse DNS, blacklist standing — joined into one readable summary. What used to be five tabs and forty-five minutes.
Compare github.com and gitlab.com on security. (Audit)
Side-by-side SSL chain, security headers, email auth, port exposure, blacklist standing. Two domains, one prompt.
03 · TOOL CATALOG
Every DomainScan check, exposed as an MCP tool.
The agent gets the full toolbox across five categories — each with typed inputs, structured outputs, and clear semantics for when to call.
Domain (WHOIS / Trust)
domain_lookup (WHOIS/RDAP), domain_health (legitimacy + trust aggregate), domain_snapshot (live screenshot), domain_ai_readiness (llms.txt + AI crawler audit).
DNS (Resolution)
dns_query (A/AAAA/MX/TXT/CNAME/NS/SOA/etc.), dns_propagation (across continents), dns_reverse (PTR), dns_ns (authoritative nameservers).
Email authentication (Deliverability)
domain_spf (parsed + expanded), domain_dmarc (policy + reports), domain_dkim (selector lookup), email_sec (one-shot SPF + DKIM + DMARC aggregate).
IP intelligence (Network)
ip_lookup (geo + ASN + ISP), ip_reverse, isp (lightweight), open_ports, traceroute, ping, subnet calculator.
Security (Posture)
ssl_info (cert + TLS version), ssl_chain (full chain-of-trust), ip_blacklist (47 RBLs), mac_lookup, mac_vendor, sec_header (HSTS/CSP/X-Frame/etc.).
Live data sources (Sources)
IANA + RDAP bootstrap, MaxMind GeoIP2, 47 RBL databases, ICANN-accredited registrars, Playwright real-browser screenshots, worldwide DNS resolver grid.
04 · CLIENT COMPATIBILITY
Works with every major MCP client.
Streamable HTTP transport. Standard JSON-RPC 2.0 wire protocol. No custom SDK to install — if your tool speaks MCP, it works.
Claude Desktop (Verified)
Add to `claude_desktop_config.json` under `mcpServers`. Restart Claude Desktop. The 🔌 panel shows DomainScan with every tool listed.
Claude Code (Verified)
`claude mcp add domainscan --transport http https://mcp.domainscan.in/mcp --header "Authorization: Bearer $DS_KEY"`.
Cursor (Verified)
Settings → MCP → Add new. Paste the JSON server block. Composer agent gets all tools immediately.
Windsurf (Compatible)
Edit `~/.codeium/windsurf/mcp_config.json`. Add the server block with `serverUrl`. Cascade picks it up on restart.
VS Code (Cline / GitHub Copilot) (Compatible)
`code --add-mcp '{"name":"domainscan","url":"https://mcp.domainscan.in/mcp","headers":{"Authorization":"Bearer $DS_KEY"}}'` or paste into `.vscode/mcp.json`.
Zed, Cline, any custom agent (Compatible)
Anything that implements MCP's Streamable HTTP transport over JSON-RPC. Raw `curl` works too — no SDK required.
05 · SECURITY & AUDIT
Scoped, revocable, fully audited.
Bearer-token auth over HTTPS. Keys are SHA-256 hashed at rest. Every MCP call is logged with key id, user id, tool, duration, and source — visible in the same analytics pipeline as the REST API.
Per-tool scopes (Authorization)
Each MCP tool requires one scope: `read:domain`, `read:dns`, `read:ssl`, or `read:ai-readiness`. Tools the key cannot reach appear in `tools/list` with a `[LOCKED — ...]` prefix and the portal URL to enable them — so the agent can ask the user to unlock, not silently fail.
Plan-aware rate limits (Rate limits)
Per-key bucket, per-minute. FREE 60, STARTER 300, PRO 600, BUSINESS 1200. One heavy user can't starve others. On hit, JSON-RPC `-32003` with `retryAfter` seconds — clients back off cleanly.
Soft monthly cap (Quota)
Monthly credit budget mirrors the REST plan. First overflow allowed (atomic increment, no race); subsequent calls return `QUOTA_EXHAUSTED` with action_url and reset date. Agent surfaces upgrade flow to the user.
Full request audit (Audit)
Every call recorded with `source: 'mcp'`, `keyId`, `userId`, tool, duration, response size. Searchable from your portal. Revoke a key at any time to disconnect every agent that uses it.
06 · ERRORS
Errors agents can act on.
JSON-RPC error codes for transport errors. Tool-level errors come back as content blocks with `isError: true` and a structured body — including, where useful, an action URL the agent can show the user.
-32001 · Unauthorized (Auth)
Bearer token missing or invalid. Agent prompts user to mint a key.
-32002 · Insufficient scope (Authorization)
Tool requires a scope the key lacks. Response includes `action_url` pointing at `https://domainscan.in/account/api-keys/<keyId>` so the agent can guide the user to enable it.
-32003 · Quota exhausted (Quota)
Monthly limit reached. Response includes upgrade URL and `reset_date`. Agent shows pricing or waits.
-32602 · Invalid params (Input)
Zod validation failed on tool input. Issues list surfaced — agent retries with corrected args.
-32604 · Tool failure (Upstream)
Upstream WHOIS / DNS / SSL service failed or timed out. Retry with backoff.
-32603 · Internal error (Server)
Unexpected server-side failure. Rare. Retry once with backoff; if persistent, check status page.
07 · GET STARTED
Connected in under a minute.
Three steps — generate a key, paste one line of config, start asking.
1. Grab your API key (Step 1)
Use any existing DomainScan key, or mint a fresh one in seconds. Free plan includes 100 calls per month — no card required. The same key powers REST and MCP.
2. Add the remote URL (Step 2)
Paste one server block into your client config. Remote — nothing to install, nothing to run locally. Authorization header carries the bearer key.
3. Ask in plain English (Step 3)
Your agent now sees every tool. Ask "is acme.com safe to email?" or "trace the route to github.com" — it picks the right tool and runs it.