Connect over MCP
Wire Whisper into your IDE or AI client over MCP, or call the graph directly with an API key. Most clients connect with just the URL.
1 · Connect your client
Point your MCP client at https://mcp.whisper.security. The server supports OAuth (RFC 7591 dynamic registration and PKCE), so most clients need only the URL. The page carries a tab per client; the one-liners below are what each tab shows.
Claude Code
claude mcp add --transport http whisper-graph https://mcp.whisper.securityClaude Desktop
Settings -> Connectors -> Add custom connector
# enter https://mcp.whisper.security, then Connect and sign in with OAuthCursor (.cursor/mcp.json)
{
"mcpServers": {
"whisper-graph": { "url": "https://mcp.whisper.security" }
}
}VS Code (.vscode/mcp.json, Copilot)
{
"servers": {
"whisper-graph": { "type": "http", "url": "https://mcp.whisper.security" }
}
}Windsurf
{
"mcpServers": {
"whisper-graph": { "serverUrl": "https://mcp.whisper.security" }
}
}OpenAI Codex (~/.codex/config.toml)
[mcp_servers.whisper-graph]
url = "https://mcp.whisper.security"
# then: codex mcp login whisper-graph
2 · What your client gets
A complete connection exposes six read-only tools, seven resources, and eleven prebuilt investigation prompts. Clients can read the graph but never mutate it. The tools are query, list_labels, describe_label, explain_indicator, whisper_history, and domain_variants.
3 · Static key or call the graph directly
For CI, headless agents, or clients that would rather not use OAuth, add a Bearer header with a key from your API keys.
{
"mcpServers": {
"whisper-graph": {
"url": "https://mcp.whisper.security",
"headers": { "Authorization": "Bearer $WHISPER_API_KEY" }
}
}
}Or skip MCP and call the query endpoint directly. It accepts your key as a Bearer token or an X-API-Key header.
curl -X POST https://graph.whisper.security/api/query \
-H "Authorization: Bearer $WHISPER_API_KEY" \
-H "Content-Type: application/json" \
-d '{"query": "CALL explain(\"google.com\")"}'
4 · Three ways to authenticate
There are three tiers, and no code changes between them beyond the auth header. Anonymous needs no signup and gives a shallow, rate-limited read for trying the graph. An API key raises the limits to your plan and is the agent path. Signed-in is the full console in the browser.