LaunchTrust MCP
Run a compliance + security scan on your app — without leaving Claude Code.
LaunchTrust scans a public URL for the compliance and security gaps that get indie apps rejected or fined — leaked frontend API keys, exposed .env/.git, missing privacy/terms pages, absent security headers, undisclosed AI interactions, tracker/cookie issues — mapped to 39 jurisdictions (EU AI Act, GDPR, US state privacy laws, app-store policies).
It's a remote, hosted MCP server — nothing to install, build, or run. Add the URL and go.
⚖️ Compliance aid, not legal advice. Not a certification of compliance.
Install (Claude Code)
claude mcp add --transport http launchtrust https://mcp.launchtrust.co/mcp
Then ask Claude:
"Scan https://my-app.com for compliance and security issues."
Works in any MCP client that supports remote Streamable HTTP servers (Claude Code, Claude Desktop, …).
What the free scan checks
scan_url runs a focused, high-signal subset of detectors against any public URL — no account needed:
- 🔑 Leaked frontend API keys / secrets
- 📂 Exposed
.env/.git/ config files - 🛡️ Security headers (CSP, HSTS, X-Frame-Options, …) + HTTPS/HSTS
- 📄 Missing privacy / terms pages
- 🤖 Undisclosed AI interactions
- 🍪 Trackers / cookie-consent
The result is plain text, unsigned and not stored.
Tools
Free — no account
| Tool | Description |
|---|---|
scan_url | Quick compliance + security scan of any public URL. |
list_jurisdictions | Jurisdictions & categories covered (EU AI Act, GDPR, US states, app stores). |
get_compliance_rules | Sourced compliance rule snapshots, filterable by jurisdiction. |
verify_record | Independently verify the ES256 signature on a LaunchTrust signed record. |
Account — needs a token
The full version runs all 27 detectors across 39 jurisdictions, stores a signed, dated evidence record, and monitors continuously. Connect with your LaunchTrust token:
claude mcp add --transport http launchtrust https://mcp.launchtrust.co/mcp \
--header "Authorization: Bearer lt_pat_..."
| Tool | Description |
|---|---|
register_app | Register a web app to scan & monitor (idempotent). |
scan_app | Full 27-detector signed scan of a registered app. |
get_scan_history | Recent scans for an app. |
get_market_report | Findings annotated by your target-market jurisdictions. |
list_my_apps | Your registered apps + latest status. |
Get a token at launchtrust.co.
Use in other MCP clients
LaunchTrust is a standard remote (Streamable HTTP) MCP server — it works in any MCP-compatible client, not just Claude Code.
Codex CLI — add to ~/.codex/config.toml:
[mcp_servers.launchtrust]
url = "https://mcp.launchtrust.co/mcp"
Gemini CLI — add to ~/.gemini/settings.json:
{
"mcpServers": {
"launchtrust": { "httpUrl": "https://mcp.launchtrust.co/mcp" }
}
}
Cursor, Windsurf, and others — point them at the remote URL https://mcp.launchtrust.co/mcp (Streamable HTTP).
For the account-gated tools, pass your token as an Authorization: Bearer lt_pat_... header (Claude Code: --header; Codex: http_headers = { Authorization = "Bearer lt_pat_..." }; Gemini: "headers": { "Authorization": "Bearer lt_pat_..." }).
How it works
- Transport: stateless Streamable HTTP (MCP spec
2025-11-25) atPOST /mcp. - Privacy: the free scan stores nothing — it fetches your URL, runs detectors, returns findings. Premium scans store a signed record under your account only.
- Honesty: it never invents findings. Every result traces to what was actually on the page, and it reports mechanical signals (
detected/not_detected) — never a verdict of "compliant".
Links
- 🌐 Website — https://launchtrust.co
- ✅ Verify a signed record — https://launchtrust.co/verify
Development
Zero-dependency Cloudflare Worker; a thin client over the LaunchTrust API.
npm install
npm run typecheck
npm run dev # wrangler dev — POST http://localhost:8787/mcp
npm run deploy # wrangler deploy (custom domain in wrangler.toml)
LaunchTrust is a compliance aid, not legal advice, and is not a certification of compliance with any law.