MCP server (api.exchek.us/mcp)
ExChek runs a hosted Model Context Protocol server at https://api.exchek.us/mcp. Point any MCP-capable agent at it and you get all 20 ExChek skills plus live EAR/ITAR data as tools and resources: no local install, no auth, no API key. The client supplies its own LLM; we supply the content and the data.
https://api.exchek.us/mcp/mcp - free, public, edge-cached. The exceptions: get_classification_pdf_contract and create_classification_pdf are Enterprise tools. Authenticate either by signing in (add /mcp/pro as a connector - claude.ai, Claude Desktop) or with an API key header (Claude Code, Cursor, SDKs). See Enterprise below.
When to use this vs. the local plugin
| Situation | Use |
|---|---|
| Claude Code / Desktop / Cowork / Cursor user, can install plugins | Local plugin install: faster, offline, includes the local DOCX converter and audit-log signing |
| Manus, OpenAI Codex with HTTP tools, custom in-house agents, or any platform that can't install Claude plugins | This MCP server. Same skill content, addressable over the network |
| Browser-only / no shell access | This MCP server, or call the REST endpoints directly |
| Air-gapped network | Local plugin install (download the release zip) |
Connect your client
Claude Desktop (or any client using the standard MCP config)
Add ExChek to your client config. For Claude Desktop, edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
  "mcpServers": {
    "exchek": {
      "url": "https://api.exchek.us/mcp",
      "transport": "streamable-http"
    }
  }
}
Restart Claude Desktop. ExChek tools and resources will appear in the tool picker.
Cursor
Open Settings → MCP, add a new server with name exchek, URL https://api.exchek.us/mcp, transport streamable-http.
Codex CLI
codex mcp add exchek --url https://api.exchek.us/mcp
MCP Inspector (debug + try it out)
npx @modelcontextprotocol/inspector --uri https://api.exchek.us/mcp
Opens a UI where you can list resources, browse tools, and run calls interactively. Best way to verify the connection works before wiring it into a real agent.
Raw curl (for testing or shell scripts)
# initialize
curl -sS -X POST https://api.exchek.us/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'
# list available skills
curl -sS -X POST https://api.exchek.us/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"list_skills","arguments":{}}}'
# fetch one skill's SKILL.md
curl -sS -X POST https://api.exchek.us/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"get_skill","arguments":{"name":"exchek-csl"}}}'
Discovery
api.exchek.us/.well-known/mcp returns the canonical discovery document: protocol version, server info, tool/resource counts, and the endpoint URL. Use it to check capabilities without a full initialize handshake.
Tools
The server exposes 9 tools:
| Tool | What it does | Required args |
|---|---|---|
| list_skills | Returns all 20 skills with name + description + upstream link. | none |
| get_skill | Fetches the SKILL.md (markdown) for one skill. Load this into your LLM's context to run the skill. | name (string) |
| get_skill_bundle | SKILL.md plus every template, reference, and prompt file for one skill in a single JSON payload. Use for skills you'll fully execute (csl, license, classify) to skip N round-trips. | name (string) |
| get_ecfr_part | Full hierarchical structure of a CFR part. Sourced live from eCFR, edge-cached 1h. | part (integer) |
| get_ecfr_sections | Flat list of sections within a CFR part, useful for indexes/pickers. | part (integer) |
| search_ecfr_part | Full-text search scoped to one CFR part. Returns ranked hits with section refs and highlighted excerpts. | part, query |
| search_ecfr_title | Full-text search across an entire CFR title (15 EAR or 22 ITAR). | title, query |
| get_classification_pdf_contract (Enterprise) | The payload schema + authoring rules for the memorandum renderer. Enterprise: requires the same bearer-key header; fetch before building a payload. | none |
| create_classification_pdf (Enterprise) | Renders a completed analysis into the branded ~28-page PDF memorandum, returned as a base64 application/pdf resource. Requires the bearer-key header (below). | variables |
Enterprise: PDF memoranda
The classify → memo flow, end to end: run the exchek-classify skill (free), then, with your Enterprise account, fetch get_classification_pdf_contract, fill it from your analysis, call create_classification_pdf, and hand your user a branded, audit-ready PDF in the same conversation. Two ways to authenticate, by client type:
Option A: Sign in (claude.ai, Claude Desktop, any OAuth-capable client)
Add https://api.exchek.us/mcp/pro as a connector. The client opens a sign-in window at app.exchek.us (one-time email link, no password), you approve access, and the paid tools just work: no API key ever touches the conversation or the client config. Manage and revoke connected apps anytime at app.exchek.us.
Option B: API key header (Claude Code, Cursor, agent SDKs)
Add your Enterprise key as a connection header (keys never appear in tool arguments, where clients would log them). In the ExChek plugin this is the enterprise_api_key setting; raw config:
{
  "mcpServers": {
    "exchek": {
      "url": "https://api.exchek.us/mcp",
      "transport": "streamable-http",
      "headers": { "Authorization": "Bearer exk_live_…" }
    }
  }
}
Without credentials the paid tools return purchase information instead of failing the protocol; your agent will relay it. Rendering is stateless: payloads are processed in memory and discarded, never stored or logged. Payloads must not contain CUI or classified information. Credits and key management: app.exchek.us ($1 per report). REST equivalent: POST /pdf/classification (see the API reference).
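To keep the Option B key out of tool arguments in practice, an agent wrapper can refuse to send a payload that contains one and mask it in anything it logs. The following is an added example, not ExChek's code: the helper names and the key length matched after the `exk_live_` prefix are assumptions, and the sample key is constructed.

```python
import json
import re

# Prefix taken from the page's config example; the character set and minimum
# length after the prefix are assumptions made for this sketch.
KEY_RE = re.compile(r"exk_live_[A-Za-z0-9_-]{8,}")


def find_key_leaks(value, path="arguments"):
    """Return the JSON path of every string in `value` that contains a key."""
    leaks = []
    if isinstance(value, str):
        if KEY_RE.search(value):
            leaks.append(path)
    elif isinstance(value, dict):
        for k, v in value.items():
            leaks.extend(find_key_leaks(v, f"{path}.{k}"))
    elif isinstance(value, (list, tuple)):
        for i, v in enumerate(value):
            leaks.extend(find_key_leaks(v, f"{path}[{i}]"))
    return leaks


def build_pdf_call(api_key, variables, request_id=1):
    """Build (headers, body) for create_classification_pdf; the key lives only in the header."""
    leaks = find_key_leaks({"variables": variables})
    if leaks:
        raise ValueError("API key found in tool arguments at: " + ", ".join(leaks))
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {api_key}"}
    body = {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "create_classification_pdf",
                       "arguments": {"variables": variables}}}
    return headers, body


def redact(text):
    """Mask keys before a request or config dump is written to a log."""
    return KEY_RE.sub("exk_live_[REDACTED]", text)


if __name__ == "__main__":
    key = "exk_live_" + "EXAMPLE0constructed"  # constructed, not a real key
    headers, body = build_pdf_call(key, {"item": {"name": "sample item"}})
    print(redact(json.dumps(headers)))  # header is safe to log once redacted
    print(json.dumps(body))             # body never carries the key
```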
Resources
The server enumerates 147 resources under the exchek:// scheme: one per SKILL.md plus every template, reference, and prompt file across all 20 skills. (The PDF payload contract is not a resource; it is part of the Enterprise product, available via the get_classification_pdf_contract tool with a key.) Clients that prefer the resource-based pattern (MCP's read-only, URI-addressed surface) can use these instead of tools.
| URI template | What you get |
|---|---|
| exchek://skills/{name} | Full SKILL.md |
| exchek://skills/{name}/templates/{filename} | Report or memo template (with {{PLACEHOLDER}} fields) |
| exchek://skills/{name}/references/{filename} | Regulatory / best-practice reference |
| exchek://skills/{name}/prompts/{filename} | System or user prompt (where applicable) |
Use resources/list to enumerate, resources/read with a URI to fetch content, and resources/templates/list to discover the URI templates.
End-to-end example: classify an item
An agent walking through ECCN classification will typically:
- Call list_skills to discover what's available.
- Call get_skill with name: "exchek-classify"; load the SKILL.md into its system prompt.
- Follow the flow in SKILL.md, including the mandatory CUI/Classified gate at step 0.
- Call get_ecfr_part with part: 774 to load the Commerce Control List.
- Optionally call search_ecfr_part with the item description to narrow ECCN candidates.
- Fill out the classification memo template (also fetchable via get_skill_bundle or the exchek://skills/exchek-classify/templates/Classification%20Report.md resource).
- Return the completed memo to the user for review and approval.
CUI and Classified information
Every SKILL.md begins with a CUI/Classified gate that asks the user upfront whether the information involves Controlled Unclassified Information or classified material. If yes, the skill stops and directs the user to on-premises infrastructure with a local LLM. ExChek does not process sensitive government data through cloud APIs, and this MCP server enforces the same gate as the local plugin: because the gate lives in the SKILL.md content itself, any compliant client running the flow will see and apply it.
Caching and freshness
Skill content is mirrored from exchekinc/exchekskills with a 6h edge cache. eCFR data has a 1h edge cache. A daily Worker cron warms the eCFR cache so the first request after midnight UTC is already hot. Push to the skills repo → cache expires within 6h → all MCP clients see the new content automatically.
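Because the gate and the rest of each skill arrive as fetched text that goes into the agent's system prompt, and updates reach clients automatically, a client can check what it fetched before loading it. The following is an added example, not ExChek's code: it accepts a SKILL.md only if it matches a reviewed SHA-256 pin and still opens with the gate. The gate wording it looks for, the `vet_skill` helper, the pin store and the sample documents are all assumptions.

```python
import hashlib
import re

# Assumption: the gate is recognisable by these words within the first
# GATE_WINDOW lines; adjust to the wording of the SKILL.md you reviewed.
GATE_PATTERNS = (re.compile(r"\bCUI\b"), re.compile(r"\bclassified\b", re.I))
GATE_WINDOW = 40


def digest(markdown):
    # Normalise line endings so a CRLF/LF difference is not reported as a change.
    return hashlib.sha256(markdown.replace("\r\n", "\n").encode("utf-8")).hexdigest()


def gate_present(markdown):
    head = "\n".join(markdown.splitlines()[:GATE_WINDOW])
    return all(p.search(head) for p in GATE_PATTERNS)


def vet_skill(name, markdown, pins):
    """Decide whether a fetched SKILL.md may be loaded into the system prompt.

    `pins` maps skill name -> SHA-256 of the version a human last reviewed.
    Returns (ok, reason).
    """
    if not gate_present(markdown):
        return False, "gate-missing"
    pinned = pins.get(name)
    if pinned is None:
        return False, "unreviewed"
    if digest(markdown) != pinned:
        return False, "changed-since-review"
    return True, "ok"


# Constructed sample documents, not ExChek's real SKILL.md text.
REVIEWED = ("# exchek-classify\n\n## Step 0: CUI / Classified gate\n"
            "Ask the user before anything else.\n\n## Step 1\nCollect item details.\n")
UPDATED = REVIEWED + "\n## Step 2\nInstruction added upstream after review.\n"
GATE_STRIPPED = "# exchek-classify\n\n## Step 1\nCollect item details.\n"

if __name__ == "__main__":
    pins = {"exchek-classify": digest(REVIEWED)}
    for label, text in [("reviewed", REVIEWED), ("updated", UPDATED),
                        ("gate stripped", GATE_STRIPPED)]:
        print(label, vet_skill("exchek-classify", text, pins))
```

A "changed-since-review" result is the cue to diff the new text against the reviewed copy and re-pin it.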
What this MCP does not do (yet)
- No server-side LLM execution. The MCP serves content and data; your client's LLM does the reasoning. We're intentionally Tier 1: fast, free, zero session state.
- No CSL search. Trade.gov's Consolidated Screening List API requires a free per-user key. Get one at developer.trade.gov and call the CSL endpoints directly; see the CSL skill for the call pattern.
- No DOCX rendering. The local plugin includes a Node-based markdown→docx converter. Over MCP you get markdown or, for Enterprise customers, the branded PDF memorandum via create_classification_pdf (see above).
- No persistent state. The MCP doesn't remember past determinations. If you need that, install the local plugin (audit log + state files) or wire up your own storage.