MCPHub BETA

Security

Effective May 21, 2026

Never paste API keys, OAuth tokens, or private credentials into Registry submissions.

We use HTTP-only session cookies for web authentication and require signed requests for internal service-to-service endpoints.

If you find a vulnerability in mcphub.app or the Registry API, email samanhappy@gmail.com with reproduction details.

Please avoid public disclosure until we have confirmed and remediated the issue.