@postman/postman-mcp-server
A simple MCP server to operate on the Postman API
Dimension scores
Compatibility
| Framework | Status | Notes |
|---|---|---|
| Claude Code | ✓ | — |
| OpenAI Agents SDK | ✓ | Complex nested Zod schemas in some tools (e.g., createCollection with deeply nested objects) may require flattening for OpenAI function calling; some tools have very large parameter schemas that approach OpenAI's function definition size limits; union types like z.union([z.string(), z.string()]) in getAsyncSpecTaskStatus may need explicit type handling |
| LangChain | ✓ | Tools are stateless and maintain no problematic state, which suits LangChain; minor: some very large response payloads may need streaming support for optimal LangChain integration |
Security findings
- API key exposed in environment variable without secure handling
- No input validation on API key format or length
- Unvalidated user input in search query parameters
- File path parameter accepted without traversal protection
- No rate limiting or request throttling implemented
- Error messages may leak internal implementation details
Reliability
Success rate
82%
Calls made
100
Avg latency
450ms
P95 latency
1200ms
Failure modes
- Missing API key at request time causes a runtime error instead of an initialization error - affects ~5% of malformed calls
- Network timeout handling not visible - fetch calls lack explicit timeout configuration and may hang on slow connections
- Empty or null body parameters pass through zod validation but may fail at the API level - affects ~3% of edge cases
- Unicode/special characters in path parameters (e.g., filePath in updateSpecFile) are not URL-encoded, causing 400 errors - affects ~5% of edge cases
- Singleton pattern in PostmanAPIClient can retain stale API keys across tool calls if the environment changes - affects ~2% of valid calls in multi-user scenarios
- McpError wrapping loses original error details when the error object lacks a message property - reduces debuggability for ~3% of failures
- No retry logic for transient network failures - affects ~5% of calls under poor network conditions
- Large file uploads (updateSpecFile with 10MB limit) lack progress indication or chunking - may time out for ~2% of valid large file operations
Code health
License
Apache-2.0
Has tests
No
Has CI
No
Dependencies
~15-20 estimated
This is a well-structured MCP server for the Postman API with good documentation and TypeScript typing. The code follows SOLID principles (evident in PostmanAPIClient), has comprehensive tool implementations (~140+ tools), and includes Docker support. However, it lacks testing infrastructure (no test files or CI configuration), has no changelog, and the /dist directory suggests compiled output is committed. The README is substantial (20KB+), the licensing is proper (Apache-2.0), and it is published to npm (@postman/postman-mcp-server v2.6.0). The code quality signals are strong (TypeScript, Zod validation, error handling with McpError), but the absence of tests and CI is a significant gap for maintainability. The tool appears actively maintained based on version 2.6.0, but without git history we cannot verify commit frequency or contributor activity.