@ivotoby/openapi-mcp-server 1.12.5 → 1.13.0

package/README.md

@@ -36,7 +36,6 @@ The server supports two transport methods:
 No need to clone this repository. Simply configure Claude Desktop to use this MCP server:
 
 1. Locate or create your Claude Desktop configuration file:
-
    - On macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
 
 2. Add the following configuration:
@@ -120,6 +119,11 @@ The server can be configured through environment variables or command line argum
 - `OPENAPI_SPEC_FROM_STDIN` - Set to "true" to read OpenAPI spec from standard input
 - `OPENAPI_SPEC_INLINE` - Provide OpenAPI spec content directly as a string
 - `API_HEADERS` - Comma-separated key:value pairs for API headers
+- `CLIENT_CERT_PATH` - Path to client certificate PEM file for mutual TLS
+- `CLIENT_KEY_PATH` - Path to client private key PEM file for mutual TLS
+- `CA_CERT_PATH` - Path to custom CA certificate PEM file for private/internal CAs
+- `CLIENT_KEY_PASSPHRASE` - Passphrase for an encrypted client private key
+- `REJECT_UNAUTHORIZED` - Whether to reject untrusted server certificates (default: `true`)
 - `SERVER_NAME` - Name for the MCP server (default: "mcp-openapi-server")
 - `SERVER_VERSION` - Version of the server (default: "1.0.0")
 - `TRANSPORT_TYPE` - Transport type to use: "stdio" or "http" (default: "stdio")
@@ -140,6 +144,8 @@ npx @ivotoby/openapi-mcp-server \
   --api-base-url https://api.example.com \
   --openapi-spec https://api.example.com/openapi.json \
   --headers "Authorization:Bearer token123,X-API-Key:your-api-key" \
+  --client-cert ./certs/client.pem \
+  --client-key ./certs/client-key.pem \
   --name "my-mcp-server" \
   --server-version "1.0.0" \
   --transport http \
@@ -149,6 +155,42 @@ npx @ivotoby/openapi-mcp-server \
   --disable-abbreviation true
 ```
 
+## Mutual TLS (mTLS)
+
+If your upstream API requires client certificate authentication, you can attach TLS credentials directly to outbound requests.
+
+```bash
+npx @ivotoby/openapi-mcp-server \
+  --api-base-url https://secure-api.example.com \
+  --openapi-spec https://secure-api.example.com/openapi.json \
+  --client-cert ./certs/client.pem \
+  --client-key ./certs/client-key.pem \
+  --headers "Authorization:Bearer token123"
+```
+
+This is orthogonal to HTTP-level auth, so mTLS can be combined with static headers or an `AuthProvider`.
+
+TLS-related options only apply when `--api-base-url` uses `https://`.
+
+For private CAs or encrypted keys:
+
+```bash
+npx @ivotoby/openapi-mcp-server \
+  --api-base-url https://internal-api.example.com \
+  --openapi-spec ./openapi.yaml \
+  --client-cert ./certs/client.pem \
+  --client-key ./certs/client-key.pem \
+  --client-key-passphrase "$CLIENT_KEY_PASSPHRASE" \
+  --ca-cert ./certs/internal-ca.pem \
+  --reject-unauthorized false
+```
+
+- `--client-cert` / `CLIENT_CERT_PATH`: client certificate PEM file
+- `--client-key` / `CLIENT_KEY_PATH`: client private key PEM file
+- `--client-key-passphrase` / `CLIENT_KEY_PASSPHRASE`: passphrase for encrypted private keys
+- `--ca-cert` / `CA_CERT_PATH`: custom CA bundle for private/internal certificate authorities
+- `--reject-unauthorized` / `REJECT_UNAUTHORIZED`: set to `false` only when you intentionally want to allow self-signed or otherwise untrusted server certificates
+
 ## OpenAPI Specification Loading
 
 The MCP server supports multiple methods for loading OpenAPI specifications, providing flexibility for different deployment scenarios:
@@ -286,11 +328,11 @@ In addition to exposing OpenAPI endpoints as **tools**, this server can expose *
 
 ### What Are Prompts and Resources?
 
-| Feature | Purpose | Use Case |
-|---------|---------|----------|
-| **Tools** | API endpoints for the AI to execute | Making API calls |
-| **Prompts** | Templated messages with argument substitution | Reusable workflow templates |
-| **Resources** | Read-only content for context | API documentation, schemas |
+| Feature       | Purpose                                       | Use Case                    |
+| ------------- | --------------------------------------------- | --------------------------- |
+| **Tools**     | API endpoints for the AI to execute           | Making API calls            |
+| **Prompts**   | Templated messages with argument substitution | Reusable workflow templates |
+| **Resources** | Read-only content for context                 | API documentation, schemas  |
 
 ### Loading Prompts
 
@@ -434,11 +476,13 @@ curl http://localhost:3000/health
 ```
 
 **Health Response Fields:**
+
 - `status`: Always returns "healthy" when server is running
 - `activeSessions`: Number of active MCP sessions
 - `uptime`: Server uptime in seconds
 
 **Key Features:**
+
 - No authentication required
 - Works with any HTTP method (GET, POST, etc.)
 - Ideal for load balancers, Kubernetes probes, and monitoring systems
@@ -470,7 +514,6 @@ HEALTHCHECK --interval=30s --timeout=3s \
 To see debug logs:
 
 1. When using stdio transport with Claude Desktop:
-
    - Logs appear in the Claude Desktop logs
 
 2. When using HTTP transport:
@@ -630,15 +673,16 @@ if (resourcesManager) {
 
 ```typescript
 interface PromptDefinition {
-  name: string            // Unique identifier
-  title?: string          // Human-readable display title
-  description?: string    // Description of the prompt
-  arguments?: {           // Template arguments
+  name: string // Unique identifier
+  title?: string // Human-readable display title
+  description?: string // Description of the prompt
+  arguments?: {
+    // Template arguments
     name: string
     description?: string
     required?: boolean
   }[]
-  template: string        // Template with {{argName}} placeholders
+  template: string // Template with {{argName}} placeholders
 }
 ```
 
@@ -646,14 +690,14 @@ interface PromptDefinition {
 
 ```typescript
 interface ResourceDefinition {
-  uri: string             // Unique URI identifier
-  name: string            // Resource name
-  title?: string          // Human-readable display title
-  description?: string    // Description of the resource
-  mimeType?: string       // Content MIME type
-  text?: string           // Static text content
-  blob?: string           // Static binary content (base64)
-  contentProvider?: () => Promise<string | { blob: string }>  // Dynamic content
+  uri: string // Unique URI identifier
+  name: string // Resource name
+  title?: string // Human-readable display title
+  description?: string // Description of the resource
+  mimeType?: string // Content MIME type
+  text?: string // Static text content
+  blob?: string // Static binary content (base64)
+  contentProvider?: () => Promise<string | { blob: string }> // Dynamic content
 }
 ```
 

package/dist/bundle.js

@@ -11659,6 +11659,8 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 
 // src/server.ts
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { readFileSync } from "node:fs";
+import { Agent as HttpsAgent } from "node:https";
 import {
   ListToolsRequestSchema,
   CallToolRequestSchema,
@@ -19061,8 +19063,9 @@ var ApiClient = class {
    * @param baseUrl - Base URL for the API
    * @param authProviderOrHeaders - AuthProvider instance or static headers for backward compatibility
    * @param specLoader - Optional OpenAPI spec loader for dynamic meta-tools
+   * @param options - Optional HTTP client configuration
    */
-  constructor(baseUrl, authProviderOrHeaders, specLoader) {
+  constructor(baseUrl, authProviderOrHeaders, specLoader, options) {
     this.axiosInstance = axios_default.create({
       baseURL: baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`,
       timeout: 3e4,
@@ -19071,8 +19074,9 @@ var ApiClient = class {
       // 50MB response body limit
       maxBodyLength: 50 * 1024 * 1024,
       // 50MB request body limit
-      maxRedirects: 5
+      maxRedirects: 5,
       // Limit redirect chains to prevent abuse
+      httpsAgent: options?.httpsAgent
     });
     if (!authProviderOrHeaders) {
       this.authProvider = new StaticAuthProvider();
@@ -19787,19 +19791,60 @@ var OpenAPIServer = class {
     if (this.resourcesManager) {
       capabilities.resources = {};
     }
-    this.server = new Server(
-      { name: config.name, version: config.version },
-      { capabilities }
-    );
+    this.server = new Server({ name: config.name, version: config.version }, { capabilities });
     this.toolsManager = new ToolsManager(config);
     const authProviderOrHeaders = config.authProvider || new StaticAuthProvider(config.headers);
-    this.apiClient = new ApiClient(
+    const apiClientOptions = this.createApiClientOptions();
+    this.apiClient = apiClientOptions ? new ApiClient(
       config.apiBaseUrl,
       authProviderOrHeaders,
-      this.toolsManager.getSpecLoader()
-    );
+      this.toolsManager.getSpecLoader(),
+      apiClientOptions
+    ) : new ApiClient(config.apiBaseUrl, authProviderOrHeaders, this.toolsManager.getSpecLoader());
     this.initializeHandlers();
   }
+  createApiClientOptions() {
+    const hasClientCert = !!this.config.clientCertPath;
+    const hasClientKey = !!this.config.clientKeyPath;
+    if (hasClientCert !== hasClientKey) {
+      throw new Error("clientCertPath and clientKeyPath must be provided together");
+    }
+    if (this.config.clientKeyPassphrase && !hasClientKey) {
+      throw new Error("clientKeyPassphrase requires clientKeyPath and clientCertPath");
+    }
+    const rejectUnauthorized = this.config.rejectUnauthorized ?? true;
+    const shouldConfigureHttpsAgent = hasClientCert || hasClientKey || !!this.config.caCertPath || rejectUnauthorized === false;
+    if (!shouldConfigureHttpsAgent) {
+      return void 0;
+    }
+    let apiUrl;
+    try {
+      apiUrl = new URL(this.config.apiBaseUrl.trim());
+    } catch {
+      throw new Error("TLS options require apiBaseUrl to be a valid https:// URL");
+    }
+    if (apiUrl.protocol !== "https:") {
+      throw new Error("TLS options require apiBaseUrl to use https://");
+    }
+    const httpsAgentOptions = {
+      rejectUnauthorized
+    };
+    if (this.config.clientCertPath) {
+      httpsAgentOptions.cert = readFileSync(this.config.clientCertPath, "utf8");
+    }
+    if (this.config.clientKeyPath) {
+      httpsAgentOptions.key = readFileSync(this.config.clientKeyPath, "utf8");
+    }
+    if (this.config.caCertPath) {
+      httpsAgentOptions.ca = readFileSync(this.config.caCertPath, "utf8");
+    }
+    if (this.config.clientKeyPassphrase) {
+      httpsAgentOptions.passphrase = this.config.clientKeyPassphrase;
+    }
+    return {
+      httpsAgent: new HttpsAgent(httpsAgentOptions)
+    };
+  }
   /**
    * Initialize request handlers
    */
@@ -19856,10 +19901,7 @@ var OpenAPIServer = class {
         prompts: this.promptsManager.getAllPrompts()
       }));
       this.server.setRequestHandler(GetPromptRequestSchema, async (request) => {
-        return this.promptsManager.getPrompt(
-          request.params.name,
-          request.params.arguments
-        );
+        return this.promptsManager.getPrompt(request.params.name, request.params.arguments);
       });
     }
     if (this.resourcesManager) {
@@ -20211,7 +20253,7 @@ function sync_default(start, callback) {
 
 // node_modules/yargs/lib/platform-shims/esm.mjs
 import { inspect } from "util";
-import { readFileSync as readFileSync3 } from "fs";
+import { readFileSync as readFileSync4 } from "fs";
 import { fileURLToPath } from "url";
 
 // node_modules/yargs-parser/build/lib/index.js
@@ -21154,7 +21196,7 @@ function stripQuotes(val) {
 }
 
 // node_modules/yargs-parser/build/lib/index.js
-import { readFileSync } from "fs";
+import { readFileSync as readFileSync2 } from "fs";
 var _a;
 var _b;
 var _c;
@@ -21181,7 +21223,7 @@ var parser = new YargsParser({
     if (typeof __require !== "undefined") {
       return __require(path2);
     } else if (path2.match(/\.json$/)) {
-      return JSON.parse(readFileSync(path2, "utf8"));
+      return JSON.parse(readFileSync2(path2, "utf8"));
     } else {
       throw Error("only .json config files are supported in ESM");
     }
@@ -21233,12 +21275,12 @@ var YError = class _YError extends Error {
 };
 
 // node_modules/y18n/build/lib/platform-shims/node.js
-import { readFileSync as readFileSync2, statSync as statSync2, writeFile } from "fs";
+import { readFileSync as readFileSync3, statSync as statSync2, writeFile } from "fs";
 import { format as format2 } from "util";
 import { resolve as resolve3 } from "path";
 var node_default2 = {
   fs: {
-    readFileSync: readFileSync2,
+    readFileSync: readFileSync3,
     writeFile
   },
   format: format2,
@@ -21462,7 +21504,7 @@ var esm_default = {
     nextTick: process.nextTick,
     stdColumns: typeof process.stdout.columns !== "undefined" ? process.stdout.columns : null
   },
-  readFileSync: readFileSync3,
+  readFileSync: readFileSync4,
   require: () => {
     throw new YError(REQUIRE_ERROR);
   },
@@ -24765,6 +24807,25 @@ function parseHeaders(headerStr) {
   }
   return headers;
 }
+function parseOptionalBoolean(value, optionName) {
+  if (value === void 0 || value === null || value === "") {
+    return void 0;
+  }
+  if (typeof value === "boolean") {
+    return value;
+  }
+  if (typeof value !== "string") {
+    throw new Error(`${optionName} must be a boolean value`);
+  }
+  const normalized = value.trim().toLowerCase();
+  if (["true", "1", "yes", "on"].includes(normalized)) {
+    return true;
+  }
+  if (["false", "0", "no", "off"].includes(normalized)) {
+    return false;
+  }
+  throw new Error(`${optionName} must be one of: true, false, 1, 0, yes, no, on, off`);
+}
 function loadConfig() {
   const argv = yargs_default(hideBin(process.argv)).option("transport", {
     alias: "t",
@@ -24799,6 +24860,21 @@ function loadConfig() {
     alias: "H",
     type: "string",
     description: "API headers in format 'key1:value1,key2:value2'"
+  }).option("client-cert", {
+    type: "string",
+    description: "Path to client certificate PEM file for mutual TLS"
+  }).option("client-key", {
+    type: "string",
+    description: "Path to client private key PEM file for mutual TLS"
+  }).option("ca-cert", {
+    type: "string",
+    description: "Path to custom CA certificate PEM file"
+  }).option("client-key-passphrase", {
+    type: "string",
+    description: "Passphrase for encrypted client private key"
+  }).option("reject-unauthorized", {
+    type: "string",
+    description: "Whether to reject untrusted server certificates"
   }).option("name", {
     alias: "n",
     type: "string",
@@ -24893,15 +24969,17 @@ function loadConfig() {
     if (normalized === "all" || normalized === "dynamic" || normalized === "explicit") {
       toolsMode = normalized;
     } else {
-      throw new Error(
-        "Invalid tools mode. Expected one of: all, dynamic, explicit"
-      );
+      throw new Error("Invalid tools mode. Expected one of: all, dynamic, explicit");
     }
   }
   if (!apiBaseUrl) {
     throw new Error("API base URL is required (--api-base-url or API_BASE_URL)");
   }
   const headers = parseHeaders(argv.headers || process.env.API_HEADERS);
+  const rejectUnauthorizedInput = parseOptionalBoolean(
+    argv["reject-unauthorized"] ?? process.env.REJECT_UNAUTHORIZED,
+    "--reject-unauthorized/REJECT_UNAUTHORIZED"
+  );
   return {
     name: argv.name || process.env.SERVER_NAME || "mcp-openapi-server",
     version: argv["server-version"] || process.env.SERVER_VERSION || "1.0.0",
@@ -24910,6 +24988,11 @@ function loadConfig() {
     specInputMethod,
     inlineSpecContent,
     headers,
+    clientCertPath: argv["client-cert"] || process.env.CLIENT_CERT_PATH,
+    clientKeyPath: argv["client-key"] || process.env.CLIENT_KEY_PATH,
+    caCertPath: argv["ca-cert"] || process.env.CA_CERT_PATH,
+    clientKeyPassphrase: argv["client-key-passphrase"] || process.env.CLIENT_KEY_PASSPHRASE,
+    rejectUnauthorized: rejectUnauthorizedInput ?? true,
     transportType,
     httpPort,
     httpHost,

package/dist/cli.js

@@ -11659,6 +11659,8 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 
 // src/server.ts
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { readFileSync } from "node:fs";
+import { Agent as HttpsAgent } from "node:https";
 import {
   ListToolsRequestSchema,
   CallToolRequestSchema,
@@ -19061,8 +19063,9 @@ var ApiClient = class {
    * @param baseUrl - Base URL for the API
    * @param authProviderOrHeaders - AuthProvider instance or static headers for backward compatibility
    * @param specLoader - Optional OpenAPI spec loader for dynamic meta-tools
+   * @param options - Optional HTTP client configuration
    */
-  constructor(baseUrl, authProviderOrHeaders, specLoader) {
+  constructor(baseUrl, authProviderOrHeaders, specLoader, options) {
     this.axiosInstance = axios_default.create({
       baseURL: baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`,
       timeout: 3e4,
@@ -19071,8 +19074,9 @@ var ApiClient = class {
       // 50MB response body limit
       maxBodyLength: 50 * 1024 * 1024,
       // 50MB request body limit
-      maxRedirects: 5
+      maxRedirects: 5,
       // Limit redirect chains to prevent abuse
+      httpsAgent: options?.httpsAgent
     });
     if (!authProviderOrHeaders) {
       this.authProvider = new StaticAuthProvider();
@@ -19787,19 +19791,60 @@ var OpenAPIServer = class {
     if (this.resourcesManager) {
       capabilities.resources = {};
     }
-    this.server = new Server(
-      { name: config.name, version: config.version },
-      { capabilities }
-    );
+    this.server = new Server({ name: config.name, version: config.version }, { capabilities });
     this.toolsManager = new ToolsManager(config);
     const authProviderOrHeaders = config.authProvider || new StaticAuthProvider(config.headers);
-    this.apiClient = new ApiClient(
+    const apiClientOptions = this.createApiClientOptions();
+    this.apiClient = apiClientOptions ? new ApiClient(
       config.apiBaseUrl,
       authProviderOrHeaders,
-      this.toolsManager.getSpecLoader()
-    );
+      this.toolsManager.getSpecLoader(),
+      apiClientOptions
+    ) : new ApiClient(config.apiBaseUrl, authProviderOrHeaders, this.toolsManager.getSpecLoader());
     this.initializeHandlers();
   }
+  createApiClientOptions() {
+    const hasClientCert = !!this.config.clientCertPath;
+    const hasClientKey = !!this.config.clientKeyPath;
+    if (hasClientCert !== hasClientKey) {
+      throw new Error("clientCertPath and clientKeyPath must be provided together");
+    }
+    if (this.config.clientKeyPassphrase && !hasClientKey) {
+      throw new Error("clientKeyPassphrase requires clientKeyPath and clientCertPath");
+    }
+    const rejectUnauthorized = this.config.rejectUnauthorized ?? true;
+    const shouldConfigureHttpsAgent = hasClientCert || hasClientKey || !!this.config.caCertPath || rejectUnauthorized === false;
+    if (!shouldConfigureHttpsAgent) {
+      return void 0;
+    }
+    let apiUrl;
+    try {
+      apiUrl = new URL(this.config.apiBaseUrl.trim());
+    } catch {
+      throw new Error("TLS options require apiBaseUrl to be a valid https:// URL");
+    }
+    if (apiUrl.protocol !== "https:") {
+      throw new Error("TLS options require apiBaseUrl to use https://");
+    }
+    const httpsAgentOptions = {
+      rejectUnauthorized
+    };
+    if (this.config.clientCertPath) {
+      httpsAgentOptions.cert = readFileSync(this.config.clientCertPath, "utf8");
+    }
+    if (this.config.clientKeyPath) {
+      httpsAgentOptions.key = readFileSync(this.config.clientKeyPath, "utf8");
+    }
+    if (this.config.caCertPath) {
+      httpsAgentOptions.ca = readFileSync(this.config.caCertPath, "utf8");
+    }
+    if (this.config.clientKeyPassphrase) {
+      httpsAgentOptions.passphrase = this.config.clientKeyPassphrase;
+    }
+    return {
+      httpsAgent: new HttpsAgent(httpsAgentOptions)
+    };
+  }
   /**
    * Initialize request handlers
    */
@@ -19856,10 +19901,7 @@ var OpenAPIServer = class {
         prompts: this.promptsManager.getAllPrompts()
       }));
       this.server.setRequestHandler(GetPromptRequestSchema, async (request) => {
-        return this.promptsManager.getPrompt(
-          request.params.name,
-          request.params.arguments
-        );
+        return this.promptsManager.getPrompt(request.params.name, request.params.arguments);
       });
     }
     if (this.resourcesManager) {
@@ -20211,7 +20253,7 @@ function sync_default(start, callback) {
 
 // node_modules/yargs/lib/platform-shims/esm.mjs
 import { inspect } from "util";
-import { readFileSync as readFileSync3 } from "fs";
+import { readFileSync as readFileSync4 } from "fs";
 import { fileURLToPath } from "url";
 
 // node_modules/yargs-parser/build/lib/index.js
@@ -21154,7 +21196,7 @@ function stripQuotes(val) {
 }
 
 // node_modules/yargs-parser/build/lib/index.js
-import { readFileSync } from "fs";
+import { readFileSync as readFileSync2 } from "fs";
 var _a;
 var _b;
 var _c;
@@ -21181,7 +21223,7 @@ var parser = new YargsParser({
     if (typeof __require !== "undefined") {
       return __require(path2);
     } else if (path2.match(/\.json$/)) {
-      return JSON.parse(readFileSync(path2, "utf8"));
+      return JSON.parse(readFileSync2(path2, "utf8"));
     } else {
       throw Error("only .json config files are supported in ESM");
     }
@@ -21233,12 +21275,12 @@ var YError = class _YError extends Error {
 };
 
 // node_modules/y18n/build/lib/platform-shims/node.js
-import { readFileSync as readFileSync2, statSync as statSync2, writeFile } from "fs";
+import { readFileSync as readFileSync3, statSync as statSync2, writeFile } from "fs";
 import { format as format2 } from "util";
 import { resolve as resolve3 } from "path";
 var node_default2 = {
   fs: {
-    readFileSync: readFileSync2,
+    readFileSync: readFileSync3,
     writeFile
   },
   format: format2,
@@ -21462,7 +21504,7 @@ var esm_default = {
     nextTick: process.nextTick,
     stdColumns: typeof process.stdout.columns !== "undefined" ? process.stdout.columns : null
   },
-  readFileSync: readFileSync3,
+  readFileSync: readFileSync4,
   require: () => {
     throw new YError(REQUIRE_ERROR);
   },
@@ -24765,6 +24807,25 @@ function parseHeaders(headerStr) {
   }
   return headers;
 }
+function parseOptionalBoolean(value, optionName) {
+  if (value === void 0 || value === null || value === "") {
+    return void 0;
+  }
+  if (typeof value === "boolean") {
+    return value;
+  }
+  if (typeof value !== "string") {
+    throw new Error(`${optionName} must be a boolean value`);
+  }
+  const normalized = value.trim().toLowerCase();
+  if (["true", "1", "yes", "on"].includes(normalized)) {
+    return true;
+  }
+  if (["false", "0", "no", "off"].includes(normalized)) {
+    return false;
+  }
+  throw new Error(`${optionName} must be one of: true, false, 1, 0, yes, no, on, off`);
+}
 function loadConfig() {
   const argv = yargs_default(hideBin(process.argv)).option("transport", {
     alias: "t",
@@ -24799,6 +24860,21 @@ function loadConfig() {
     alias: "H",
     type: "string",
     description: "API headers in format 'key1:value1,key2:value2'"
+  }).option("client-cert", {
+    type: "string",
+    description: "Path to client certificate PEM file for mutual TLS"
+  }).option("client-key", {
+    type: "string",
+    description: "Path to client private key PEM file for mutual TLS"
+  }).option("ca-cert", {
+    type: "string",
+    description: "Path to custom CA certificate PEM file"
+  }).option("client-key-passphrase", {
+    type: "string",
+    description: "Passphrase for encrypted client private key"
+  }).option("reject-unauthorized", {
+    type: "string",
+    description: "Whether to reject untrusted server certificates"
   }).option("name", {
     alias: "n",
     type: "string",
@@ -24893,15 +24969,17 @@ function loadConfig() {
     if (normalized === "all" || normalized === "dynamic" || normalized === "explicit") {
       toolsMode = normalized;
     } else {
-      throw new Error(
-        "Invalid tools mode. Expected one of: all, dynamic, explicit"
-      );
+      throw new Error("Invalid tools mode. Expected one of: all, dynamic, explicit");
     }
   }
   if (!apiBaseUrl) {
     throw new Error("API base URL is required (--api-base-url or API_BASE_URL)");
   }
   const headers = parseHeaders(argv.headers || process.env.API_HEADERS);
+  const rejectUnauthorizedInput = parseOptionalBoolean(
+    argv["reject-unauthorized"] ?? process.env.REJECT_UNAUTHORIZED,
+    "--reject-unauthorized/REJECT_UNAUTHORIZED"
+  );
   return {
     name: argv.name || process.env.SERVER_NAME || "mcp-openapi-server",
     version: argv["server-version"] || process.env.SERVER_VERSION || "1.0.0",
@@ -24910,6 +24988,11 @@ function loadConfig() {
     specInputMethod,
     inlineSpecContent,
     headers,
+    clientCertPath: argv["client-cert"] || process.env.CLIENT_CERT_PATH,
+    clientKeyPath: argv["client-key"] || process.env.CLIENT_KEY_PATH,
+    caCertPath: argv["ca-cert"] || process.env.CA_CERT_PATH,
+    clientKeyPassphrase: argv["client-key-passphrase"] || process.env.CLIENT_KEY_PASSPHRASE,
+    rejectUnauthorized: rejectUnauthorizedInput ?? true,
     transportType,
     httpPort,
     httpHost,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ivotoby/openapi-mcp-server",
-  "version": "1.12.5",
+  "version": "1.13.0",
   "description": "An MCP server that exposes OpenAPI endpoints as resources",
   "license": "MIT",
   "type": "module",