creditkarma-mcp 2.0.5 → 2.0.7

package/README.md

@@ -65,7 +65,7 @@ cp .env.example .env
       "command": "node",
       "args": ["/absolute/path/to/creditkarma-mcp/dist/index.js"],
       "env": {
-        "CK_COOKIES": "your-ckat-value-here"
+        "CK_COOKIES": "CKTRKID=...; CKAT=eyJ...%3BeyJ...; ..."
       }
     }
   }
@@ -85,11 +85,11 @@ Credit Karma uses short-lived JWTs. This server handles automatic token refresh
 #### Option A — scripted (recommended)
 
 ```bash
-npm run auth               # prints the CKAT value to the console
-npm run auth -- .env       # writes CK_COOKIES=<ckat> to .env
+npm run auth               # prints the Cookie header to the console
+npm run auth -- .env       # writes CK_COOKIES=<header> to .env
 ```
 
-Launches Chrome with a dedicated profile at `~/.creditkarma-mcp/chrome-profile`, waits for you to sign in at creditkarma.com, then captures the `CKAT` cookie (the URL-encoded bundle of access + refresh JWTs). Either prints it (for pasting into Claude Desktop / MCPB) or writes it to the env file you pass. Requires Google Chrome installed locally; the script installs `puppeteer-core` on first run (~1 MB).
+Launches Chrome with a dedicated profile at `~/.creditkarma-mcp/chrome-profile`, waits for you to sign in at creditkarma.com, then captures the full session Cookie header (CKAT carries the access + refresh JWTs; CKTRKID and friends are needed by the refresh endpoint). Either prints it (for pasting into Claude Desktop / MCPB) or writes it to the env file you pass at mode 0600 (owner-only). Requires Google Chrome installed locally; on first run the script installs `puppeteer-core`, `puppeteer-extra`, and `puppeteer-extra-plugin-stealth` (a few MB, not added to `package.json`).
 
 #### Option B — manual paste (secure prompt)
 
@@ -98,40 +98,34 @@ npm run auth -- --manual           # prompts for the cookie, prints CK_COOKIES
 npm run auth -- --manual .env      # prompts for the cookie, writes to .env
 ```
 
-Use this if the scripted flow hits Intuit/Akamai bot detection (sign-in returns "A technical issue has unexpectedly occurred"). Grab the cookie from your normal Chrome (Option C below), then paste it at the prompt. Input is **not echoed** — paste, press Enter. Accepts the raw CKAT value, `CKAT=<value>`, or a full Cookie header.
+Use this if the scripted flow hits Intuit/Akamai bot detection (sign-in returns "A technical issue has unexpectedly occurred"). Grab the Cookie header from your normal Chrome (Option C below), then paste it at the prompt. Input is **not echoed** — paste, press Enter.
 
 #### Option C — manual (DevTools)
 
 1. Log in to [creditkarma.com](https://www.creditkarma.com) in Chrome
-2. Open DevTools → **Application** → **Cookies** → `https://www.creditkarma.com`
-3. Find the `CKAT` cookie and copy its value
+2. Open DevTools → **Network** → click any request to creditkarma.com → **Request Headers**
+3. Right-click the `cookie` header → **Copy value**
 
 ### Setting credentials
 
 Either of these works:
 
-- Paste the value from `npm run auth` (or your CKAT cookie) into `CK_COOKIES` in your `.env` or Claude config
-- Or call `ck_set_session` from within Claude with the cookie value — it accepts any of:
+- Paste the value from `npm run auth` into `CK_COOKIES` in your `.env` or Claude config
+- Or call `ck_set_session` from within Claude with the Cookie header value
 
-| Format | Example |
-|--------|---------|
-| Raw CKAT value | `eyJraWQ...%3BeyJraWQ...` |
-| `CKAT=<value>` | `CKAT=eyJraWQ...%3BeyJraWQ...` |
-| Full Cookie header | *(what `npm run auth` prints)* |
-
-The server automatically extracts both the access token and refresh token from the CKAT cookie, and refreshes the access token as needed.
+The server extracts the access and refresh JWTs from the `CKAT` cookie inside the header and refreshes the access token automatically as needed.
 
 ### Session expiry
 
 - **Access token**: ~15 minutes (auto-refreshed transparently)
 - **Refresh token**: ~8 hours
-- When the refresh token expires, re-run `npm run auth` (or grab the new CKAT cookie from DevTools) and either update `CK_COOKIES` or call `ck_set_session`
+- When the refresh token expires, re-run `npm run auth` (or grab a fresh Cookie header from DevTools) and either update `CK_COOKIES` or call `ck_set_session`
 
 ## Available tools
 
 | Tool | What it does |
 |------|-------------|
-| `ck_set_session` | Store credentials from your browser cookies (auto-extracts tokens from CKAT) |
+| `ck_set_session` | Store credentials from your browser Cookie header (auto-extracts JWTs from the CKAT cookie) |
 | `ck_sync_transactions` | Sync transactions into the local SQLite database |
 | `ck_list_transactions` | List transactions with filters (date, account, category, merchant, amount) |
 | `ck_get_recent_transactions` | Fetch the N most recent transactions |
@@ -162,14 +156,14 @@ sync_state   (key, value)
 
 | Env var | Description | Default |
 |---------|-------------|---------|
-| `CK_COOKIES` | CKAT value, `CKAT=<value>`, or full Cookie header | *(required)* |
+| `CK_COOKIES` | Full Cookie header from a signed-in creditkarma.com request | *(required)* |
 | `CK_DB_PATH` | Path to SQLite database file | `~/.creditkarma-mcp/transactions.db` |
 
 ## Troubleshooting
 
-**"TOKEN_EXPIRED"** — your refresh token has expired. Re-run `npm run auth` (or grab a new CKAT cookie) and update `CK_COOKIES` or call `ck_set_session`.
+**"TOKEN_EXPIRED"** — your refresh token has expired. Re-run `npm run auth` (or grab a fresh Cookie header) and update `CK_COOKIES` or call `ck_set_session`.
 
-**Sync returns 0 transactions** — check that your `CK_COOKIES` value is fresh. CKAT cookies expire after ~8 hours.
+**Sync returns 0 transactions** — check that your `CK_COOKIES` value is fresh. The refresh token inside the CKAT cookie expires after ~8 hours.
 
 **Tools not appearing** — fully quit and relaunch Claude Desktop. In Claude Code, run `/mcp` to check server status.
 
@@ -178,33 +172,48 @@ sync_state   (key, value)
 ## Security
 
 - Credentials are stored only in your local `.env` file (gitignored) or Claude config
-- The server never logs credentials
-- Only SELECT queries are permitted via `ck_query_sql` — no writes to Credit Karma
+- `.env` is written at mode 0600 (owner read/write only) by both `npm run auth` and `ck_set_session`
+- `ck_set_session` refuses to save a refresh token whose JWT `exp` is already in the past — prevents stale credentials from polluting `.env`
+- The server never logs credentials; warnings go to stderr only (stdout is reserved for the MCP JSON-RPC stream)
+- Only `SELECT` queries are permitted via `ck_query_sql` — no writes to Credit Karma; the underlying `node:sqlite` `prepare()` also rejects multi-statement input
 
 ## Development
 
 ```bash
-npm test            # run the test suite
-npm run build       # compile TypeScript → dist/
-npm run test:watch  # watch mode
+npm test               # run the test suite (vitest)
+npm run build          # compile TypeScript → dist/, copy transaction.graphql, bundle for MCPB
+npm run test:watch     # watch mode
+npm run test:coverage  # coverage report (CI enforces 100% on src/**)
 ```
 
+Versions are bumped automatically by the **Tag & Bump** GitHub Action (`.github/workflows/tag-and-bump.yml`). Do not bump manually.
+
+### Pull requests
+
+Changes land via PR, including for solo work — release notes are generated from merged PRs only (config in `.github/release.yml`). Apply one of these labels to every PR: `enhancement`, `bug`, `security`, `refactor`, `documentation`, `test`, `dependencies`, `ci`, or `ignore-for-release` (excludes from notes). The PR title becomes the changelog bullet, so write it like a user-facing entry.
+
 ### Project structure
 
 ```
 src/
-  client.ts             Credit Karma GraphQL client with auto-refresh
-  index.ts              MCP server entry point
-  db.ts                 SQLite schema and upsert helpers
-  transaction.graphql   GraphQL query for transactions
+  client.ts             Credit Karma GraphQL client (auto-refresh, JWT helpers, cookie parser)
+  index.ts              MCP server entry point; bootstraps tokens from CK_COOKIES
+  db.ts                 SQLite schema, migrations, and upsert helpers
+  transaction.graphql   GraphQL query for transactions (copied to dist/ at build time)
   tools/
-    auth.ts             ck_set_session
-    sync.ts             ck_sync_transactions
-    query.ts            ck_list_transactions, ck_get_recent_transactions, etc.
-    sql.ts              ck_query_sql
+    auth.ts             ck_set_session — refuses stale refresh tokens, writes .env at 0600
+    sync.ts             ck_sync_transactions — incremental sync with resume-on-failure
+    query.ts            ck_list_transactions, ck_get_recent_transactions,
+                        ck_get_spending_by_category, ck_get_spending_by_merchant,
+                        ck_get_account_summary
+    sql.ts              ck_query_sql — SELECT-only escape hatch
+scripts/
+  setup-auth.mjs        npm run auth — Puppeteer flow + manual paste fallback
 tests/
+  helpers.ts            Shared test helpers (fakeServer, makeJwt)
   client.test.ts
   db.test.ts
+  setup-auth.test.ts
   tools/
     auth.test.ts
     sync.test.ts

package/SKILL.md

@@ -23,7 +23,7 @@ Add to `.mcp.json` in your project or `~/.claude/mcp.json`:
       "command": "npx",
       "args": ["-y", "creditkarma-mcp"],
       "env": {
-        "CK_COOKIES": "your-ckat-value-here"
+        "CK_COOKIES": "CKTRKID=...; CKAT=eyJ...%3BeyJ...; ..."
       }
     }
   }
@@ -47,7 +47,7 @@ Then add to `.mcp.json`:
       "command": "node",
       "args": ["/path/to/creditkarma-mcp/dist/index.js"],
       "env": {
-        "CK_COOKIES": "your-ckat-value-here"
+        "CK_COOKIES": "CKTRKID=...; CKAT=eyJ...%3BeyJ...; ..."
       }
     }
   }
@@ -60,33 +60,31 @@ Or use a `.env` file in the project directory with `CK_COOKIES=<value>`.
 
 **Scripted (recommended — source install):**
 ```bash
-npm run auth               # prints the CKAT value to the console
-npm run auth -- .env       # writes CK_COOKIES=<ckat> to .env
+npm run auth               # prints the Cookie header to the console
+npm run auth -- .env       # writes CK_COOKIES=<header> to .env
 ```
 
-Launches Chrome with a dedicated profile, waits for sign-in at creditkarma.com, then captures the `CKAT` cookie (the URL-encoded bundle of access + refresh JWTs). Use the printed value with Claude Desktop / MCPB, or the `.env` form when running from source.
+Launches Chrome with a dedicated profile, waits for sign-in at creditkarma.com, then captures the full session Cookie header (CKAT carries the access + refresh JWTs; CKTRKID and friends are needed by the refresh endpoint). Use the printed value with Claude Desktop / MCPB, or the `.env` form when running from source.
 
 **Manual (DevTools):**
 1. Log in to [creditkarma.com](https://www.creditkarma.com) in Chrome
-2. DevTools → **Application** → **Cookies** → `creditkarma.com`
-3. Copy the `CKAT` cookie value
-
-Accepts: raw CKAT value, `CKAT=<value>`, or the full Cookie header string from any CK network request.
+2. DevTools → **Network** → any creditkarma.com request → **Request Headers**
+3. Right-click the `cookie` header → **Copy value**
 
 ## Authentication
 
-Call `ck_set_session` with your cookie value to store credentials and enable auto-refresh.
+Call `ck_set_session` with your Cookie header to store credentials and enable auto-refresh.
 
 - Access token: ~15 min TTL, auto-refreshed transparently
 - Refresh token: ~8 hours TTL
-- When expired: re-run `npm run auth` (or grab a new CKAT cookie) and call `ck_set_session`
+- When expired: re-run `npm run auth` (or grab a fresh Cookie header) and call `ck_set_session`
 
 ## Tools
 
 ### Auth
 | Tool | Description |
 |------|-------------|
-| `ck_set_session(cookies)` | Store credentials — accepts CKAT value, `CKAT=<value>`, or full Cookie header |
+| `ck_set_session(cookies)` | Store credentials — paste the full Cookie header from a signed-in creditkarma.com request |
 
 ### Sync
 | Tool | Description |
@@ -106,7 +104,7 @@ Call `ck_set_session` with your cookie value to store credentials and enable aut
 ## Workflows
 
 **First-time setup:**
-1. Run `npm run auth` (or grab the `CKAT` cookie manually from creditkarma.com DevTools)
+1. Run `npm run auth` (or grab the Cookie header manually from a creditkarma.com request in DevTools)
 2. Paste into `CK_COOKIES` env var, or call `ck_set_session(cookies)` from within Claude
 3. `ck_sync_transactions` → initial full sync
 

package/dist/bundle.js

@@ -3104,6 +3104,9 @@ var require_utils = __commonJS({
     "use strict";
     var isUUID = RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu);
     var isIPv4 = RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);
+    var isHexPair = RegExp.prototype.test.bind(/^[\da-f]{2}$/iu);
+    var isUnreserved = RegExp.prototype.test.bind(/^[\da-z\-._~]$/iu);
+    var isPathCharacter = RegExp.prototype.test.bind(/^[\da-z\-._~!$&'()*+,;=:@/]$/iu);
     function stringArrayToHexStripped(input) {
       let acc = "";
       let code = 0;
@@ -3296,27 +3299,77 @@ var require_utils = __commonJS({
       }
       return output.join("");
     }
-    function normalizeComponentEncoding(component, esc2) {
-      const func = esc2 !== true ? escape : unescape;
-      if (component.scheme !== void 0) {
-        component.scheme = func(component.scheme);
-      }
-      if (component.userinfo !== void 0) {
-        component.userinfo = func(component.userinfo);
-      }
-      if (component.host !== void 0) {
-        component.host = func(component.host);
+    var HOST_DELIMS = { "@": "%40", "/": "%2F", "?": "%3F", "#": "%23", ":": "%3A" };
+    var HOST_DELIM_RE = /[@/?#:]/g;
+    var HOST_DELIM_NO_COLON_RE = /[@/?#]/g;
+    function reescapeHostDelimiters(host, isIP) {
+      const re = isIP ? HOST_DELIM_NO_COLON_RE : HOST_DELIM_RE;
+      re.lastIndex = 0;
+      return host.replace(re, (ch) => HOST_DELIMS[ch]);
+    }
+    function normalizePercentEncoding(input, decodeUnreserved = false) {
+      if (input.indexOf("%") === -1) {
+        return input;
       }
-      if (component.path !== void 0) {
-        component.path = func(component.path);
+      let output = "";
+      for (let i = 0; i < input.length; i++) {
+        if (input[i] === "%" && i + 2 < input.length) {
+          const hex3 = input.slice(i + 1, i + 3);
+          if (isHexPair(hex3)) {
+            const normalizedHex = hex3.toUpperCase();
+            const decoded = String.fromCharCode(parseInt(normalizedHex, 16));
+            if (decodeUnreserved && isUnreserved(decoded)) {
+              output += decoded;
+            } else {
+              output += "%" + normalizedHex;
+            }
+            i += 2;
+            continue;
+          }
+        }
+        output += input[i];
       }
-      if (component.query !== void 0) {
-        component.query = func(component.query);
+      return output;
+    }
+    function normalizePathEncoding(input) {
+      let output = "";
+      for (let i = 0; i < input.length; i++) {
+        if (input[i] === "%" && i + 2 < input.length) {
+          const hex3 = input.slice(i + 1, i + 3);
+          if (isHexPair(hex3)) {
+            const normalizedHex = hex3.toUpperCase();
+            const decoded = String.fromCharCode(parseInt(normalizedHex, 16));
+            if (decoded !== "." && isUnreserved(decoded)) {
+              output += decoded;
+            } else {
+              output += "%" + normalizedHex;
+            }
+            i += 2;
+            continue;
+          }
+        }
+        if (isPathCharacter(input[i])) {
+          output += input[i];
+        } else {
+          output += escape(input[i]);
+        }
       }
-      if (component.fragment !== void 0) {
-        component.fragment = func(component.fragment);
+      return output;
+    }
+    function escapePreservingEscapes(input) {
+      let output = "";
+      for (let i = 0; i < input.length; i++) {
+        if (input[i] === "%" && i + 2 < input.length) {
+          const hex3 = input.slice(i + 1, i + 3);
+          if (isHexPair(hex3)) {
+            output += "%" + hex3.toUpperCase();
+            i += 2;
+            continue;
+          }
+        }
+        output += escape(input[i]);
       }
-      return component;
+      return output;
     }
     function recomposeAuthority(component) {
       const uriTokens = [];
@@ -3331,7 +3384,7 @@ var require_utils = __commonJS({
           if (ipV6res.isIPV6 === true) {
             host = `[${ipV6res.escapedHost}]`;
           } else {
-            host = component.host;
+            host = reescapeHostDelimiters(host, false);
           }
         }
         uriTokens.push(host);
@@ -3345,7 +3398,10 @@ var require_utils = __commonJS({
     module.exports = {
       nonSimpleDomain,
       recomposeAuthority,
-      normalizeComponentEncoding,
+      reescapeHostDelimiters,
+      normalizePercentEncoding,
+      normalizePathEncoding,
+      escapePreservingEscapes,
       removeDotSegments,
       isIPv4,
       isUUID,
@@ -3569,12 +3625,12 @@ var require_schemes = __commonJS({
 var require_fast_uri = __commonJS({
   "node_modules/fast-uri/index.js"(exports, module) {
     "use strict";
-    var { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizeComponentEncoding, isIPv4, nonSimpleDomain } = require_utils();
+    var { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizePercentEncoding, normalizePathEncoding, escapePreservingEscapes, reescapeHostDelimiters, isIPv4, nonSimpleDomain } = require_utils();
     var { SCHEMES, getSchemeHandler } = require_schemes();
     function normalize(uri, options) {
       if (typeof uri === "string") {
         uri = /** @type {T} */
-        serialize(parse3(uri, options), options);
+        normalizeString(uri, options);
       } else if (typeof uri === "object") {
         uri = /** @type {T} */
         parse3(serialize(uri, options), options);
@@ -3641,19 +3697,9 @@ var require_fast_uri = __commonJS({
       return target;
     }
     function equal(uriA, uriB, options) {
-      if (typeof uriA === "string") {
-        uriA = unescape(uriA);
-        uriA = serialize(normalizeComponentEncoding(parse3(uriA, options), true), { ...options, skipEscape: true });
-      } else if (typeof uriA === "object") {
-        uriA = serialize(normalizeComponentEncoding(uriA, true), { ...options, skipEscape: true });
-      }
-      if (typeof uriB === "string") {
-        uriB = unescape(uriB);
-        uriB = serialize(normalizeComponentEncoding(parse3(uriB, options), true), { ...options, skipEscape: true });
-      } else if (typeof uriB === "object") {
-        uriB = serialize(normalizeComponentEncoding(uriB, true), { ...options, skipEscape: true });
-      }
-      return uriA.toLowerCase() === uriB.toLowerCase();
+      const normalizedA = normalizeComparableURI(uriA, options);
+      const normalizedB = normalizeComparableURI(uriB, options);
+      return normalizedA !== void 0 && normalizedB !== void 0 && normalizedA.toLowerCase() === normalizedB.toLowerCase();
     }
     function serialize(cmpts, opts) {
       const component = {
@@ -3678,12 +3724,12 @@ var require_fast_uri = __commonJS({
       if (schemeHandler && schemeHandler.serialize) schemeHandler.serialize(component, options);
       if (component.path !== void 0) {
         if (!options.skipEscape) {
-          component.path = escape(component.path);
+          component.path = escapePreservingEscapes(component.path);
           if (component.scheme !== void 0) {
             component.path = component.path.split("%3A").join(":");
           }
         } else {
-          component.path = unescape(component.path);
+          component.path = normalizePercentEncoding(component.path);
         }
       }
       if (options.reference !== "suffix" && component.scheme) {
@@ -3718,7 +3764,16 @@ var require_fast_uri = __commonJS({
       return uriTokens.join("");
     }
     var URI_PARSE = /^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;
-    function parse3(uri, opts) {
+    function getParseError(parsed, matches) {
+      if (matches[2] !== void 0 && parsed.path && parsed.path[0] !== "/") {
+        return 'URI path must start with "/" when authority is present.';
+      }
+      if (typeof parsed.port === "number" && (parsed.port < 0 || parsed.port > 65535)) {
+        return "URI port is malformed.";
+      }
+      return void 0;
+    }
+    function parseWithStatus(uri, opts) {
       const options = Object.assign({}, opts);
       const parsed = {
         scheme: void 0,
@@ -3729,6 +3784,7 @@ var require_fast_uri = __commonJS({
         query: void 0,
         fragment: void 0
       };
+      let malformedAuthorityOrPort = false;
       let isIP = false;
       if (options.reference === "suffix") {
         if (options.scheme) {
@@ -3749,6 +3805,11 @@ var require_fast_uri = __commonJS({
         if (isNaN(parsed.port)) {
           parsed.port = matches[5];
         }
+        const parseError = getParseError(parsed, matches);
+        if (parseError !== void 0) {
+          parsed.error = parsed.error || parseError;
+          malformedAuthorityOrPort = true;
+        }
         if (parsed.host) {
           const ipv4result = isIPv4(parsed.host);
           if (ipv4result === false) {
@@ -3787,14 +3848,18 @@ var require_fast_uri = __commonJS({
               parsed.scheme = unescape(parsed.scheme);
             }
             if (parsed.host !== void 0) {
-              parsed.host = unescape(parsed.host);
+              parsed.host = reescapeHostDelimiters(unescape(parsed.host), isIP);
             }
           }
           if (parsed.path) {
-            parsed.path = escape(unescape(parsed.path));
+            parsed.path = normalizePathEncoding(parsed.path);
           }
           if (parsed.fragment) {
-            parsed.fragment = encodeURI(decodeURIComponent(parsed.fragment));
+            try {
+              parsed.fragment = encodeURI(decodeURIComponent(parsed.fragment));
+            } catch {
+              parsed.error = parsed.error || "URI malformed";
+            }
           }
         }
         if (schemeHandler && schemeHandler.parse) {
@@ -3803,7 +3868,29 @@ var require_fast_uri = __commonJS({
       } else {
         parsed.error = parsed.error || "URI can not be parsed.";
       }
-      return parsed;
+      return { parsed, malformedAuthorityOrPort };
+    }
+    function parse3(uri, opts) {
+      return parseWithStatus(uri, opts).parsed;
+    }
+    function normalizeString(uri, opts) {
+      return normalizeStringWithStatus(uri, opts).normalized;
+    }
+    function normalizeStringWithStatus(uri, opts) {
+      const { parsed, malformedAuthorityOrPort } = parseWithStatus(uri, opts);
+      return {
+        normalized: malformedAuthorityOrPort ? uri : serialize(parsed, opts),
+        malformedAuthorityOrPort
+      };
+    }
+    function normalizeComparableURI(uri, opts) {
+      if (typeof uri === "string") {
+        const { normalized, malformedAuthorityOrPort } = normalizeStringWithStatus(uri, opts);
+        return malformedAuthorityOrPort ? void 0 : normalized;
+      }
+      if (typeof uri === "object") {
+        return serialize(uri, opts);
+      }
     }
     var fastUri = {
       SCHEMES,
@@ -3943,7 +4030,7 @@ var require_core = __commonJS({
       constructor(opts = {}) {
         this.schemas = {};
         this.refs = {};
-        this.formats = {};
+        this.formats = /* @__PURE__ */ Object.create(null);
         this._compilations = /* @__PURE__ */ new Set();
         this._loading = {};
         this._cache = /* @__PURE__ */ new Map();
@@ -30931,7 +31018,7 @@ var CreditKarmaClient = class {
    * Requires a refresh token and session cookies (captured after login).
    */
   async refreshAccessToken() {
-    if (!this.refreshToken) throw new Error("NO_REFRESH_TOKEN: Call ck_login first.");
+    if (!this.refreshToken) throw new Error("NO_REFRESH_TOKEN: Call ck_set_session first.");
     const headers = {
       "content-type": "application/json",
       "Origin": "https://www.creditkarma.com",
@@ -30954,7 +31041,13 @@ var CreditKarmaClient = class {
       headers,
       body: JSON.stringify({ refreshToken: this.refreshToken })
     });
-    if (!res.ok) throw new Error(`Token refresh failed: HTTP ${res.status}`);
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      const contentType = res.headers.get("content-type") ?? "";
+      const looksHtml = !contentType.includes("json") && /^\s*<(!doctype|html)/i.test(body);
+      const detail = looksHtml ? "(non-JSON error page \u2014 refresh token likely expired or session invalid; re-run `npm run auth`)" : body.length > 200 ? body.slice(0, 200) + "\u2026" : body || "(empty body)";
+      throw new Error(`Token refresh failed: HTTP ${res.status} \u2014 ${detail}`);
+    }
     const json2 = await res.json();
     if (json2.error || !json2.accessToken) throw new Error(`Token refresh error: ${json2.error ?? "no accessToken in response"}`);
     this.setToken(json2.accessToken);
@@ -30975,14 +31068,23 @@ var CreditKarmaClient = class {
     });
   }
 };
-function extractGlidFromJwt(token) {
+function decodeJwtPayload(token) {
   try {
-    const payload = JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString());
-    return payload.glid ?? null;
+    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString());
   } catch {
     return null;
   }
 }
+function isJwtExpired(token) {
+  const p = decodeJwtPayload(token);
+  if (!p || typeof p.exp !== "number") return false;
+  return p.exp * 1e3 < Date.now();
+}
+function extractGlidFromJwt(token) {
+  const p = decodeJwtPayload(token);
+  const glid = p?.glid;
+  return typeof glid === "string" ? glid : null;
+}
 function extractCookieValue(cookieString, name) {
   const match = cookieString.match(new RegExp(`(?:^|;\\s*)${name}=([^;]+)`));
   return match ? match[1] : null;
@@ -31139,21 +31241,20 @@ function setSyncState(db, key, value) {
 import { readFileSync as readFileSync2, writeFileSync, existsSync } from "fs";
 import { join as join2, dirname as dirname3 } from "path";
 async function handleSetSession(args, ctx) {
-  const ckat = extractCookieValue2(args.cookies, "CKAT") ?? args.cookies.trim();
+  const ckat = extractCookieValue(args.cookies, "CKAT") ?? args.cookies.trim();
   const parts = ckat.replace("%3B", ";").split(";");
   const accessToken = parts[0]?.trim();
   const refreshToken = parts[1]?.trim() ?? null;
   if (!accessToken) return "Session not saved: could not extract a token from the provided value.";
+  if (refreshToken && isJwtExpired(refreshToken)) {
+    return "Session not saved: refresh token has already expired. Run `npm run auth` to capture fresh credentials via browser login.";
+  }
   ctx.client.setToken(accessToken);
   if (refreshToken) ctx.client.setRefreshToken(refreshToken);
   ctx.client.setCookies(args.cookies);
   const warning = persistSession(args.cookies, ctx.mcpJsonPath);
   return warning ? `Session saved. Warning: ${warning}` : "Session saved. Access token, refresh token, and cookies stored.";
 }
-function extractCookieValue2(cookieString, name) {
-  const match = cookieString.match(new RegExp(`(?:^|;\\s*)${name}=([^;]+)`));
-  return match ? match[1] : null;
-}
 function persistSession(cookies, mcpJsonPath) {
   if (!cookies) return null;
   const envPath = join2(dirname3(mcpJsonPath), ".env");
@@ -31168,7 +31269,7 @@ function persistSession(cookies, mcpJsonPath) {
   const line = `CK_COOKIES=${cookies}`;
   const updated = existing.match(/^CK_COOKIES=/m) ? existing.replace(/^CK_COOKIES=.*/m, line) : existing + (existing.endsWith("\n") || existing === "" ? "" : "\n") + line + "\n";
   try {
-    writeFileSync(envPath, updated);
+    writeFileSync(envPath, updated, { mode: 384 });
   } catch {
     return ".env could not be written \u2014 session applied in memory only";
   }
@@ -31178,10 +31279,10 @@ function registerAuthTools(server, ctx) {
   server.registerTool(
     "ck_set_session",
     {
-      description: 'Store a Credit Karma session to enable automatic token refresh. Accepts any of: (1) the raw CKAT cookie value, (2) the full Cookie header string from any creditkarma.com request, or (3) just "CKAT=<value>". Capture via `npm run auth` from the creditkarma-mcp repo, or find CKAT in Chrome DevTools \u2192 Application \u2192 Cookies \u2192 creditkarma.com.',
+      description: "Store a Credit Karma session to enable automatic token refresh. Pass the full Cookie header from a signed-in creditkarma.com request (Chrome DevTools \u2192 Network \u2192 any creditkarma.com request \u2192 Request Headers \u2192 right-click the `cookie` header \u2192 Copy value). Capture via `npm run auth` from the creditkarma-mcp repo.",
       annotations: { readOnlyHint: false },
       inputSchema: {
-        cookies: external_exports.string().describe('One of: raw CKAT value, full Cookie header string, or "CKAT=<value>"')
+        cookies: external_exports.string().describe("Full Cookie header from a signed-in creditkarma.com request (contains CKAT, CKTRKID, etc.)")
       }
     },
     async (args) => {
@@ -31271,7 +31372,7 @@ async function handleSyncTransactions(args, ctx) {
 }
 async function refreshOrThrow(ctx) {
   if (!ctx.client.getRefreshToken()) {
-    throw new Error("TOKEN_EXPIRED: No valid token. Run `npm run auth` to capture a fresh Cookie header via browser login, or call ck_set_session with your CKAT cookie.");
+    throw new Error("TOKEN_EXPIRED: No valid token. Run `npm run auth` to capture a fresh Cookie header via browser login, or call ck_set_session with the Cookie header from a signed-in creditkarma.com request.");
   }
   await ctx.client.refreshAccessToken();
 }
@@ -31298,13 +31399,15 @@ function registerSyncTools(server, ctx) {
     },
     async (args) => {
       const result = await handleSyncTransactions(args, ctx);
-      const text = typeof result === "string" ? result : JSON.stringify(result, null, 2);
-      return { content: [{ type: "text", text }] };
+      return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
     }
   );
 }
 
 // src/tools/query.ts
+function likePattern(value) {
+  return `%${value.replace(/[%_\\]/g, "\\$&")}%`;
+}
 async function handleListTransactions(args, ctx) {
   return queryTransactions(ctx.db, args);
 }
@@ -31347,15 +31450,15 @@ function buildWhere(filters) {
   }
   if (filters.account) {
     conditions.push("a.name LIKE ? ESCAPE '\\'");
-    params.push(`%${filters.account.replace(/[%_\\]/g, "\\$&")}%`);
+    params.push(likePattern(filters.account));
   }
   if (filters.category) {
     conditions.push("c.name LIKE ? ESCAPE '\\'");
-    params.push(`%${filters.category.replace(/[%_\\]/g, "\\$&")}%`);
+    params.push(likePattern(filters.category));
   }
   if (filters.merchant) {
     conditions.push("m.name LIKE ? ESCAPE '\\'");
-    params.push(`%${filters.merchant.replace(/[%_\\]/g, "\\$&")}%`);
+    params.push(likePattern(filters.merchant));
   }
   if (filters.status) {
     conditions.push("t.status = ?");
@@ -31390,7 +31493,7 @@ async function handleGetSpendingByCategory(args, ctx) {
   }
   if (args.account) {
     conditions.push("a.name LIKE ? ESCAPE '\\'");
-    params.push(`%${args.account.replace(/[%_\\]/g, "\\$&")}%`);
+    params.push(likePattern(args.account));
   }
   const where = `WHERE ${conditions.join(" AND ")}`;
   const rows = ctx.db.prepare(`
@@ -31419,7 +31522,7 @@ async function handleGetSpendingByMerchant(args, ctx) {
   }
   if (args.category) {
     conditions.push("c.name LIKE ? ESCAPE '\\'");
-    params.push(`%${args.category.replace(/[%_\\]/g, "\\$&")}%`);
+    params.push(likePattern(args.category));
   }
   const where = `WHERE ${conditions.join(" AND ")}`;
   const limit = args.limit ?? 25;
@@ -31594,10 +31697,6 @@ try {
   config2({ path: join3(__dirname, "..", ".env"), override: false, quiet: true });
 } catch {
 }
-function extractCookieValue3(cookieString, name) {
-  const match = cookieString.match(new RegExp(`(?:^|;\\s*)${name}=([^;]+)`));
-  return match ? match[1] : void 0;
-}
 async function main() {
   const dbPath = readVar("CK_DB_PATH") || join3(homedir(), ".creditkarma-mcp", "transactions.db");
   const mcpJsonPath = join3(__dirname, "..", ".mcp.json");
@@ -31605,18 +31704,21 @@ async function main() {
   let token;
   let refreshToken;
   if (cookies) {
-    const ckat = extractCookieValue3(cookies, "CKAT") ?? cookies.trim();
+    const ckat = extractCookieValue(cookies, "CKAT") ?? cookies.trim();
     const parts = ckat.replace("%3B", ";").split(";");
     token = parts[0]?.trim() || void 0;
     refreshToken = parts[1]?.trim() || void 0;
   }
+  if (refreshToken && isJwtExpired(refreshToken)) {
+    console.error("[creditkarma-mcp] Warning: refresh token in CK_COOKIES has expired. Run `npm run auth` (or call ck_set_session) to capture fresh credentials.");
+  }
   const ctx = {
     client: new CreditKarmaClient(token, refreshToken, cookies),
     db: initDb(dbPath),
     mcpJsonPath
   };
   const server = new McpServer(
-    { name: "creditkarma-mcp", version: "2.0.5" }
+    { name: "creditkarma-mcp", version: "2.0.7" }
   );
   registerAuthTools(server, ctx);
   registerSyncTools(server, ctx);

package/dist/client.js

@@ -73,7 +73,7 @@ export class CreditKarmaClient {
      */
     async refreshAccessToken() {
         if (!this.refreshToken)
-            throw new Error('NO_REFRESH_TOKEN: Call ck_login first.');
+            throw new Error('NO_REFRESH_TOKEN: Call ck_set_session first.');
         const headers = {
             'content-type': 'application/json',
             'Origin': 'https://www.creditkarma.com',
@@ -101,8 +101,15 @@ export class CreditKarmaClient {
             headers,
             body: JSON.stringify({ refreshToken: this.refreshToken })
         });
-        if (!res.ok)
-            throw new Error(`Token refresh failed: HTTP ${res.status}`);
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            const contentType = res.headers.get('content-type') ?? '';
+            const looksHtml = !contentType.includes('json') && /^\s*<(!doctype|html)/i.test(body);
+            const detail = looksHtml
+                ? '(non-JSON error page — refresh token likely expired or session invalid; re-run `npm run auth`)'
+                : (body.length > 200 ? body.slice(0, 200) + '…' : body || '(empty body)');
+            throw new Error(`Token refresh failed: HTTP ${res.status} — ${detail}`);
+        }
         const json = await res.json();
         if (json.error || !json.accessToken)
             throw new Error(`Token refresh error: ${json.error ?? 'no accessToken in response'}`);
@@ -128,16 +135,34 @@ export class CreditKarmaClient {
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
-function extractGlidFromJwt(token) {
+/** Decode the unverified JWT payload claims. Returns null if the token is not
+ *  a well-formed JWT. We never use this for authorization — only for reading
+ *  claims (exp, glid) on tokens we already trust. */
+export function decodeJwtPayload(token) {
     try {
-        const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString());
-        return payload.glid ?? null;
+        return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString());
     }
     catch {
         return null;
     }
 }
-function extractCookieValue(cookieString, name) {
+/** True only if we can decode the JWT and its `exp` claim is in the past.
+ *  Returns false for un-decodable strings (let the API decide) or tokens
+ *  without an `exp` claim. */
+export function isJwtExpired(token) {
+    const p = decodeJwtPayload(token);
+    if (!p || typeof p.exp !== 'number')
+        return false;
+    return p.exp * 1000 < Date.now();
+}
+function extractGlidFromJwt(token) {
+    const p = decodeJwtPayload(token);
+    const glid = p?.glid;
+    return typeof glid === 'string' ? glid : null;
+}
+/** Parse a single cookie value out of a Cookie header string. Exported so the
+ *  auth tool and bootstrap don't each maintain their own copy. */
+export function extractCookieValue(cookieString, name) {
     const match = cookieString.match(new RegExp(`(?:^|;\\s*)${name}=([^;]+)`));
     return match ? match[1] : null;
 }

package/dist/index.js

@@ -3,7 +3,7 @@ import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
 import { homedir } from 'os';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
-import { CreditKarmaClient } from './client.js';
+import { CreditKarmaClient, isJwtExpired, extractCookieValue } from './client.js';
 import { initDb } from './db.js';
 import { registerAuthTools } from './tools/auth.js';
 import { registerSyncTools } from './tools/sync.js';
@@ -36,15 +36,12 @@ try {
 catch {
     // not available — rely on process.env (mcpb sets credentials via mcp_config.env)
 }
-function extractCookieValue(cookieString, name) {
-    const match = cookieString.match(new RegExp(`(?:^|;\\s*)${name}=([^;]+)`));
-    return match ? match[1] : undefined;
-}
 async function main() {
     const dbPath = readVar('CK_DB_PATH') || join(homedir(), '.creditkarma-mcp', 'transactions.db');
     const mcpJsonPath = join(__dirname, '..', '.mcp.json');
     const cookies = readVar('CK_COOKIES') || undefined;
-    // Bootstrap tokens from CK_COOKIES: accepts raw CKAT, CKAT=<value>, or full cookie string
+    // Canonical CK_COOKIES is a full Cookie header. Parser stays lenient and
+    // also accepts a bare CKAT value or `CKAT=<value>` from legacy configs.
     let token;
     let refreshToken;
     if (cookies) {
@@ -53,12 +50,15 @@ async function main() {
         token = parts[0]?.trim() || undefined;
         refreshToken = parts[1]?.trim() || undefined;
     }
+    if (refreshToken && isJwtExpired(refreshToken)) {
+        console.error('[creditkarma-mcp] Warning: refresh token in CK_COOKIES has expired. Run `npm run auth` (or call ck_set_session) to capture fresh credentials.');
+    }
     const ctx = {
         client: new CreditKarmaClient(token, refreshToken, cookies),
         db: initDb(dbPath),
         mcpJsonPath
     };
-    const server = new McpServer({ name: 'creditkarma-mcp', version: '2.0.5' });
+    const server = new McpServer({ name: 'creditkarma-mcp', version: '2.0.7' });
     registerAuthTools(server, ctx);
     registerSyncTools(server, ctx);
     registerQueryTools(server, ctx);

package/dist/tools/auth.js

@@ -1,17 +1,23 @@
 import { z } from 'zod';
 import { readFileSync, writeFileSync, existsSync } from 'fs';
 import { join, dirname } from 'path';
+import { isJwtExpired, extractCookieValue } from '../client.js';
 export async function handleSetSession(args, ctx) {
-    // Accept three formats:
-    //   1. Raw CKAT value:      eyJ...%3BeyJ...  or  eyJ...;eyJ...
-    //   2. Full Cookie header:  CKTRKID=...; CKAT=eyJ...%3BeyJ...; ...
-    //   3. Key=value pair:      CKAT=eyJ...%3BeyJ...
+    // Canonical input is the full Cookie header from a signed-in creditkarma.com
+    // request (`CKTRKID=...; CKAT=eyJ...%3BeyJ...; ...`). The parser remains
+    // lenient and also accepts a bare CKAT value or `CKAT=<value>` for callers
+    // that lifted just the cookie value from DevTools.
     const ckat = extractCookieValue(args.cookies, 'CKAT') ?? args.cookies.trim();
     const parts = ckat.replace('%3B', ';').split(';');
     const accessToken = parts[0]?.trim();
     const refreshToken = parts[1]?.trim() ?? null;
     if (!accessToken)
         return 'Session not saved: could not extract a token from the provided value.';
+    // Refuse if the refresh JWT is already expired — saving stale credentials
+    // pollutes .env and produces confusing HTTP 400s from the refresh endpoint.
+    if (refreshToken && isJwtExpired(refreshToken)) {
+        return 'Session not saved: refresh token has already expired. Run `npm run auth` to capture fresh credentials via browser login.';
+    }
     ctx.client.setToken(accessToken);
     if (refreshToken)
         ctx.client.setRefreshToken(refreshToken);
@@ -21,10 +27,6 @@ export async function handleSetSession(args, ctx) {
         ? `Session saved. Warning: ${warning}`
         : 'Session saved. Access token, refresh token, and cookies stored.';
 }
-function extractCookieValue(cookieString, name) {
-    const match = cookieString.match(new RegExp(`(?:^|;\\s*)${name}=([^;]+)`));
-    return match ? match[1] : null;
-}
 /** Persist session to .env. Returns a warning string or null on success. */
 export function persistSession(cookies, mcpJsonPath) {
     if (!cookies)
@@ -45,7 +47,7 @@ export function persistSession(cookies, mcpJsonPath) {
         ? existing.replace(/^CK_COOKIES=.*/m, line)
         : existing + (existing.endsWith('\n') || existing === '' ? '' : '\n') + line + '\n';
     try {
-        writeFileSync(envPath, updated);
+        writeFileSync(envPath, updated, { mode: 0o600 });
     }
     catch {
         return '.env could not be written — session applied in memory only';
@@ -56,10 +58,10 @@ export function persistSession(cookies, mcpJsonPath) {
 export const persistTokens = persistSession;
 export function registerAuthTools(server, ctx) {
     server.registerTool('ck_set_session', {
-        description: 'Store a Credit Karma session to enable automatic token refresh. Accepts any of: (1) the raw CKAT cookie value, (2) the full Cookie header string from any creditkarma.com request, or (3) just "CKAT=<value>". Capture via `npm run auth` from the creditkarma-mcp repo, or find CKAT in Chrome DevTools \u2192 Application \u2192 Cookies \u2192 creditkarma.com.',
+        description: 'Store a Credit Karma session to enable automatic token refresh. Pass the full Cookie header from a signed-in creditkarma.com request (Chrome DevTools \u2192 Network \u2192 any creditkarma.com request \u2192 Request Headers \u2192 right-click the `cookie` header \u2192 Copy value). Capture via `npm run auth` from the creditkarma-mcp repo.',
         annotations: { readOnlyHint: false },
         inputSchema: {
-            cookies: z.string().describe('One of: raw CKAT value, full Cookie header string, or "CKAT=<value>"'),
+            cookies: z.string().describe('Full Cookie header from a signed-in creditkarma.com request (contains CKAT, CKTRKID, etc.)'),
         },
     }, async (args) => {
         const result = await handleSetSession(args, ctx);

package/dist/tools/query.js

@@ -1,4 +1,13 @@
 import { z } from 'zod';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Wrap a user-supplied string as a SQL LIKE pattern with `%`s on both sides
+ *  and the LIKE metacharacters (`%`, `_`, `\`) escaped. Pair with `ESCAPE '\'`
+ *  in the SQL fragment. */
+function likePattern(value) {
+    return `%${value.replace(/[%_\\]/g, '\\$&')}%`;
+}
 export async function handleListTransactions(args, ctx) {
     return queryTransactions(ctx.db, args);
 }
@@ -40,16 +49,16 @@ function buildWhere(filters) {
         params.push(filters.end_date);
     }
     if (filters.account) {
-        conditions.push('a.name LIKE ? ESCAPE \'\\\'');
-        params.push(`%${filters.account.replace(/[%_\\]/g, '\\$&')}%`);
+        conditions.push("a.name LIKE ? ESCAPE '\\'");
+        params.push(likePattern(filters.account));
     }
     if (filters.category) {
-        conditions.push('c.name LIKE ? ESCAPE \'\\\'');
-        params.push(`%${filters.category.replace(/[%_\\]/g, '\\$&')}%`);
+        conditions.push("c.name LIKE ? ESCAPE '\\'");
+        params.push(likePattern(filters.category));
     }
     if (filters.merchant) {
-        conditions.push('m.name LIKE ? ESCAPE \'\\\'');
-        params.push(`%${filters.merchant.replace(/[%_\\]/g, '\\$&')}%`);
+        conditions.push("m.name LIKE ? ESCAPE '\\'");
+        params.push(likePattern(filters.merchant));
     }
     if (filters.status) {
         conditions.push('t.status = ?');
@@ -83,8 +92,8 @@ export async function handleGetSpendingByCategory(args, ctx) {
         params.push(args.end_date);
     }
     if (args.account) {
-        conditions.push('a.name LIKE ? ESCAPE \'\\\'');
-        params.push(`%${args.account.replace(/[%_\\]/g, '\\$&')}%`);
+        conditions.push("a.name LIKE ? ESCAPE '\\'");
+        params.push(likePattern(args.account));
     }
     const where = `WHERE ${conditions.join(' AND ')}`;
     const rows = ctx.db.prepare(`
@@ -112,8 +121,8 @@ export async function handleGetSpendingByMerchant(args, ctx) {
         params.push(args.end_date);
     }
     if (args.category) {
-        conditions.push('c.name LIKE ? ESCAPE \'\\\'');
-        params.push(`%${args.category.replace(/[%_\\]/g, '\\$&')}%`);
+        conditions.push("c.name LIKE ? ESCAPE '\\'");
+        params.push(likePattern(args.category));
     }
     const where = `WHERE ${conditions.join(' AND ')}`;
     const limit = args.limit ?? 25;

package/dist/tools/sync.js

@@ -96,7 +96,7 @@ export async function handleSyncTransactions(args, ctx) {
 }
 async function refreshOrThrow(ctx) {
     if (!ctx.client.getRefreshToken()) {
-        throw new Error('TOKEN_EXPIRED: No valid token. Run `npm run auth` to capture a fresh Cookie header via browser login, or call ck_set_session with your CKAT cookie.');
+        throw new Error('TOKEN_EXPIRED: No valid token. Run `npm run auth` to capture a fresh Cookie header via browser login, or call ck_set_session with the Cookie header from a signed-in creditkarma.com request.');
     }
     await ctx.client.refreshAccessToken();
 }
@@ -124,7 +124,6 @@ export function registerSyncTools(server, ctx) {
         },
     }, async (args) => {
         const result = await handleSyncTransactions(args, ctx);
-        const text = typeof result === 'string' ? result : JSON.stringify(result, null, 2);
-        return { content: [{ type: 'text', text }] };
+        return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
     });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "creditkarma-mcp",
-  "version": "2.0.5",
+  "version": "2.0.7",
   "mcpName": "io.github.chrischall/creditkarma-mcp",
   "description": "MCP server for Credit Karma — natural-language access to your transactions, spending, and accounts",
   "author": "Claude Code (AI) <https://www.anthropic.com/claude>",

package/server.json

@@ -6,19 +6,19 @@
     "url": "https://github.com/chrischall/creditkarma-mcp",
     "source": "github"
   },
-  "version": "2.0.5",
+  "version": "2.0.7",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "creditkarma-mcp",
-      "version": "2.0.5",
+      "version": "2.0.7",
       "transport": {
         "type": "stdio"
       },
       "environmentVariables": [
         {
           "name": "CK_COOKIES",
-          "description": "Your Credit Karma Cookie header (run `npm run auth` to capture via browser login, or copy CKAT from DevTools)",
+          "description": "The Cookie header from a signed-in creditkarma.com request. Run `npm run auth` to capture via browser login, or copy from DevTools → Network → any creditkarma.com request → Request Headers.",
           "isRequired": false,
           "format": "string",
           "isSecret": true