API Documentation

Query trust scores, scan results, and security intelligence programmatically. All public endpoints are free and require no authentication.

Base URL

https://api.ledger.ultra.security

Authentication

Public endpoints require no authentication and are rate-limited to 100 requests/minute per IP. For higher limits (1,000 req/min), include an API key:

X-API-Key: your-api-key

Webhook and alert management endpoints require an API key.

Response Format

All responses are JSON. List endpoints return paginated responses:

{
  "data": [...],
  "total": 100,
  "page": 1,
  "per_page": 20,
  "has_more": true
}

Errors return a consistent shape:

{ "error": "message", "code": "ERROR_CODE" }

Rate Limiting

Rate limit headers are included in every response:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 98
X-RateLimit-Reset: 1710000000

Endpoints 26

GET /v1/servers

List all indexed MCP servers

Params: page, per_page, sort (score|stars|updated_at|name), order (asc|desc), status, tags
GET /v1/servers/:slug

Get full server detail including tools, permissions, and trust score

GET /v1/servers/:slug/score

Get current trust score with breakdown

GET /v1/servers/:slug/versions

List all versions of a server

GET /v1/servers/:slug/versions/:version

Get a specific version

GET /v1/servers/:slug/diff/:v1/:v2

Get diff between two versions

GET /v1/servers/:slug/scans

List scan results

GET /v1/servers/:slug/scans/latest

Get latest scan result

GET /v1/servers/:slug/provenance

Get provenance / audit trail

POST /v1/servers/scores/batch

Batch fetch trust scores (max 100 slugs)

Body: { "slugs": ["server-a", "server-b"] }
GET /v1/authors/:id

Get author profile and their servers

GET /v1/registries

List all known MCP registries

GET /v1/registries/:slug

Get registry profile

GET /v1/transparency/entries

Browse transparency log entries

Params: page, per_page
GET /v1/transparency/verify/:ref

Verify an attestation reference

GET /v1/feed

Get recent events as JSON

Params: severity, limit
GET /feed.xml

RSS feed of security events

GET /feed.atom

Atom feed of security events

GET /badge/:slug.svg

Embeddable trust score badge

Params: style (flat|flat-square), label
POST /v1/webhooks auth

Create webhook subscription

Body: { "url": "...", "events": ["score_change", "new_flag", "version_released"] }
GET /v1/webhooks auth

List your webhook subscriptions

DELETE /v1/webhooks/:id auth

Delete a webhook subscription

POST /v1/alerts/subscribe auth

Subscribe to server alerts

Body: { "server_slug": "...", "channel": "email|slack", "destination": "..." }
GET /v1/alerts/subscriptions auth

List your alert subscriptions

DELETE /v1/alerts/subscriptions/:id auth

Delete an alert subscription

CLI

Check any MCP server from the command line:

npx ultra-ledger check @modelcontextprotocol/filesystem

# JSON output
npx ultra-ledger check @modelcontextprotocol/filesystem --json

Badges

Embed trust score badges in your README:

![Trust Score](https://api.ledger.ultra.security/badge/your-server-slug.svg)