auth-fetch-mcp
Health Warn
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Fail
- fs module — File system access in demo/record-demo.js
- execSync — Synchronous shell command execution in src/browser.ts
- process.env — Environment variable access in src/browser.ts
- process.env — Environment variable access in src/tools.ts
Permissions Pass
- Permissions — No dangerous permissions requested
This tool acts as an MCP server allowing AI assistants to fetch content from web pages that require authentication. It opens a real browser window for the user to manually log in, then captures the page's HTML and downloads media using the authenticated session.
Security Assessment
The tool processes highly sensitive data, specifically your browser session cookies and environment variables. While this is necessary to maintain logged-in states, the code relies on synchronous shell command execution (`execSync`) within the browser management module. This is a significant security liability because if an attacker manipulates the input or environment, it could lead to arbitrary command execution on your system. Additionally, it accesses the file system to save sessions and makes active network requests. There are no hardcoded secrets, but the combination of arbitrary network fetching, local cookie storage, and unsafe shell execution elevates the overall risk to High.
Quality Assessment
The project is actively maintained, with repository activity as recent as today. It is properly licensed under the standard MIT license. However, community visibility and trust are extremely low, currently sitting at only 5 GitHub stars. It is a relatively young and untested tool in the broader developer ecosystem, meaning bugs and security vulnerabilities are more likely to go unnoticed.
Verdict
Not recommended due to unsafe synchronous shell execution and high handling of sensitive session data with minimal community oversight.
MCP server that lets AI assistants fetch content from authenticated web pages.
auth-fetch-mcp
MCP server that lets AI assistants fetch content from authenticated web pages.
When your AI tries to read a URL that requires login, this tool opens a real browser for you to sign in — then captures the page content as cleaned HTML. Sessions are saved locally, so you only log in once per service.
Demo
Quick Start
Claude Code
claude mcp add --scope user auth-fetch -- npx auth-fetch-mcp@latest
.mcp.json (Cursor, Windsurf, etc.)
{
"mcpServers": {
"auth-fetch": {
"command": "npx",
"args": ["auth-fetch-mcp@latest"]
}
}
}
Chromium is auto-installed on first run if not already present.
How It Works
- Ask your AI to read any authenticated page — just paste the URL.
- A browser window opens automatically and navigates to the page.
- Log in as you normally would (supports SSO, 2FA, CAPTCHA — anything).
- Click the "📸 Capture" button in the bottom-right corner when ready.
- The page content is captured as cleaned HTML (noise elements stripped, media tags preserved), the browser closes, and your AI receives the content.
Tools
auth_fetch
The primary tool. Fetches page content using a real browser, opening a window for login if needed. Returns cleaned HTML with noise elements (nav, footer, scripts, etc.) stripped and media tags (<img>, <video>, <iframe>) preserved.
| Parameter | Type | Required | Description |
|---|---|---|---|
url |
string | yes | The URL to fetch content from |
wait_for |
string | no | CSS selector to wait for before capturing (useful for SPAs) |
download_media
Downloads files from URLs using saved browser sessions. Use this to lazily download images, videos, or other files found in auth_fetch results. The browser's saved cookies handle authentication automatically — no need to log in again.
| Parameter | Type | Required | Description |
|---|---|---|---|
urls |
string[] | yes | One or more URLs to download |
output_dir |
string | no | Directory to save files to (defaults to ~/.auth-fetch-mcp/downloads/<timestamp>/) |
Example flow:
1. auth_fetch("https://notion.so/my-page")
→ Returns HTML with <img src="https://s3.notion.so/signed-url..."/> tags
2. AI reads the HTML, identifies an image it needs
3. download_media(["https://s3.notion.so/signed-url..."])
→ Downloads the image using saved session cookies
→ Returns { localPath: "~/.auth-fetch-mcp/downloads/.../file-1.png" }
list_pages
Lists all open tabs in the browser with their URLs and titles.
close_browser
Closes the browser window. Login sessions are saved and will be reused next time.
Data Storage
All data is stored locally under ~/.auth-fetch-mcp/. Nothing is sent to external servers.
| What | Where | When | Persistent? |
|---|---|---|---|
| Browser sessions (cookies, local storage) | ~/.auth-fetch-mcp/browser-data/ |
After first login | Yes — reused across restarts |
| Downloaded media files | ~/.auth-fetch-mcp/downloads/<timestamp>/ |
Only when download_media is called |
Yes — stays until you delete it |
| Captured page content (HTML) | Not saved to disk | Passed directly to AI via stdio | No — exists only in the AI's context |
To clear all data:
# Clear login sessions only
rm -rf ~/.auth-fetch-mcp/browser-data/
# Clear downloaded files only
rm -rf ~/.auth-fetch-mcp/downloads/
# Clear everything
rm -rf ~/.auth-fetch-mcp/
Supported AI Tools
- Claude Code
- Cursor
- Windsurf
- Any MCP-compatible client using stdio transport
Limitations
- Requires a local environment (does not work in web-based chat interfaces)
- First access to each service requires manual login
- Very long pages are truncated to fit LLM context windows (100K chars)
- Some sites with aggressive bot detection may not work (try the
wait_foroption)
Privacy
- All data stays on your machine — nothing is sent to external servers
- Captured HTML is never written to disk — it only passes through the stdio pipe to the AI tool
- Browser sessions are stored locally as a standard Chromium profile
- Downloaded files go to a local directory you control
Contributing
Contributions are welcome! Please open an issue or submit a pull request.
git clone https://github.com/ymw0407/auth-fetch-mcp.git
cd auth-fetch-mcp
npm install
npm run build
License
MIT
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found