Core documentation content is fully readable without JavaScript. The table of contents, assistant, and some copy buttons enhance the experience but are not required.

Reviewer test instructions

For Anthropic Connectors Directory and OpenAI Apps SDK reviewers evaluating Zephex.

Quick facts

MCP endpoint	`https://zephex.dev/mcp`
Auth type	OAuth 2.0 (Anthropic-held credentials for Directory)
Authorization server	`https://zephex.us.auth0.com`
Tool count	10 tools, all read-only
Protocol version	`2025-11-25`
Egress allowlist	Not needed — both `zephex.dev` and Auth0 are fully public

Test account

Test credentials are shared securely via the submission form attachment. The reviewer email is anthropicreviewer-zephex@inbox.testmail.app (Pro tier, active subscription, no Stripe charges). Password and pre-provisioned API key are in the secure attachment.

Step-by-step OAuth test

1. In Claude.ai (web/Desktop/mobile), open Settings → Connectors → Add custom connector.
2. Enter URL: https://zephex.dev/mcp
3. Click Connect. Browser opens to https://zephex.us.auth0.com/u/login.
4. Sign in with the reviewer email and shared password.
5. Approve scopes (mcp:read mcp:write).
6. You're returned to Claude with the connector connected.

Tool tests (all should succeed)

audit_headers

Prompt: "Use audit_headers on https://example.com"
Expected: A+ to F security grade, list of headers, fix snippets.

check_package

Prompt: "Use check_package to verify that 'react' exists on npm"
Expected: { exists: true, deprecated: false, latest_version: "19.x.x" }

audit_package

Prompt: "Use audit_package on react with task: security"
Expected: CVE advisories list (real GHSA data) and security_status.

Zephex_dev_info

Prompt: "Use Zephex_dev_info to search for OAuth refresh tokens"
Expected: Either a knowledge base article result or a graceful "no entry found" message.

keep_thinking

Prompt: "Use keep_thinking with thought: 'Test reasoning step', thoughtNumber 1, totalThoughts 1, nextThoughtNeeded false, confidence 0.9, thoughtType observation, goalAnchor 'verify tool works'"
Expected: { thoughtConfirmed: "[1/1] Test reasoning step", shouldContinue: false }

Project tools (get_project_context, scope_task, read_code, find_code, explain_architecture)

These read project files. From hosted Claude, pass inline_files (a JSON object mapping relative paths to file contents) or a GitHub URL like github:vercel/next.js.
Example prompt: "Use get_project_context with this package.json: {"name":"test","dependencies":{"express":"^4.18.0"}}"
Expected: detected stack ("JavaScript / Express / Node.js"), dev_command, entry_point.

Spec compliance

✅ MCP 2025-11-25 protocol
✅ RFC 9728 Protected Resource Metadata at /.well-known/oauth-protected-resource
✅ RFC 8414 Authorization Server Metadata at /.well-known/oauth-authorization-server
✅ OIDC Discovery 1.0 at /.well-known/openid-configuration
✅ PKCE S256 supported
✅ Token endpoint accepts application/x-www-form-urlencoded
✅ Refresh token rotation enabled (Auth0 setting)
✅ WWW-Authenticate header on 401 with realm, resource_metadata, scope
✅ All 10 tools have title + readOnlyHint: true + destructiveHint: false
✅ Origin header validation enforced (allowlist: claude.ai, claude.com, chatgpt.com, platform.openai.com, zephex.dev)
✅ HTTPS / TLS 1.3 only (HSTS preloaded)

Questions during review? support@zephex.dev

Was this page helpful?

Reviewer test instructions

For Anthropic Connectors Directory and OpenAI Apps SDK reviewers evaluating Zephex.

Quick facts

MCP endpoint	`https://zephex.dev/mcp`
Auth type	OAuth 2.0 (Anthropic-held credentials for Directory)
Authorization server	`https://zephex.us.auth0.com`
Tool count	10 tools, all read-only
Protocol version	`2025-11-25`
Egress allowlist	Not needed — both `zephex.dev` and Auth0 are fully public

Test account

Step-by-step OAuth test

1. In Claude.ai (web/Desktop/mobile), open Settings → Connectors → Add custom connector.
2. Enter URL: https://zephex.dev/mcp
3. Click Connect. Browser opens to https://zephex.us.auth0.com/u/login.
4. Sign in with the reviewer email and shared password.
5. Approve scopes (mcp:read mcp:write).
6. You're returned to Claude with the connector connected.

Tool tests (all should succeed)

audit_headers

Prompt: "Use audit_headers on https://example.com"
Expected: A+ to F security grade, list of headers, fix snippets.

check_package

Prompt: "Use check_package to verify that 'react' exists on npm"
Expected: { exists: true, deprecated: false, latest_version: "19.x.x" }

audit_package

Prompt: "Use audit_package on react with task: security"
Expected: CVE advisories list (real GHSA data) and security_status.

Zephex_dev_info

Prompt: "Use Zephex_dev_info to search for OAuth refresh tokens"
Expected: Either a knowledge base article result or a graceful "no entry found" message.

keep_thinking

Project tools (get_project_context, scope_task, read_code, find_code, explain_architecture)

Spec compliance

✅ MCP 2025-11-25 protocol
✅ RFC 9728 Protected Resource Metadata at /.well-known/oauth-protected-resource
✅ RFC 8414 Authorization Server Metadata at /.well-known/oauth-authorization-server
✅ OIDC Discovery 1.0 at /.well-known/openid-configuration
✅ PKCE S256 supported
✅ Token endpoint accepts application/x-www-form-urlencoded
✅ Refresh token rotation enabled (Auth0 setting)
✅ WWW-Authenticate header on 401 with realm, resource_metadata, scope
✅ All 10 tools have title + readOnlyHint: true + destructiveHint: false
✅ Origin header validation enforced (allowlist: claude.ai, claude.com, chatgpt.com, platform.openai.com, zephex.dev)
✅ HTTPS / TLS 1.3 only (HSTS preloaded)

Reviewer test instructions

Quick facts

Test account

Step-by-step OAuth test

Tool tests (all should succeed)

Spec compliance

Quick Links

API Reference

Troubleshooting

Community

Plugins

Pricing

Reviewer test instructions

Quick facts

Test account

Step-by-step OAuth test

Tool tests (all should succeed)

Spec compliance