BambooHR MCP Server

MCP server providing read-only access to BambooHR employee data, time off, goals, and company files

Overall Score71/100

Score Breakdown

Authentication & Identity1 finding↓0/25

Tool Schema Quality25/25

Permission Granularity20/20

LLM Safety15/15

Data Exposure10/10

Maintenance & Trust2 findings↓1/5

Server Info

Package: mcp-bamboohr
Registry: npm
Repository: evrimalacan/mcp-bamboohr
Maintainer: Community
Category: HR & People
Tags: hremployeestime-off
Last Scanned: 7 Apr 2026

Findings

3 issues

Authentication & Identity

HIGHNo per-request auth - requires instance-per-user

Stdio-only transport. Authentication via BambooHR API token passed as environment variable. No HTTP/SSE transport or MCP OAuth support. For multi-tenant deployment, the platform must spawn a separate server instance per user.

Remediation

Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.

Maintenance & Trust

LOWCommunity-maintained by Evrim Alacan

No official vendor backing.

Remediation

Seek vendor verification.

HIGH12 dependency vulnerabilities (1 critical, 6 high)

npm audit found 1 critical and 6 high severity CVEs.

Remediation

Run `npm audit fix` and update vulnerable dependencies.

Tools

10 total

Name	Description	Risk
get-employee	Get employee data with customizable field selection. Returns employee object with fields like displayName, firstName, lastName, jobTitle, department, division, location, supervisor, photoUrl, and many more based on the 'fields' parameter.	read
get-employee-photo	Get an employee photo by size	read
get-employee-directory	Get the company-wide employee directory. Returns array of employee objects with comprehensive information including displayName, jobTitle, department, division, location, supervisor, workEmail, photoUrl, and more.	read
get-employee-goals	Get performance goals and objectives for an employee. Returns goal objects with title, description, percentComplete, status, dueDate, milestones (for milestone-based goals), and progress tracking information.	read
estimate-time-off-balance	Calculate future time off balances for an employee. Returns array of time off types with current balance, units (days/hours), policyType (accruing/discretionary/manual), and usedYearToDate amounts.	read
get-time-off-requests	Retrieve and filter time off requests. Returns request objects with id, employeeId, status, start/end dates, request type, amount, available actions (approve/deny/etc.), and employee/manager notes. Supports extensive filtering.	read
get-whos-out	View upcoming time off and holidays for a date range. Returns array of mixed events: timeOff events (id, type, employeeId, name, start, end) and holiday events (id, type, name, start, end) with summary counts.	read
list-company-files	Browse available company files and categories. Returns organized structure with file categories, each containing files with id, name, originalFileName, size, dateCreated, and category information.	read
get-company-file	Download a specific company document by ID. Returns file data with base64-encoded content for binary files (PDFs, images, etc.) along with file size and metadata.	read
get-meta-fields	Discover all available BambooHR data fields. Returns array of field definitions with id, type (text/email/list/etc.), name, and optional alias. Essential for understanding what employee data fields can be requested.	read

Deploy BambooHR MCP Server securely

CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.

Deploy on CompleteFlow