Monday.com MCP
Official Monday.com MCP server providing comprehensive platform API tools for boards, items, documents, workspaces, dashboards, workforms, and app management
Server Info
- Package: @mondaydotcomorg/monday-api-mcp
- Registry: npm
- Repository: mondaycom/monday-ai
- Maintainer: Community
- Category: Project Management
- Tags: project-management, boards, workflows
- Last Scanned: 7 Apr 2026
Findings
7 issues
Authentication & Identity
HIGH: No per-request auth - requires instance-per-user
Stdio transport only. Requires a monday.com API token passed via MONDAY_API_TOKEN environment variable or --token CLI argument. The token is a personal API token or OAuth token from monday.com. No MCP OAuth implementation. Supports --read-only flag and tool mode selection (api/apps/atp). For multi-tenant deployment, the platform must spawn a separate server instance per user.
Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.
Tool Schema Quality
MEDIUM: Only 1 of 68 schemas has parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICAL: Dangerous execution surface: all_monday_api accepts arbitrary GraphQL queries/mutations that can modify any monday.com data
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
Permission Granularity
MEDIUM: 10 tools combine read and write operations
Tools are typed as ToolType.READ, ToolType.WRITE, or ToolType.ALL_API in source code. The server supports readOnlyMode, which filters to READ tools only. The all_monday_api tool (ALL_API type) is the main dangerous surface, as it can execute arbitrary GraphQL. Tool filtering is available via include/exclude and enableDynamicApiTools configuration. The 10 'mixed' tools noted above are ALL_API type tools (all_monday_api, get_graphql_schema, get_type_details), which can perform both read and write operations.
Split into separate read and write tools.
HIGH: 1 destructive operation not isolated
Admin/delete tools are mixed with regular operations and cannot be independently disabled.
Namespace admin tools separately for independent access control.
LLM Safety
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM: 5 list operations lack pagination
get_board_items_page supports cursor-based pagination with limit parameter. list_workspaces, list_users_and_teams, get_updates, and various list tools lack explicit pagination. The all_monday_api tool supports field selection through GraphQL query construction. Board data tools return structured data rather than full raw API responses.
Add limit/offset or cursor-based pagination.
Tools
68 total

| Name | Description | Risk |
|---|---|---|
| get_board_info | Get information about a monday.com board | read |
| get_board_schema | Get the schema of a monday.com board | read |
| get_board_items_page | Get items from a board with pagination and filtering support | read |
| get_full_board_data | Get full board data from a monday.com board | read |
| board_insights | Get insights and analytics for a monday.com board | read |
| get_board_activity | Get activity log for a board | read |
| create_board | Create a new monday.com board | write |
| create_item | Create a new item on a monday.com board | write |
| change_item_column_values | Change column values for an item | write |
| delete_item | Delete an item from a board | write |
| move_item_to_group | Move an item to a different group | write |
| create_column | Create a new column on a board | write |
| delete_column | Delete a column from a board | write |
| get_column_type_info | Get information about a column type | read |
| create_group | Create a new group on a board | write |
| create_update | Create an update (comment) on an item | write |
| create_update_in_monday | Create an update in monday.com (UI variant) | write |
| get_updates | Get updates (comments) for an item | read |
| list_workspaces | List all workspaces in the account | read |
| workspace_info | Get information about a workspace | read |
| create_workspace | Create a new workspace | write |
| update_workspace | Update a workspace | write |
| list_users_and_teams | List users and teams in the account | read |
| get_user_context | Get context about the current user | read |
| search | Search across monday.com | read |
| create_doc | Create a new document | write |
| read_docs | Read document contents | read |
| update_doc | Update a document | write |
| add_content_to_doc | Add content to a document | write |
| create_dashboard | Create a new dashboard | write |
| create_widget | Create a widget on a dashboard | write |
| all_widgets_schema | Get all widget schemas for dashboards | read |
| create_timeline_item | Create a timeline item | write |
| create_notification | Create a notification | write |
| create_folder | Create a folder | write |
| update_folder | Update a folder | write |
| move_object | Move a board or folder to a different location | write |
| create_view | Create a board view | write |
| update_assets_on_item | Update file assets on an item | write |
| undo_action | Undo a previous action | write |
| manage_tools | Manage which tools are available | read |
| fetch_custom_activity | Fetch custom activity data | read |
| create_custom_activity | Create a custom activity | write |
| get_notetaker_meetings | Get notetaker meeting records | read |
| get_form | Get a workform | read |
| create_form | Create a workform | write |
| update_form | Update a workform | write |
| form_questions_editor | Edit form questions | write |
| all_monday_api | Execute any monday.com API operation by generating GraphQL queries and mutations dynamically. | admin |
| get_graphql_schema | Get the monday.com GraphQL schema | read |
| get_type_details | Get details about a GraphQL type | read |
| get_monday_dev_sprints_boards | Get sprint boards for monday dev | read |
| get_sprints_metadata | Get sprint metadata | read |
| get_sprint_summary | Get sprint summary | read |
| monday_apps_get_all_apps | Get all apps in the account | read |
| monday_apps_create_app | Create a new monday.com app | write |
| monday_apps_promote_app | Promote an app version | write |
| monday_apps_get_app_versions | Get app versions | read |
| monday_apps_get_app_version | Get a specific app version | read |
| monday_apps_get_app_features | Get app features | read |
| monday_apps_get_app_feature_schema | Get app feature schema | read |
| monday_apps_create_app_feature | Create an app feature | write |
| monday_apps_get_deployment_status | Get deployment status for an app | read |
| monday_apps_set_environment_variable | Set an environment variable for a monday code deployment | write |
| monday_apps_list_environment_variable_keys | List environment variable keys for a deployment | read |
| monday_apps_search_storage_records | Search storage records for an app | read |
| monday_apps_export_storage_data | Export storage data for an app | read |
| monday_apps_get_development_context | Get app development context and guidance | read |