Monday.com MCP
monday.com's official hosted remote MCP server (mcp.monday.com), the vendor-recommended path over the self-hosted local package. OAuth 2.0 Authorization Code Grant over Streamable HTTP. Exposes board/item/column tools plus a broad dynamic all_monday_api passthrough that can run any GraphQL query or mutation. Note: scores other than authentication are a provisional assessment from monday.com's documentation pending a live tool-level audit.
Score Breakdown
Server Info
- Package
- https://mcp.monday.com/mcp
- Registry
- remote
- Repository
- mondaycom/mcp
- Maintainer
- monday.comVendor
- Category
- Project Management
- Tags
- project-managementboardsworkflowshostedoauth
- Last Scanned
- 7 Apr 2026
Findings
4 issuesAuthentication & Identity
LOWImplements MCP OAuth spec for per-user authentication
Official monday.com-hosted remote MCP at https://mcp.monday.com/mcp. OAuth 2.0 Authorization Code Grant with monday.com as the identity provider; tokens are not stored or logged, and each user authorizes individually. Streamable HTTP transport. (The self-hosted local package still uses a MONDAY_TOKEN env var over stdio.)
Document the required OAuth scopes for each tool.
Tool Schema Quality
MEDIUMTool schemas not independently audited
The hosted server has no public source repository, so tool input schemas, required fields, and parameter constraints could not be verified directly. Provisional score pending a live tool-level audit.
Run a live audit against the hosted endpoint to enumerate and score tool schemas.
Permission Granularity
HIGHBroad generic API passthrough tool
Beyond scoped board/item tools, the server exposes a dynamic all_monday_api tool that can generate and execute any GraphQL query or mutation, widening the blast radius versus narrowly-scoped tools. This limits how tightly a platform can restrict capabilities.
Prefer narrowly-scoped tools; gate or disable the generic all_monday_api passthrough for least privilege.
Data Exposure
MEDIUMPagination and field selection not verified
Whether list operations paginate and support field selection could not be verified without a live audit of the hosted tool surface.
Audit list operations for pagination and field-selection support.
Deploy Monday.com MCP securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.
Deploy on CompleteFlow