C

Monday.com MCP

monday.com's official hosted remote MCP server (mcp.monday.com), the vendor-recommended path over the self-hosted local package. OAuth 2.0 Authorization Code Grant over Streamable HTTP. Exposes board/item/column tools plus a broad dynamic all_monday_api passthrough that can run any GraphQL query or mutation. Note: scores other than authentication are a provisional assessment from monday.com's documentation pending a live tool-level audit.

Overall Score69/100

Score Breakdown

Server Info

Package
https://mcp.monday.com/mcp
Registry
remote
Repository
mondaycom/mcp
Maintainer
monday.comVendor
Category
Project Management
Tags
project-managementboardsworkflowshostedoauth
Last Scanned
7 Apr 2026

Findings

4 issues

Authentication & Identity

LOWImplements MCP OAuth spec for per-user authentication

Official monday.com-hosted remote MCP at https://mcp.monday.com/mcp. OAuth 2.0 Authorization Code Grant with monday.com as the identity provider; tokens are not stored or logged, and each user authorizes individually. Streamable HTTP transport. (The self-hosted local package still uses a MONDAY_TOKEN env var over stdio.)

Remediation

Document the required OAuth scopes for each tool.

Tool Schema Quality

MEDIUMTool schemas not independently audited

The hosted server has no public source repository, so tool input schemas, required fields, and parameter constraints could not be verified directly. Provisional score pending a live tool-level audit.

Remediation

Run a live audit against the hosted endpoint to enumerate and score tool schemas.

Permission Granularity

HIGHBroad generic API passthrough tool

Beyond scoped board/item tools, the server exposes a dynamic all_monday_api tool that can generate and execute any GraphQL query or mutation, widening the blast radius versus narrowly-scoped tools. This limits how tightly a platform can restrict capabilities.

Remediation

Prefer narrowly-scoped tools; gate or disable the generic all_monday_api passthrough for least privilege.

Data Exposure

MEDIUMPagination and field selection not verified

Whether list operations paginate and support field selection could not be verified without a live audit of the hosted tool surface.

Remediation

Audit list operations for pagination and field-selection support.

Deploy Monday.com MCP securely

CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.

Deploy on CompleteFlow