MCP security profile

SEC Filing MCP Security Profile

A machine-readable and human-readable trust profile for the hosted SEC Filing MCP server. Public setup calls are separated from production data tools, and production tool calls require a buyer-controlled Data APIs key.

Public no-key setup | API-key production boundary | Read-only public SEC data | No OAuth DCR | No trading or account writes
/.well-known/mcp-security.json
{
  "name": "SEC Event Intelligence MCP Security Profile",
  "product": "SEC Event Intelligence API",
  "mcpUrl": "https://api.data-apis.com/mcp",
  "version": "0.1.10",
  "profileUrl": "https://api.data-apis.com/mcp/security",
  "wellKnownUrl": "https://api.data-apis.com/.well-known/mcp-security.json",
  "serverManifestUrl": "https://api.data-apis.com/server.json",
  "officialRegistryName": "com.data-apis.api/sec-event-intelligence",
  "officialRegistryUrl": "https://registry.modelcontextprotocol.io/v0/servers?search=com.data-apis.api%2Fsec-event-intelligence",
  "transport": "streamable-http",
  "authentication": {
    "publicMethods": [
      "initialize",
      "tools/list",
      "prompts/list",
      "prompts/get"
    ],
    "publicTools": [
      "sec_demo_latest_filings",
      "sec_subscription_info"
    ],
    "productionToolCallsRequire": [
      "x-api-key",
      "Authorization: Bearer"
    ],
    "oauthDynamicClientRegistration": false,
    "credentialPlacement": "HTTP request headers only"
  },
  "securityControls": [
    {
      "name": "Public setup boundary",
      "scope": "initialize, tools/list, prompts/list, prompts/get, sec_demo_latest_filings, and sec_subscription_info are available without credentials for setup checks.",
      "credentialRequired": false
    },
    {
      "name": "Production API-key boundary",
      "scope": "Production SEC data-returning tools/call requests require a Data APIs key sent as x-api-key or Authorization: Bearer.",
      "credentialRequired": true
    },
    {
      "name": "Read-only public-data tools",
      "scope": "Tools return public SEC EDGAR filing metadata only. The hosted server does not write filings, trade securities, move money, or modify buyer accounts.",
      "credentialRequired": false
    },
    {
      "name": "No OAuth dynamic registration",
      "scope": "The hosted remote MCP server does not expose OAuth dynamic client registration. Production access uses scoped API keys.",
      "credentialRequired": false
    },
    {
      "name": "Evaluation before credentials",
      "scope": "Use the evaluation workflow and curl runner to test public MCP discovery, prompt, demo, and subscription-info calls before sending production credentials.",
      "credentialRequired": false
    }
  ],
  "toolBoundaries": {
    "readOnly": true,
    "publicDataSource": "SEC EDGAR",
    "writesExternalSystems": false,
    "tradesSecurities": false,
    "movesMoney": false,
    "modifiesBuyerAccounts": false,
    "investmentAdvice": false
  },
  "publicEvaluation": {
    "workflowUrl": "https://api.data-apis.com/downloads/sec-event-intelligence-mcp-evaluation-workflow.json",
    "curlScriptUrl": "https://api.data-apis.com/downloads/sec-event-intelligence-mcp-evaluation-curl.sh",
    "promptPayloadUrls": {
      "promptsList": "https://api.data-apis.com/downloads/sec-event-intelligence-mcp-prompts-list.json",
      "tryDemoPrompt": "https://api.data-apis.com/downloads/sec-event-intelligence-mcp-try-demo-prompt.json",
      "watchlistPrompt": "https://api.data-apis.com/downloads/sec-event-intelligence-mcp-watchlist-prompt.json"
    },
    "recommendedOrder": [
      "initialize",
      "tools/list",
      "prompts/list",
      "prompts/get sec_mcp_try_demo",
      "tools/call sec_demo_latest_filings",
      "tools/call sec_subscription_info"
    ]
  },
  "buyerHandoff": {
    "accessPageUrl": "https://api.data-apis.com/mcp/access",
    "pricingUrl": "https://api.data-apis.com/pricing",
    "rapidapiRestSubscribeUrl": "https://rapidapi.com/autoearnapi/api/sec-event-intelligence",
    "hostedMcpAccessRequestUrl": "https://api.data-apis.com/subscribe",
    "supportEmail": "api@data-apis.com"
  },
  "usageBoundary": "Data infrastructure only. The MCP server returns public SEC filing metadata and does not provide investment advice, ratings, recommendations, buy/sell signals, or personalized financial guidance."
}

Authentication boundary

MCP discovery methods and setup tools are public so clients can verify connectivity before sending credentials. Production SEC data tools require x-api-key or Authorization: Bearer.
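The boundary described above can be enforced on the client side so that a key is never attached to a setup call or sent anywhere other than the published endpoint. This is an added example, not code from Data APIs: the function names `needs_credential` and `build_headers` are hypothetical, the embedded profile is an excerpt constructed from the fields shown on this page, and it assumes the key is sent as `x-api-key` rather than as a Bearer token.

```python
import json
from urllib.parse import urlsplit


# Constructed excerpt of the profile shown above (fields copied from the page).
PROFILE = json.loads("""
{
  "mcpUrl": "https://api.data-apis.com/mcp",
  "authentication": {
    "publicMethods": ["initialize", "tools/list", "prompts/list", "prompts/get"],
    "publicTools": ["sec_demo_latest_filings", "sec_subscription_info"],
    "productionToolCallsRequire": ["x-api-key", "Authorization: Bearer"],
    "oauthDynamicClientRegistration": false,
    "credentialPlacement": "HTTP request headers only"
  }
}
""")


def needs_credential(profile, rpc):
    """True only for tools/call on a tool outside the public setup boundary."""
    auth = profile["authentication"]
    method = rpc.get("method")
    if method in auth["publicMethods"]:
        return False
    if method == "tools/call":
        tool = rpc.get("params", {}).get("name")
        if not tool:
            raise ValueError("tools/call without a tool name")
        return tool not in auth["publicTools"]
    # Method not described by the profile: fail closed instead of guessing.
    raise ValueError(f"method not covered by profile: {method!r}")


def build_headers(profile, url, rpc, api_key):
    """Return request headers, attaching the key only where the profile requires it."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, text/event-stream"}
    if not needs_credential(profile, rpc):
        return headers
    want, got = urlsplit(profile["mcpUrl"]), urlsplit(url)
    if got.scheme != "https" or (got.hostname, got.path) != (want.hostname, want.path):
        raise ValueError("refusing to send API key to a URL other than mcpUrl")
    if got.query or got.fragment:
        raise ValueError("credentials go in headers only; URL must carry no query")
    if not api_key:
        raise ValueError("production tool call requires a Data APIs key")
    headers["x-api-key"] = api_key
    return headers
```

Calling `build_headers` for every outgoing JSON-RPC request keeps the public evaluation calls credential-free and makes a misconfigured endpoint URL fail before the key leaves the client.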

Tool scope

The MCP server exposes read-only data infrastructure for public SEC filing metadata. It does not trade securities, move money, write filings, modify buyer accounts, or provide investment advice.