
Registry criteria

The ToolHive registry is a curated, community-auditable list of MCP servers that meet clear, observable, and objective criteria. The criteria for adding an MCP server to the ToolHive registry are:

Heuristics

Open source requirements

  • Must be fully open source with no exceptions
  • Source code must be publicly accessible
  • Must use an acceptable open source license (see Acceptable licenses below)

Security

  • Software provenance verification (Sigstore, GitHub Attestations)
  • SLSA compliance level assessment
  • Pinned dependencies and GitHub Actions (actions pinned to a full commit SHA rather than a mutable tag or branch)
  • Published Software Bill of Materials (SBOMs)
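The pinning heuristic above is easy to check mechanically. The following script is an added example, not ToolHive's own tooling: it scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-hex commit SHA (tags and branches are mutable and can be retargeted after review) and a Dockerfile for `FROM` lines that are not pinned by digest. The workflow and Dockerfile texts are constructed inline, and the SHA and digest in them are placeholder values, not real commits or images.

```python
import re

# `uses:` lines in a GitHub Actions workflow; the value may be quoted and may
# carry a trailing "# vX.Y.Z" comment, which we deliberately do not trust.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
# Only a full 40-hex commit SHA counts as a pin; short SHAs and tags do not.
FULL_SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')
# `FROM [--platform=...] image[:tag][@sha256:...] [AS name]` in a Dockerfile.
FROM_RE = re.compile(r'^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)', re.IGNORECASE)


def check_action_ref(ref):
    """Return None if `ref` is acceptably pinned, otherwise a reason string."""
    if ref.startswith('./'):
        return None  # local action in the same repo; reviewed with the repo itself
    if ref.startswith('docker://'):
        image = ref[len('docker://'):]
        return None if '@sha256:' in image else 'docker action not pinned by digest'
    if '@' not in ref:
        return 'no ref at all (resolves to the default branch at run time)'
    _, version = ref.rsplit('@', 1)
    if FULL_SHA_RE.match(version):
        return None
    return f'pinned to mutable ref {version!r} instead of a full commit SHA'


def find_unpinned_actions(workflow_text):
    """Return (line_number, ref, reason) for every unpinned `uses:` entry."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        reason = check_action_ref(ref)
        if reason:
            findings.append((lineno, ref, reason))
    return findings


def find_unpinned_base_images(dockerfile_text):
    """Return (line_number, image, reason) for every FROM not pinned by digest."""
    findings = []
    stages = set()  # aliases from earlier `FROM ... AS name` lines
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image = m.group(1)
        alias = re.search(r'\sAS\s+(\S+)', line, re.IGNORECASE)
        if alias:
            stages.add(alias.group(1))
        if image in stages or image == 'scratch':
            continue  # references an earlier build stage or the empty image
        if '@sha256:' not in image:
            findings.append((lineno, image, 'base image not pinned by digest'))
    return findings


# Constructed sample inputs; the SHA and digest below are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""

SAMPLE_DOCKERFILE = """\
FROM golang:1.22@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS builder
WORKDIR /src
RUN go build -o /out/server .
FROM gcr.io/distroless/static:nonroot
COPY --from=builder /out/server /server
ENTRYPOINT ["/server"]
"""

if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow:{lineno}: {ref}: {reason}")
    for lineno, image, reason in find_unpinned_base_images(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{lineno}: {image}: {reason}")
```

On the sample input the checker flags `actions/setup-node@v4` and `some-org/some-action@main` (mutable refs), the undigested `docker://alpine:3.20` action, and the distroless base image, while accepting the SHA-pinned checkout step, the local action, and the digest-pinned builder stage. The trailing `# v4` comment is ignored on purpose: it documents intent but is not what the runner fetches.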

Continuous integration

  • Automated dependency updates (Dependabot, Renovate, etc.)
  • Automated security scanning
  • CVE monitoring
  • Code linting and quality checks

Repository metrics

  • Repository stars and forks
  • Commit frequency and recency
  • Contributor activity
  • Issue and pull request statistics

API compliance

  • Full MCP API specification support
  • Implementation of all required endpoints (tools, resources, etc.)
  • Protocol version compatibility

Tool stability

  • Version consistency
  • Breaking change frequency
  • Backward compatibility maintenance

Code quality

  • Presence of automated tests
  • Test coverage percentage
  • Quality CI/CD implementation
  • Code review practices

Documentation

  • Basic project documentation
  • API documentation
  • Deployment and operation guides
  • Regular documentation updates

Release process

  • Established CI-based release process
  • Regular release cadence
  • Semantic versioning compliance
  • Maintained changelog

Community health

Responsiveness

  • Active maintainer engagement
  • Regular commit activity
  • Timely issue and pull request responses (an issue left open for 3-4 weeks without a response is a red flag)
  • Bug resolution rate
  • User support quality

Community strength

  • Project backing (individual vs. organizational)
  • Number of active maintainers
  • Contributor diversity
  • Corporate or foundation support
  • Governance model maturity

Security requirements

Authentication and authorization

  • Secure authentication mechanisms
  • Proper authorization controls
  • Standard security protocol support (OAuth, TLS)

Data protection

  • Encryption for data in transit and at rest
  • Proper sensitive information handling

Security practices

  • Clear incident response channels
  • Security issue reporting mechanisms (security contact email, GitHub Security Advisories (GHSA), etc.)

Future considerations

Automated vs manual checks

  • Balance between automated checks (e.g., CI/CD, security scans) and manual reviews (e.g., community health, documentation quality)
  • Automated checks for basic compliance (e.g., license, API support)
  • Manual reviews for nuanced aspects (e.g., community strength, documentation quality)

Scoring system

  • Required: Essential attributes (significant penalty if missing)
  • Expected: Typical well-executed project attributes (moderate score impact)
  • Recommended: Good practice indicators (positive contribution)
  • Bonus: Excellence demonstrators (pure positive, no penalty for absence)

Tiered classifications

  • "Verified" vs "Experimental/Community" designations
  • Minimum threshold requirements (stars, maintainers, community indicators)
  • Regular re-evaluation frequency for automated checks

Acceptable licenses

The following open source licenses are accepted for MCP servers in the ToolHive registry:

Permissive licenses

Licenses such as Apache-2.0, MIT, BSD-2-Clause, and BSD-3-Clause allow maximum flexibility for integration, modification, and redistribution with minimal restrictions, making MCP servers accessible across all project types and commercial applications.

Excluded licenses

We exclude copyleft and restrictive licenses such as AGPL-3.0, GPL-2.0, and GPL-3.0 to ensure MCP servers can be freely integrated into various commercial and open source projects without legal complications or viral licensing requirements.