Server data from the Official MCP Registry
Send eCards, run bulk campaigns, and automate recurring cards from your AI assistant.
Send eCards, run bulk campaigns, and automate recurring cards from your AI assistant.
The eCardWidget MCP server is well-designed with strong security fundamentals. Authentication is properly scoped via API keys with server-side enforcement, destructive operations use two-step confirmation, and permissions align with the server's purpose (network I/O for API calls, environment variables for credentials). Minor code quality issues and incomplete input validation in a few edge cases prevent a higher score, but these pose no serious security risk. Supply chain analysis found 3 known vulnerabilities in dependencies (2 critical, 0 high severity). Package verification found 1 issue.
7 files analyzed · 9 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: ECW_API_KEY
Environment variable: ECW_BASE_URL
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-ecardwidget-ecardwidget-mcp": {
"env": {
"ECW_API_KEY": "your-ecw-api-key-here",
"ECW_BASE_URL": "your-ecw-base-url-here"
},
"args": [
"-y",
"ecardwidget-mcp"
],
"command": "npx"
}
}
}From the project's GitHub README.
The official Model Context Protocol server for eCardWidget. Let an AI assistant (Claude Desktop, Claude Code, Cursor, …) work in your eCardWidget account — search and send eCards, manage your directory, list campaigns/widgets/automations — using an API key you generate and scope yourself.
The assistant can only ever do what your API key permits. On startup the server asks the API what the key is allowed to do and registers only the tools that key is scoped for. All scope enforcement, throttling, and auditing happen server-side.
First, generate a scoped API key in your eCardWidget dashboard: Settings → Developers → API Keys. Grant only the areas you want the assistant to touch. Then pick whichever install fits your client:
Download ecardwidget-mcp.mcpb from the latest release
and open it. Claude Desktop shows an install dialog that asks you for your API key (stored in your OS
keychain) — no config files, no commands.
npx ecardwidget-mcp login # prompts for your key, verifies + saves it locally (0600)
claude mcp add ecardwidget -- npx -y ecardwidget-mcp # no key in the command
The server reads the saved key automatically. (npx ecardwidget-mcp logout removes it.)
{
"mcpServers": {
"ecardwidget": {
"command": "npx",
"args": ["-y", "ecardwidget-mcp"],
"env": { "ECW_API_KEY": "YOUR_API_KEY" }
}
}
}
Restart your client. It connects and shows the tools your key is scoped for. Precedence: an explicit
ECW_API_KEY env var always wins over the saved login credential.
| Variable | Required | Default | Description |
|---|---|---|---|
ECW_API_KEY | yes | — | Your scoped API key (used as a Bearer token). |
ECW_BASE_URL | no | https://app.ecardwidget.com | Override only for a custom domain / testing. |
All tools are namespaced ecw_*; only those your key is scoped for are registered.
ecw_whoami, ecw_describe_fields (what fields you can set on a
widget / eCard / campaign / automation — synced from the OpenAPI spec)ecw_search_ecards, ecw_get_widget_ecards, ecw_create_ecard (image via URL or base64),
ecw_send_ecard, ecw_delete_ecardecw_list_team_members, ecw_find_team_member, ecw_upsert_team_member,
ecw_import_team_members, ecw_deactivate_team_member, ecw_delete_team_memberecw_list_widgets, ecw_create_widget, ecw_duplicate_widget, ecw_delete_widgetecw_list_automations, ecw_create_automation (birthday / anniversary / onboarding)ecw_list_campaigns, ecw_create_campaign (draft), ecw_send_campaignDestructive tools (delete, send campaign) use a two-step confirmation — call once for a preview + a one-time token, then again with the token to execute. Deleting automations/campaigns and sending gift-card campaigns require confirmation in the dashboard.
The server ships prompts — guided, multi-step flow templates your client surfaces as
slash-commands/suggestions: run_campaign, setup_automation, spin_up_widget, import_directory
(each shown only if your key is scoped for it). It also hands the assistant a compact overview of the
object model and the core flows at connect, so it understands how widgets, eCards, campaigns,
automations, and the directory fit together.
Ask naturally, e.g. "Send a birthday eCard from our Thank-You widget to grace@acme.com".
See SECURITY.md. In short: least-privilege scoped keys, server-side enforcement is the real guarantee, destructive actions require a two-step confirmation, and the API key is never logged.
npm install
npm run build # tsup → dist/index.js
npm test # vitest
npm run inspector # MCP Inspector against the built server (needs ECW_API_KEY)
MIT
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.
by Microsoft · Content & Media
Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption
by mcp-marketplace · Developer Tools
Search and install MCP servers from inside your AI client.
by mcp-marketplace · Finance
Free stock data and market news for any MCP-compatible AI assistant.