Server data from the Official MCP Registry
FastMCP server for posting formatted content to X (Twitter) — Tollbooth-monetized, DPYC-native
FastMCP server for posting formatted content to X (Twitter) — Tollbooth-monetized, DPYC-native
Remote endpoints: streamable-http: https://excalibur-mcp.fastmcp.app/mcp
The eXcalibur MCP server implements OAuth2 + PKCE for X/Twitter authentication with Nostr identity and Lightning micropayment metering via the Tollbooth DPYC framework. The codebase demonstrates reasonable security practices for credential handling (OAuth tokens stored in Neon vault, human-in-the-loop Secure Courier for operator secrets), but the analysis reveals several code quality concerns and dependency risks that warrant attention. The frontend TypeScript code contains unvalidated user inputs, broad exception handling, and potential XSS vectors in dynamic content rendering that lower confidence in overall security posture. Supply chain analysis found 10 known vulnerabilities in dependencies (1 critical, 4 high severity).
4 files analyzed · 19 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Available as Local & Remote
This plugin can run on your machine or connect to a hosted endpoint. during install.
From the project's GitHub README.
Sword-swift posting of pretty tweets to X (Twitter) via AI agents, monetized with Bitcoin Lightning micropayments through the DPYC(TM) Tollbooth protocol.
eXcalibur is a FastMCP server that lets AI agents post to X (Twitter) with rich Unicode formatting and optional images. Patron authentication for X uses OAuth2 Authorization Code + PKCE -- no credentials appear in chat. Operator credentials (X app keys, BTCPay) arrive via human-in-the-loop Secure Courier and are stored in the operator's per-operator Neon vault schema. Tool calls are metered with Tollbooth DPYC(TM) pre-funded Lightning balances -- Don't Pester Your Customer.
Part of the DPYC(TM) Social Contract.
Connect via FastMCP Cloud -- no local install needed:
https://www.fastmcp.cloud/mcp/lonniev/excalibur-mcp
Call excalibur_session_status to see your current session state. If you have
an active session with funded credits, you are ready to post.
how_to_join() tool, or any
Nostr client.excalibur_begin_oauth(npub=<npub>) -- returns an authorize_url.
Open the primary authorize_url (not a shortlink) in your browser and
authorize the app on X.excalibur_check_oauth_status(npub=<npub>) -- completes the code
exchange, vaults the tokens, and activates your session.Sessions are keyed by npub. Tokens are stored in the Neon vault and auto-refresh on expiry.
Operator credentials (X OAuth2 app keys, BTCPay connection) are delivered via
Secure Courier (service="excalibur-operator"). This is a human-in-the-loop
flow: the operator consciously approves each credential delivery via their
Nostr client. On receive_credentials, the relay DM is destructively drained
-- credentials exist only in the Neon vault after receipt.
Tool calls cost api_sats per call. Credits have a tranche_lifetime --
each purchase creates a tranche that expires after the configured lifetime.
Auth and balance tools are always free. Use excalibur_check_balance to see
your balance and tranche expiry. Top up via excalibur_purchase_credits.
Standard DPYC(TM) tools are registered by register_standard_tools() from
tollbooth-dpyc. These include
session management, credit operations, Secure Courier, pricing, notarization,
and Oracle delegation. Each tool is identified by a deterministic UUID v5.
| Category | Tools |
|---|---|
| Session & Billing | session_status, check_balance, account_statement, account_statement_infographic, restore_credits, service_status, check_price, check_authority_balance |
| Secure Courier | request_credential_channel, receive_credentials, forget_credentials |
| Npub Proof | request_npub_proof, receive_npub_proof |
| Purchase | purchase_credits, check_payment |
| Pricing & Constraints | get_pricing_model, set_pricing_model, reset_pricing_model, list_constraint_types |
| Notarization | notarize_ledger, list_notarizations, get_notarization_proof |
| Onboarding | get_operator_onboarding_status, get_patron_onboarding_status |
| Oracle (delegated) | oracle_about, oracle_how_to_join, oracle_lookup_member, oracle_get_tax_rate, oracle_network_advisory |
| Tool | Cost | Description |
|---|---|---|
begin_oauth | Free | Start X OAuth2 Authorization Code + PKCE flow; returns authorize_url |
check_oauth_status | Free | Complete the browser authorization and exchange the code for tokens |
post_tweet | ad valorem | Post to X with markdown-to-Unicode rich text formatting |
post_tweet_image | ad valorem | Post with an image URL or SVG banner (rendered to PNG) |
All tools that take an npub also accept a proof: str parameter for
kind-27235 Schnorr proof attestation.
npub),
not an email or password. One keypair per role, managed by the user.request_npub_proof / receive_npub_proof.src/excalibur_mcp/
server.py FastMCP server -- domain tools + register_standard_tools()
config.py Pydantic settings from environment variables
oauth_flow.py X-specific OAuth2 Authorization Code + PKCE wrapper
vault.py In-memory Bearer token session cache (keyed by npub)
x_client.py X API v2 client with OAuth 2.0 Bearer token auth
formatter.py Markdown -> Unicode rich text (bold, italic, headers)
Key design choices:
begin_oauth returns the primary authorize_url (not a shortlink);
check_oauth_status completes the exchange. Tokens stored in Neon vault,
auto-refreshed on expiry. No OAuth 1.0a.register_standard_tools() provides
all DPYC(TM) infrastructure tools. Only domain-specific X/Twitter tools are
defined in server.py.**bold**, *italic*, and # headers
to Unicode characters that render in tweets without markup syntax.| Variable | Required | Description |
|---|---|---|
TOLLBOOTH_NOSTR_OPERATOR_NSEC | Yes | Operator's Nostr secret key for identity bootstrap and DM encryption |
This is the only env var required to start. All other secrets (X app keys, BTCPay credentials) arrive via Secure Courier credential templates and are stored in the per-operator Neon vault schema.
These are delivered via Secure Courier (service="excalibur-operator"), not
set as environment variables:
| Credential | Description |
|---|---|
client_id | X OAuth2 Client ID (from X Developer Portal) |
client_secret | X OAuth2 Client Secret (from X Developer Portal) |
btcpay_host | BTCPay Server URL |
btcpay_store_id | Store ID for invoices |
btcpay_api_key | API key with invoice permissions |
Certified operators bootstrap their Neon database URL from the Authority via
encrypted Nostr DM -- NEON_DATABASE_URL is not read from the environment.
| Variable | Description |
|---|---|
TOLLBOOTH_NOSTR_RELAYS | Comma-separated relay URLs (overrides defaults) |
SEED_BALANCE_SATS | Starter credits for new users (default: 0) |
DPYC_REGISTRY_CACHE_TTL_SECONDS | How long to cache the DPYC community registry (default: 300) |
CONSTRAINTS_ENABLED | "true" to enable constraint engine evaluation on tool calls |
On first request after deploy, the service may take a few seconds to initialize Neon connections and load the pricing model. The runtime handles this with inline retry -- the caller receives the result after the warm-up completes, not a "service unavailable" error.
Credential-related responses describe the current lifecycle state with clear guidance, not error messages:
| State | Meaning | Next step |
|---|---|---|
no_session | No npub recognized | Call session_status with your npub |
awaiting_oauth | OAuth flow started, browser not yet authorized | Open the authorize_url and authorize |
awaiting_courier | Secure Courier channel opened, credentials not yet received | Reply via Nostr client with credentials JSON |
proof_expired | Npub proof cache expired (~1 hour) | Call request_npub_proof then receive_npub_proof |
insufficient_balance | Credits exhausted or tranche expired | Call purchase_credits to top up |
request_npub_proof then
receive_npub_proof to prove npub ownership. The cache expires after ~1
hour; renew with a fresh request/receive cycle.purchase_credits to top up.
Check tranche expiry with check_balance.Don't Pester Your Customer: Do NOT ask the patron to re-authenticate, re-authorize, or re-do OAuth unless the response specifically says the upstream token is expired or invalid.
# Install in development mode
cd excalibur-mcp
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
# Run tests
.venv/bin/pytest tests/
# Type checking
mypy src/excalibur_mcp/
# Formatting
black src/ tests/
ruff check src/ tests/
DPYC, Tollbooth DPYC, and Don't Pester Your Customer are trademarks of Lonnie VanZandt. See the TRADEMARKS.md in the dpyc-community repository for usage guidelines.
Apache License 2.0 -- see LICENSE for details.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.