Setup
This article describes how to enable and configure API Security Testing via Postman.
1. Add Wallarm's MCP server
- In Postman, open its AI Agent.
- In the AI Agent panel, click Configure (the "gear" icon) and select Configure MCP servers.
- In the displayed MCP Servers tab, click Add (the "plus" icon) and do one of the following:
  - Select Rogue MCP Server Detection from the list of featured MCP servers.
  - Or click Edit config and save the following to it:
Free MCP scans available immediately
After adding the MCP server, you can immediately run Rogue MCP Inspection scans on your installed MCP servers; no registration or API key is required. To set up API Security Testing on Postman collections (paid), continue with the steps below.
2. Run Rogue MCP Inspection (free, no API key)
After step 1, you can immediately use Rogue MCP Inspection, a free audit of the MCP servers installed locally on your machine. No WALLARM_API_TOKEN and no paid subscription are required.
Requirements: the Postman Desktop Agent must be installed locally, running, and connected to Postman, because the scan runs on your computer through the Desktop Agent.
How to run. In Postman Agent Mode, ask the AI Agent to check for rogue MCPs, for example: "Inspect my local machine for rogue MCPs". The scan takes about 2 minutes and reports what can be misused on your computer and how to fix it.
To run API Security Testing on Postman collections (paid) instead, continue with the steps below.
3. Subscribe and get an API token
API Security Testing requires a paid Rogue MCP subscription. To unlock it, obtain a WALLARM_API_TOKEN and add it to the MCP server configuration in Postman.
New users:
- Register and subscribe at roguemcp.wallarm.com.
- Copy the provided API token and paste it as the WALLARM_API_TOKEN value in your MCP server configuration in Postman.
Existing users:
- Contact Wallarm Support to get the Rogue MCP subscription.
- Once the subscription is active, go to Wallarm Console → Settings → API Tokens and create a token of the Rogue MCP type.
- Copy the token and paste it as the WALLARM_API_TOKEN value in your MCP server configuration in Postman.
Credits
Credits are consumed only when running API Security Testing on Postman collections; Rogue MCP Inspection scans are always free.
4. Ask to test the collection
With Wallarm's MCP server and credentials in place, use natural language in Postman Agent Mode to ask for a security test. For example: "Please, test the collection for security issues with Wallarm."
The Agent runs the tests (typically 2–3 minutes) and responds with a report; the results are also sent to Wallarm Cloud. To interpret them, see Exploring Results.