Roast-as-a-tool

Roast agent ideas without leaving your editor

The same verdict engine behind the site, exposed as an MCP server over Streamable HTTP. Call roast_idea from Claude Code, Cursor, or Claude Desktop and get the verdict tier, agent-readiness score, top OWASP-MCP risk, and a shareable /result URL back inline. The website stays no-signup and free; the MCP endpoint takes a bearer token for machine access (see Auth below).

Install

Claude Code

claude mcp add --transport http whycant https://whycantwehaveanagentforthis.com/api/mcp \
  --header "Authorization: Bearer $WHYCANT_MCP_TOKEN"

Cursor — ~/.cursor/mcp.json (or .cursor/mcp.json)

{
  "mcpServers": {
    "whycant": {
      "url": "https://whycantwehaveanagentforthis.com/api/mcp",
      "headers": { "Authorization": "Bearer <your-mcp-token>" }
    }
  }
}

Claude Desktop — claude_desktop_config.json

{
  "mcpServers": {
    "whycant": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://whycantwehaveanagentforthis.com/api/mcp",
               "--header", "Authorization: Bearer <your-mcp-token>"]
    }
  }
}

Endpoint: https://whycantwehaveanagentforthis.com/api/mcp (Streamable HTTP, POST). Claude Desktop bridges remote servers through mcp-remote.

Auth

The endpoint is gated by a bearer access token — send Authorization: Bearer <token> on every call (the install snippets above already do). This is machine access, deliberately distinct from the site: no human signup, no paywall, ever. It’s the security wedge — unlike the ~40% of public MCP servers that expose their tools to the whole internet, this one fails closed.

OAuth 2.1 + PKCE (Nov-2025 MCP spec): compliant clients auto-discover via /.well-known/oauth-protected-resource and run the authorization-code + PKCE (S256) flow — no token to paste. A static Authorization: Bearer token also works for simple machine access.
Missing/invalid token → 401 with a structured JSON error (never a stack trace) and a WWW-Authenticate pointer to the OAuth metadata.
Token-gated tools still run the site’s full guard pipeline (kill-switch → daily cap → budget → burst → hourly/daily), so a leaked token still can’t run up the bill.
Ask the operator for a token; rotate by setting a new one (multiple tokens supported).

Tools

roast_idea(idea) — full roast. Mints a real, persistent /result/[id] (its own share card), returns verdict tier, readiness 0-100, top OWASP-MCP risk, the “you’re the X%” framing, and the canonical URL.
get_verdict(id) — look up a verdict already minted, by id or slug. Read-only, no cost.
validate_idea / find_existing_agents — the original tool surface, kept for installed clients.

Shareable by design

A roast from a tool call isn’t a dead end. Every roast_idea mints a real, public /result/[id] page with its own OG share card — the same page a human submission creates. The tool result hands back that URL with a “this verdict came from an MCP tool call” note, so an agent can drop the link into a PR, an issue, or a tweet and the OG-card loop keeps working. MCP usage feeds the same virality flywheel as the website.

Registry

Machine-readable manifest for the MCP Registry, Smithery, and Glama: /server.json. It points listing tools at the same Streamable-HTTP endpoint.

← Back to whycantwehaveanagentforthis.com