Install & Run MCP Inspector
Overview
MCP Inspector is a lightweight developer tool for connecting to MCP servers, discovering tools, and making tool calls. You'll use it in this module to test both the direct MCP server path and the sanctioned portal path.
You must run MCP Inspector from the Windows 11 VM — the same device where you connected CF1 Client / WARP in M0. This ensures Gateway policies apply to MCP traffic. If you run Inspector from your personal laptop, Gateway won't see or enforce the block rules you create later in this module.
Prerequisites
MCP Inspector runs via npx, which requires Node.js 18+ and npm.
Check if Node.js is installed
Open a terminal and run:
node --version
If you see v18.x.x or higher, you're good. If not, install Node.js first.
Install Node.js (if needed)
- macOS
- Windows
- Linux
Option A: Download installer
- Go to nodejs.org
- Download the LTS version
- Run the
.pkginstaller - Restart your terminal
Option B: Using Homebrew
brew install node
Verify:
node --version
npm --version
Option A: Download installer
- Go to nodejs.org
- Download the LTS version (
.msiinstaller) - Run the installer with default settings (ensure Add to PATH is checked)
- Restart PowerShell or Command Prompt
Option B: Using winget
winget install OpenJS.NodeJS.LTS
Verify:
node --version
npm --version
Ubuntu / Debian:
sudo apt update
sudo apt install nodejs npm
Fedora / RHEL:
sudo dnf install nodejs npm
Using nvm (any distro):
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash
source ~/.bashrc
nvm install --lts
Verify:
node --version
npm --version
Run MCP Inspector
MCP Inspector runs directly via npx — no global install needed.
- macOS
- Windows
- Linux
Open Terminal and run:
If you see unable to verify the first certificate, Node.js does not trust the Cloudflare Gateway CA that M0 installed into the macOS system keychain. Node.js uses its own CA bundle and ignores the system store.
The CF1 Client placed the certificate at /Library/Application Support/Cloudflare/installed_cert.pem. Point Node.js at it:
export NODE_EXTRA_CA_CERTS="/Library/Application Support/Cloudflare/installed_cert.pem"
npx @modelcontextprotocol/inspector@latest
The first run will download the package (may take 10–20 seconds). Once ready, you'll see:
MCP Inspector is up and running at http://localhost:5173
Open http://localhost:5173 in your browser.
Open PowerShell, Command Prompt, or Git Bash and run:
If you see unable to verify the first certificate, Node.js does not trust the Cloudflare Gateway CA that M0 installed into the Windows certificate store. Node.js uses its own CA bundle and ignores the system store.
The CF1 Client placed the certificate at C:\ProgramData\Cloudflare\installed_cert.pem. Point Node.js at it:
$env:NODE_EXTRA_CA_CERTS="C:\ProgramData\Cloudflare\installed_cert.pem"
npx @modelcontextprotocol/inspector@latest
The first run will download the package. When prompted Need to install the following packages... Ok to proceed?, type y and press Enter.
Once ready:
MCP Inspector is up and running at http://localhost:5173
Open http://localhost:5173 in your browser.
If Windows Firewall prompts you, click Allow access for Node.js on private networks.
Open your terminal and run:
If you see unable to verify the first certificate, Node.js does not trust the Cloudflare Gateway CA that M0 installed into the system certificate store. Node.js uses its own CA bundle and ignores the system store.
If the CF1 Client placed the certificate on your system, point Node.js at it (path varies by distribution):
export NODE_EXTRA_CA_CERTS="/usr/share/ca-certificates/Cloudflare/installed_cert.pem"
npx @modelcontextprotocol/inspector@latest
Once ready:
MCP Inspector is up and running at http://localhost:5173
Open http://localhost:5173 in your browser.
About MCP Inspector
MCP Inspector is a lightweight developer tool that emulates an AI agent interacting with remote MCP servers and their tools. It runs locally on your machine and connects to MCP servers over the internet — just like Claude Desktop, a coding assistant, or any other agentic system would.
What it does
- Connects to MCP servers — just like an AI agent would
- Discovers tools — lists all available tools exposed by the server (e.g., product catalog lookups, order status checks)
- Invokes tools — sends requests with parameters and displays responses
- Shows raw protocol traffic — useful for debugging how the agent ↔ server communication works
Why we need it in this lab
In the next pages, you will use MCP Inspector to:
- Test the unsanctioned path — connect directly to the KiwiCart MCP server to prove it works without any identity check or logging
- Test the sanctioned path — connect through the MCP Portal you create to prove identity, governance, and audit trails are enforced
- Compare before/after — demonstrate that direct access is blocked by Gateway while portal access remains open
MCP Inspector gives you a hands-on way to see what an AI agent sees — and to validate that Cloudflare governance controls are working as intended.
Verify it's running
Once the Inspector UI opens at http://localhost:5173, confirm the page loads. You don't need to connect to anything yet — the next page will walk you through the first connection.
Troubleshooting
npx command not found
npx comes with npm 5.2+. If it's not available:
- Update npm:
npm install -g npm@latest - Or install the package globally:
npm install -g @modelcontextprotocol/inspector - Then run:
mcp-inspector
Port 5173 is already in use
Another process is using port 5173. Either:
- Stop the other process
- Or use a different port:
npx @modelcontextprotocol/inspector@latest --port 5174 - Then open
http://localhost:5174
Windows: "Execution of scripts is disabled" error in PowerShell
Run this command first to allow script execution for the current session:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Then retry the npx command.
"unable to verify the first certificate" or TLS errors with npx
This happens because Node.js ships with its own CA bundle and does not read certificates from the operating system's certificate store. Even though M0 installed the Cloudflare Gateway CA into the system store, Node.js ignores it.
Fix — point Node.js at the certificate file:
-
Windows: The CF1 Client placed it at
C:\ProgramData\Cloudflare\installed_cert.pem$env:NODE_EXTRA_CA_CERTS="C:\ProgramData\Cloudflare\installed_cert.pem"
npx @modelcontextprotocol/inspector@latest -
macOS: The CF1 Client placed it at
/Library/Application Support/Cloudflare/installed_cert.pemexport NODE_EXTRA_CA_CERTS="/Library/Application Support/Cloudflare/installed_cert.pem"
npx @modelcontextprotocol/inspector@latest -
Linux: Path varies by distribution. Check where the CF1 Client wrote the certificate and export accordingly.
NODE_EXTRA_CA_CERTS tells Node.js to trust the Cloudflare Gateway CA in addition to its built-in CAs. No security is downgraded.
If the certificate file is not present yet (cert sync can take a few minutes after WARP connects), wait and retry. As a temporary lab-only fallback, you can use $env:NODE_TLS_REJECT_UNAUTHORIZED="0" (Windows) or export NODE_TLS_REJECT_UNAUTHORIZED=0 (macOS/Linux), but this disables all TLS verification for that session.
Next
Once MCP Inspector is running and you can see the UI at http://localhost:5173, proceed to the next page where you will:
- Check the MCP server health — verify it's reachable
- Connect directly — prove the unsanctioned path works
- Explore and run tools — see what the server exposes
- Create a sanctioned portal — add identity and governance
- Block the direct path — only the portal remains