For developers

Your vendor compliance,
accessible from any AI.

VendorKeep ships an MCP server, a typed REST API, outbound webhooks, and per-agent identity & audit. Plug into Claude, ChatGPT, Cursor, Windsurf, or your own agents.

The four-part agent surface

Built for the way agents actually integrate.

Anything less than this is marketing wash. Vanta, Drata, Linear, Notion, Resend — the credible benchmark in 2026.

REST API

Typed, OpenAPI-documented, OAuth 2.0 + RBAC scopes. Cursor-paginated. Idempotency-keyed mutations.

api.vendorkeep.ai/v1

MCP server

Hosted, OAuth 2.1 + PKCE + DCR, MCP spec rev 2025-06-18, Streamable HTTP. 60+ tools.

api.vendorkeep.ai/mcp

Webhooks

Outbound notifications for vendor lifecycle events. HMAC-SHA256 signed. Idempotency-keyed delivery.

vendor.* / payment.* / filing.*

Identity & audit

Per-agent OAuth scopes. Paired audit rows on every mutation. Arg-fingerprint replay protection.

RFC 8707 audience-bound

Live MCP demo

From "Hi Claude" to filing readiness — in one prompt.

With your VendorKeep tenant connected, your AI client of choice can answer questions about your vendor base, draft compliance workflows, and propose actions for your approval. PII never crosses the wire — every TIN, SSN, and EIN stays in the vault.

  • "Show me vendors with TIN mismatches in the last 30 days."
  • "Which contractors are missing W-9s for tax year 2026?"
  • "What's our 1099 filing readiness?"

Claude Desktop · vendorkeep mcp

user:

What's our 1099 filing readiness?

claude:

→ tool: filing.readiness

→ tool: vendors.list_needs_attention

# Result

94% ready (342/363 vendors)

Needs attention: 21

– 12 missing W-9s

– 6 TIN mismatches

– 3 classification issues

Want me to start a W-9 reminder run for the 12 missing? (needs your approval)

Install

Add VendorKeep to your AI in one command.

Cross-client installer auto-detects what you have running locally and writes the right config.

Universal (Claude Code, Cursor, VS Code, Codex, Windsurf)

npx add-mcp https://api.vendorkeep.ai/mcp

Claude Code (CLI)

claude mcp add --transport http vendorkeep https://api.vendorkeep.ai/mcp

Run in your terminal. OAuth flow opens in your browser to authorize.

Cursor (one-click)

Add to Cursor

Opens Cursor and adds VendorKeep to .cursor/mcp.json. Cursor must be installed.

Claude Desktop / Claude.ai

Settings → Connectors → Add custom connector → paste:

https://api.vendorkeep.ai/mcp

VS Code (one-click)

Add to VS Code

Requires the MCP extension in VS Code Insiders or stable.

Server card: /.well-known/mcp/server-card.json · Spec: modelcontextprotocol.io rev 2025-06-18

MCP client compatibility

Works with your favorite AI client.

Connector setup guides for every major MCP client. Built on the open MCP spec rev 2025-06-18.

Claude Desktop

Native MCP support. Add VendorKeep via Settings → Connectors.

Setup guide

Claude.ai (Custom Connectors)

Browser-based connection. Tenant-admin approval required for org-wide.

Setup guide

ChatGPT (MCP Developer Mode)

OpenAI MCP support via Developer Mode. OAuth 2.1 + PKCE.

Setup guide

Cursor

Add to Cursor via the MCP marketplace or .cursor/mcp.json.

Setup guide

Windsurf

Codeium Windsurf MCP support. Standard MCP server URL.

Setup guide

Custom SDKs

Any agent built on the Anthropic, OpenAI, or open MCP SDKs.

SDK reference

Security & guardrails

Designed for what your CFO will ask.

"What can the AI do? What can't it do? Who approved that? Where's the log?" — VendorKeep is built so every answer is in the audit trail.

Three-tier action gating

Read tools are unrestricted within the agent's OAuth scope. Mutating tools require an idempotency key. Destructive tools (filing submission, payment voids, TIN reveal) require human consent at call time, plus optional second-admin approval.

PII never crosses the AI boundary

Raw TINs, SSNs, and EINs stay in the KMS-encrypted PII vault. AI clients only ever see masked values like ***-**-6789. TIN reveal remains a web-UI-only operation.

Per-tenant opt-in & scope control

MCP access is opt-in per tenant. Tenant admins control which scopes any agent can exercise via Settings → Agent Access. Tightening scopes is always an option; granting scopes beyond your role permission matrix is not.

IRC §7216 disclosure at consent

The OAuth consent screen includes the IRC §7216 taxpayer-information disclosure language for any token granting access to taxpayer data — required by federal law for tax-information handling.

Tenant isolation at the row level

Multi-tenancy is enforced at the database layer, scoped by your ein_entity_id. Cross-tenant data is invisible — even probes return "not found."

Paired audit rows on every mutation

Every agent action produces a paired audit row capturing the agent identity (which client, which token), the user behind it, the input arg fingerprint, and the outcome. Replay protection comes free.
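
An added sketch (not VendorKeep's code) of the three-tier action gating and the arg-fingerprint audit row described in this section. The tool-to-tier map, the names w9.request, payments.void and filing.submit, the outcome strings, and the rule that an idempotency key is bound to the fingerprint of its first accepted call are assumptions made for illustration.

```python
import hashlib
import json

# Assumed tool -> side-effect tier map. Only the two read tools are named on the
# page; w9.request, payments.void and filing.submit are hypothetical names.
TOOL_TIER = {"filing.readiness": "read", "vendors.list_needs_attention": "read",
             "w9.request": "mutate", "payments.void": "destructive",
             "filing.submit": "destructive"}

def arg_fingerprint(tool, args):
    """SHA-256 over the tool name and canonical (key-sorted) JSON arguments."""
    blob = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

class Gate:
    def __init__(self, require_second_admin=False):
        self.require_second_admin = require_second_admin
        self.seen = {}   # idempotency key -> fingerprint of the first accepted call
        self.audit = []  # append-only audit rows

    def call(self, agent, user, tool, args, scopes, idem_key=None,
             consent=False, second_admin=False):
        fp = arg_fingerprint(tool, args)
        outcome = self._decide(tool, fp, scopes, idem_key, consent, second_admin)
        # Row fields follow the page: agent identity, user, arg fingerprint, outcome.
        self.audit.append({"agent": agent, "user": user, "tool": tool,
                           "arg_fp": fp, "outcome": outcome})
        return outcome

    def _decide(self, tool, fp, scopes, idem_key, consent, second_admin):
        tier = TOOL_TIER.get(tool)
        if tier is None:
            return "deny:unknown_tool"
        if tool.split(".")[0] not in scopes:   # scope = tool domain (assumption)
            return "deny:scope"
        if tier == "read":
            return "allow"
        if not idem_key:                        # tiers 2 and 3 need a key
            return "deny:idempotency_key_required"
        if tier == "destructive":
            if not consent:
                return "deny:human_consent_required"
            if self.require_second_admin and not second_admin:
                return "deny:second_admin_required"
        prior = self.seen.get(idem_key)
        if prior is None:
            self.seen[idem_key] = fp
            return "allow"
        # Same key again: identical args are a replay, different args are rejected.
        return "replay:same_args" if prior == fp else "deny:key_reused_with_different_args"
```

Denied calls are audited too in this sketch, so a refused destructive request leaves the same trail as an approved one.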

Tool catalog

60+ tools, organized by domain.

Every tool is documented with its scope, input schema, output schema, and side-effect class.

vendors.*

List, search, get detail, classify, archive. Onboarding state machine transitions.

w9.*

Request, status, freshness, refresh. Tracks every form's chain of custody.

tin.*

Match status, B-Notice intake, mismatch resolution. (TIN values never returned.)

contracts.*

List, get detail, redlines, renewals queue. Sign-flow state.

payments.*

Ingest, classify, list, void. GL mapping. YTD spend per vendor.

filing.*

Readiness scoring, generation, submission. Federal + state. (Submission gated.)

compliance.*

Annual review lifecycle, dormant safety net, B-Notice resolution status.

dashboard.*

Portfolio metrics, watcher activity, today's actions, signals.

audit.*

Append-only log queries. Filter by watcher, vendor, decision, severity.

Ready to plug your AI into your vendor base?

Join the waitlist — developer access opens with early access.

Join the Waitlist