Heroku MCP Server
Local stdio MCP server for Heroku platform management — apps, dynos, add-ons, PostgreSQL databases, pipelines, and deployments via the Heroku CLI
Server Info
- Package: @heroku/mcp-server
- Registry: npm
- Repository: heroku/heroku-mcp-server
- Maintainer: Heroku (Vendor)
- Category: Cloud & Infrastructure
- Tags: paas, deployment, dynos
- Last Scanned: 28 May 2026
Findings (13 issues)
Authentication & Identity
CRITICAL: Stdio-only transport - no per-request token support
stdio-only transport. Auth is via HEROKU_API_KEY environment variable passed as a Bearer token in the Authorization header when the Heroku CLI REPL process and direct API calls are made. There is no MCP OAuth spec implementation. No HTTP/SSE transport. v1.2.2 is a bug fix only (path validation on so... Platform cannot pass per-request tokens; must spawn one server instance per user.
Add HTTP/SSE transport to accept per-request Authorization headers.
HIGH: No MCP OAuth spec implementation
Server does not implement the MCP OAuth authorization server spec. The platform must handle the full OAuth flow, token management, and credential injection externally.
Implement the MCP OAuth spec (.well-known/oauth-authorization-server) for native per-user authentication.
HIGH: Env var credentials with no rotation mechanism
Credentials (HEROKU_API_KEY, MCP_SERVER_REQUEST_TIMEOUT) are read from environment variables at startup. Rotation requires restarting the server process. All requests share the same service account credential.
Support dynamic credential refresh or secrets manager integration.
Tool Schema Quality
HIGH: Required fields missing on 2 write operations
Write tools without required field declarations: create_app, deploy_to_heroku.
Add required arrays to all write/delete tool schemas.
MEDIUM: Only 3 of 36 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICAL: Dangerous execution surface: pg_psql accepts an arbitrary SQL command string that is executed against Heroku Postgres
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
CRITICAL: Dangerous execution surface: deploy_one_off_dyno executes arbitrary commands in a Heroku dyno with network and filesystem access; v1.2.2 added path validation (isSafeSourceRelativePath) on source file paths
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
Permission Granularity
LOW: Tool descriptions lack resource scope
Descriptions don't specify what data types or resources they access.
Add resource type statements to descriptions.
LLM Safety
MEDIUM: 18 tool descriptions are too vague
Short or generic descriptions make tool selection unreliable.
Expand descriptions with specific actions, data types, and side effects.
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM: 5 list operations lack pagination
No pagination on any list tool (list_apps, list_addons, list_private_spaces, list_teams, list_addon_services, list_addon_plans, pipelines_list). Output is the raw Heroku CLI text or JSON output, meaning large accounts could return unbounded results. No field selection. Responses are passed through from the Heroku CLI REPL via stdout capture.
Add limit/offset or cursor-based pagination.
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
MEDIUM: 14 dependency vulnerabilities (5 high)
npm audit found 5 high severity CVEs.
Update vulnerable dependencies.
Tools (36 total)

| Name | Description | Risk |
|---|---|---|
| list_apps | List Heroku apps: owned, collaborator access, team/space filtering | read |
| get_app_info | Get app details: config, dynos, addons, access, domains | read |
| create_app | Create app: custom name, region (US/EU), team, private space | write |
| rename_app | Rename app: validate and update app name | write |
| maintenance_on | Enable maintenance mode and redirect traffic for a Heroku app | write |
| maintenance_off | Disable maintenance mode and restore normal app operations | write |
| get_app_logs | App logs: monitor/debug/filter by dyno/process/source | read |
| list_private_spaces | Lists Heroku Private Spaces with CIDR blocks, regions, compliance and capacity details. JSON output supported. | read |
| list_teams | Lists Heroku Teams with membership and enterprise account details. | read |
| list_addons | List add-ons: all apps or specific app, detailed metadata | read |
| get_addon_info | Get add-on details: plan, state, billing | read |
| create_addon | Create add-on: provision services for app with plan and configuration | write |
| list_addon_services | List available add-on services and providers | read |
| list_addon_plans | List available plans for an add-on service | read |
| pg_psql | Execute SQL queries: analyze, debug, modify schema, manage data | admin |
| pg_info | View database status: config, metrics, resources, health | read |
| pg_ps | Monitor active queries: progress, resources, performance | read |
| pg_locks | View database locks: blocking queries, deadlocks, transactions | read |
| pg_outliers | View query statistics: slow queries, performance outliers | read |
| pg_credentials | Manage access: credentials, permissions, security, monitoring | admin |
| pg_kill | Stop processes: stuck queries, blocking transactions, runaway operations | write |
| pg_maintenance | Track maintenance: windows, schedules, progress, planning | read |
| pg_backups | Manage backups: schedules, status, verification, recovery | read |
| pg_upgrade | Upgrade PostgreSQL: version migration, compatibility, safety | admin |
| ps_list | List and monitor Heroku app dynos. View running dynos, check status/health, monitor process states, verify configurations. | read |
| ps_scale | Scale dynos: adjust count and size for app process types | write |
| ps_restart | Restart dynos: target by type or individual dyno | write |
| pipelines_create | Creates new Heroku deployment pipeline with configurable stages, apps, and team settings | write |
| pipelines_promote | Promote apps through a pipeline stage | admin |
| pipelines_list | List available Heroku pipelines | read |
| pipelines_info | Get details for a Heroku pipeline | read |
| deploy_to_heroku | Use for all deployments. Deploys new/existing apps, with or without teams/spaces, and env vars to Heroku. Ask for app name if missing. Requires valid app.json via appJson param. | admin |
| deploy_one_off_dyno | Run code/commands in Heroku one-off dyno with network and filesystem access. | admin |
| list_ai_available_models | List available AI inference models | read |
| provision_ai_model | Provision AI model access for app | write |
| make_ai_inference | Make inference request to Heroku AI API | read |