Labsco
lnvpn logo

nadanada_me

from lnvpn

A public MCP server that gives AI agents access to real UK carrier phone numbers for SMS verification. Agents can rent disposable or rental numbers, pay Lightning invoices, and read incoming SMS, all through standard MCP tool calls with no authentication required.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeQuick setup

Phone MCP Server

Standalone MCP adapter for lnvpn-web-app/app/api/v2/phone/*.

This service is additive only: it does not change existing phone API routes or behavior.

What It Exposes

Tools mapped 1:1 to your existing API:

  • phone.purchase.start -> POST /api/v2/phone/purchase
  • phone.purchase.complete -> POST /api/v2/phone/complete
  • phone.renew.start -> POST /api/v2/phone/renew
  • phone.renew.complete -> POST /api/v2/phone/renew/complete
  • phone.numbers.list -> GET /api/v2/phone/numbers
  • phone.messages.list -> GET /api/v2/phone/messages/{phoneNumber}

Security Model

By default, the server runs in hmac mode (MCP_AUTH_MODE=hmac).

Each request to /mcp must include:

  • X-Client-Id
  • X-Timestamp (unix ms)
  • X-Nonce (UUID recommended)
  • X-Body-SHA256 (sha256 hex of stable JSON body)
  • X-Signature (v1=<hex_hmac>)

Canonical signing string:

{METHOD}\n{PATH}\n{X-Timestamp}\n{X-Nonce}\n{X-Body-SHA256}

Signature:

hex(HMAC_SHA256(canonical, client_secret))

Controls:

  • timestamp skew protection (HMAC_ALLOWED_SKEW_MS)
  • one-time nonce replay protection (Redis recommended)
  • per-client rate limit
  • per-client allowed tool list

If you want a fully open endpoint, set MCP_AUTH_MODE=open. In open mode, MCP client auth is disabled and requests are accepted without HMAC headers.

Run

npm install
npm run dev

Build + production:

npm run build
npm run start