Testing

Test MCP endpoints before production

A preflight checklist for generated MCP endpoints: initialize, tools/list, schema validation, auth failure, safe execution, and logging.

Jun 25, 202610 min readIntermediate

Steps

1

Initialize the endpoint

Start with the protocol handshake. If initialize fails, do not debug individual tools yet.

Example
curl -sS -X POST https://astrail.dev/api/mcp/SERVER_ID \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'
2

Inspect the visible tools

tools/list should show only the tools your public policy allows. Check names, descriptions, input schemas, and auth annotations.

Example
curl -sS -X POST https://astrail.dev/api/mcp/SERVER_ID \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'
3

Send a known-bad argument

A production MCP endpoint should reject invalid input before making an upstream call. This catches loose JSON schema mapping and unclear required fields.

Example
curl -sS -X POST https://astrail.dev/api/mcp/SERVER_ID \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 3,
    "method": "tools/call",
    "params": { "name": "get_pet_by_id", "arguments": { "petId": "" } }
  }'
4

Run one read-only happy path

Pick a GET route with deterministic output. The first production smoke should prove end-to-end execution without modifying upstream state.

5

Review runtime evidence

Check trace id, upstream status, latency, execution mode, and redaction. The goal is not just a green response; it is a debuggable response.

Production checks

initialize returns server metadata and capabilities.
tools/list excludes private tools from public surfaces.
Invalid arguments fail locally with a clear validation error.
Auth-required tools fail closed when credentials are absent.
Runtime logs redact credentials and include enough context to debug.

FAQ

What is the minimum MCP smoke test?

Run initialize, tools/list, one invalid tools/call, one auth failure, and one read-only happy path.

Should smoke tests call destructive endpoints?

Only in a staging environment with test data. Production launch checks should prefer read-only paths unless you have explicit rollback behavior.