Sagentum tests MCP server endpoints as part of the Full assessment type. This page discloses exactly how that testing works — the identification headers we send, the call volume, the test suite, and how to opt out if you prefer not to have your server tested automatically.
All test calls are made with the following User-Agent header:
Test calls originate from a fixed set of IP addresses. If you need the current IP range for allowlisting, email testing-opt-out@sagentum.com and we will provide it.
Maximum 15 calls per server per assessment. In practice, the standard test suite uses 8 calls. Additional calls only occur if the initial calls return ambiguous results that require clarification.
Re-assessments follow the same limit. Quarterly re-assessments are the default cadence — servers are not tested continuously.
If a server returns a rate limit response during testing, we wait 60 seconds and retry once. If the rate limit persists, the relevant dimensions are marked Not Tested rather than Fail — rate limiting is not treated as a quality failure.
Eight structured calls, each testing a specific assessment dimension:
1. Standard valid call. Uses documented example parameters. Validates response schema matches documentation. Tests Dimension 2 (Behavioural Consistency).
2. Repeat identical call. Same parameters as call 1. Validates idempotency and consistency. Tests Dimension 5 (Idempotency & Agent Safety).
3. Malformed parameter. Wrong type for a required parameter. Validates error response structure. Tests Dimension 3 (Error Handling).
4. Missing required parameter. Omits a required field. Validates parameter validation and error clarity. Tests Dimension 3.
5. Invalid authentication. Malformed API key or token. Validates auth error response. Tests Dimensions 3 and 4.
6. Response header inspection. Checks all response headers for credential or token leakage. Tests Dimension 4 (Security Posture).
7. Rapid sequential calls. 3 calls in 5 seconds. Validates rate limiting behaviour and schema consistency under load. Tests Dimension 2.
8. Read-only idempotency. If a tool with readOnlyHint: true exists, calls it twice and confirms no side effects. If no annotated read-only tool exists, selects the most likely read-only tool by name and description. Tests Dimension 5.
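A maintainer can run the equivalent of the response header inspection against their own server before an assessment. The Python below is an added example, not Sagentum's code; the header names, regex patterns, and sample headers are assumptions constructed for illustration, since this page does not publish the detection rules.

```python
import re

# Assumed heuristics (not Sagentum's rules): headers that belong on requests only.
REQUEST_ONLY = {"authorization", "proxy-authorization", "x-api-key", "x-auth-token"}

# Assumed value patterns for token-shaped strings inside any response header.
VALUE_PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{16,}", re.I),
    "key_value_secret": re.compile(
        r"\b(api[_-]?key|access[_-]?token|secret)=[^\s;,&]{8,}", re.I),
}


def find_header_leaks(headers, sent_credential=None):
    """Return (header_name, reason) pairs for suspected credential leakage.

    headers: mapping of response header name -> value.
    sent_credential: the key/token used in the request, if any, so an
    echoed copy is caught even when it matches no pattern.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() in REQUEST_ONLY:
            findings.append((name, "request-only auth header in response"))
        if sent_credential and sent_credential in value:
            findings.append((name, "submitted credential echoed back"))
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append((name, label))
    return findings


# Constructed sample: response to a call made with an invalid key.
SAMPLE_KEY = "sk_test_CONSTRUCTED_0123456789"
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    # A bare challenge is expected on auth errors and must not be flagged.
    "WWW-Authenticate": 'Bearer realm="mcp", error="invalid_token"',
    "X-Debug-Upstream": "Authorization: Bearer " + SAMPLE_KEY,
    "X-Api-Key": "CONSTRUCTED-KEY-VALUE",
}

if __name__ == "__main__":
    for header, reason in find_header_leaks(SAMPLE_HEADERS, SAMPLE_KEY):
        print(f"{header}: {reason}")
```

A session token in Set-Cookie will also match the value patterns; treat those hits as items to review rather than confirmed leaks.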
If you prefer your server not be live tested, email testing-opt-out@sagentum.com with your server name and endpoint URL. We will add your server to the live testing exclusion list within 48 hours.
Opting out is not penalised in the score. Opted-out servers are assessed using Documentation + Static Analysis only, with an assessment note stating the reason. The score ceiling for Documentation + Static Analysis assessments is 80 — this reflects reduced assessment coverage, not a quality judgment.
You can reverse an opt-out at any time by emailing the same address. The next scheduled re-assessment will include live testing.
For servers with significant traffic (500+ weekly visitors by PulseMCP estimate), we email the server developer before the first assessment. The email discloses that an assessment is in progress, links to this page, and offers the opt-out path and self-submission channel.
For all servers, draft scores are shared with the server developer before publication via a 7-day dispute window. If you are the maintainer of an assessed server and did not receive a pre-publication draft, email hello@sagentum.com.
Sagentum assesses publicly available MCP servers as part of its published methodology. Server developers do not need to participate for an assessment to proceed — the assessment uses publicly available documentation, repository content, and (unless opted out) live endpoints.
Participation — via self-submission, credential sharing, or responding to the pre-publication draft — improves the accuracy of the assessment and gives developers the opportunity to correct errors before publication. It does not affect whether the assessment is published.