# Setup <a href="https://docs.wallarm.com/5.x/about-wallarm/subscription-plans.md#rogue-mcp"><img src="../../../images/rogue-mcp-tag.svg" class="non-zoomable" style="border: none;"></a>

This article describes how to enable and configure [API Security Testing via Postman](https://docs.wallarm.com/5.x/vulnerability-detection/api-security-testing-via-postman/overview.md).

## 1. Add Wallarm's MCP server

1. In Postman, open the AI Agent.
1. In the AI Agent panel, click **Configure** ("gear") and select **Configure MCP servers**.
1. In the displayed **MCP Servers** tab, click **Add** ("plus") and do one of the following:

    * Select **Rogue MCP Server Detection** from the list of featured MCP servers.
    * Or click **Edit config** and save the following configuration:

        ```json
        {
            "mcpServers": {
                "Rogue MCP Server Detection": {
                    "command": "npx",
                    "args": [
                        "-y",
                        "rogue-mcp@latest"
                    ],
                    "env": {
                        "WALLARM_API_TOKEN": "YOUR_WALLARM_API_TOKEN"
                    }
                }
            }
        }
        ```

    !!! info "Free MCP scans available immediately"
        After adding the MCP server, you can immediately run [Rogue MCP Inspection](#2-run-rogue-mcp-inspection-free-no-api-key) scans on your installed MCP servers — no registration or API key required. To set up API Security Testing on Postman collections (paid), continue with the steps below.

## 2. Run Rogue MCP Inspection (free, no API key)

After step 1, you can immediately use [Rogue MCP Inspection](https://docs.wallarm.com/5.x/vulnerability-detection/api-security-testing-via-postman/overview.md#bonus-rogue-mcp-inspection-free) — a free audit of MCP servers installed locally on your machine. No `WALLARM_API_TOKEN` and no paid subscription required.

**Requirements:** [Postman Desktop Agent](https://learning.postman.com/docs/getting-started/basics/about-postman-agent/#postman-desktop-agent) locally installed and running, connected to Postman — the scan runs on your computer through the Desktop Agent.

**How to run.** In Postman Agent Mode, ask the AI Agent to check for rogue MCPs — for example: *"Inspect my local machine for rogue MCPs"*. The scan takes about 2 minutes and reports what can be misused on your computer and how to fix it.

To run API Security Testing on Postman collections (paid) instead, continue with the steps below.

## 3. Subscribe and get API token

API Security Testing requires a paid [**Rogue MCP** subscription](https://docs.wallarm.com/5.x/about-wallarm/subscription-plans.md#rogue-mcp). To unlock it, obtain a `WALLARM_API_TOKEN` and add it to the MCP server configuration in Postman.

**New users:**

1. Register and subscribe at [roguemcp.wallarm.com](https://roguemcp.wallarm.com/).
1. Copy the provided API token and paste it as the `WALLARM_API_TOKEN` value in your MCP server configuration in Postman.

**Existing users:**

1. Contact [Wallarm Support](https://support.wallarm.com) to get the **Rogue MCP** [subscription](https://docs.wallarm.com/5.x/about-wallarm/subscription-plans.md#rogue-mcp).
1. Once the subscription is active, go to Wallarm Console → **Settings** → [**API Tokens**](https://docs.wallarm.com/5.x/user-guides/settings/api-tokens.md) and create a token of the **Rogue MCP** type.
1. Copy the token and paste it as the `WALLARM_API_TOKEN` value in your MCP server configuration in Postman.

!!! info "Credits"
    Credits are only consumed when running API Security Testing on Postman collections — [Rogue MCP Inspection](#2-run-rogue-mcp-inspection-free-no-api-key) scans are always free.
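
The following check is an added example, not Wallarm's or Postman's code: it reviews the `mcpServers` configuration from step 1 once the token from step 3 is in place. It notes that `rogue-mcp@latest` resolves to whichever version is published when the server starts, that `-y` skips the npx install prompt, and whether `WALLARM_API_TOKEN` is still the placeholder or sits in the file as plaintext. The function name, the regexes and the first-non-flag heuristic are assumptions of this example.

```python
import json
import re

PLACEHOLDER = "YOUR_WALLARM_API_TOKEN"  # placeholder value in the page's config
SECRET_KEY = re.compile(r"TOKEN|SECRET|KEY|PASSWORD", re.I)
# Exact version pin, e.g. pkg@1.2.3 or @scope/pkg@1.2.3 (not @latest or a bare name)
PINNED = re.compile(r"^(@[^/@\s]+/)?[^/@\s]+@\d+\.\d+\.\d+([-+][\w.+-]+)?$")


def audit_mcp_config(text):
    """Return (server, note) tuples for an mcpServers JSON document."""
    notes = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        args = spec.get("args", [])
        if spec.get("command") == "npx":
            # Heuristic: the first non-flag argument is the package npx fetches and runs.
            pkg = next((a for a in args if not a.startswith("-")), None)
            if pkg and not PINNED.match(pkg):
                notes.append((name, f"unpinned package spec: {pkg}"))
            if "-y" in args or "--yes" in args:
                notes.append((name, "npx install prompt is skipped (-y)"))
        for key, value in spec.get("env", {}).items():
            if not SECRET_KEY.search(key):
                continue
            if not value or value == PLACEHOLDER:
                notes.append((name, f"{key} is empty or still the placeholder"))
            else:
                notes.append((name, f"{key} is stored as plaintext in the config"))
    return notes


# Constructed sample: the configuration from step 1, token not yet filled in.
SAMPLE = """
{
  "mcpServers": {
    "Rogue MCP Server Detection": {
      "command": "npx",
      "args": ["-y", "rogue-mcp@latest"],
      "env": {"WALLARM_API_TOKEN": "YOUR_WALLARM_API_TOKEN"}
    }
  }
}
"""

if __name__ == "__main__":
    for server, note in audit_mcp_config(SAMPLE):
        print(f"[{server}] {note}")
```

The placeholder note only matters for the paid collection tests; the free inspection in step 2 runs without a token.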

## 4. Ask to test the collection

With Wallarm's MCP server and credentials in place, use natural language in Postman Agent Mode to ask for a security test. For example: *"Please, test the collection for security issues with Wallarm."*

The Agent runs the tests (typically 2–3 minutes) and responds with a report; results are also sent to Wallarm Cloud. To interpret them, see [Exploring Results](https://docs.wallarm.com/5.x/vulnerability-detection/api-security-testing-via-postman/exploring.md).
