# Setup <a href="https://docs.wallarm.com/about-wallarm/subscription-plans.md#rogue-mcp"><img src="../../../images/rogue-mcp-tag.svg" style="border: none;"></a>

This article describes how to enable and configure [API Security Testing via Postman](https://docs.wallarm.com/vulnerability-detection/api-security-testing-via-postman/overview.md).

## 1. Add Wallarm's MCP server

1. In Postman, open the AI Agent.
1. In the AI Agent panel, click **Configure** ("gear"), and select **Configure MCP servers**.
1. In the displayed **MCP Servers** tab, click **Add** ("plus") and do one of the following:

    * Select **Rogue MCP Server Detection** from the list of featured MCP servers.
    * Or click **Edit config** and save the following configuration:

        ```json
        {
            "mcpServers": {
                "Rogue MCP Server Detection": {
                    "command": "npx",
                    "args": [
                        "-y",
                        "rogue-mcp@latest"
                    ],
                    "env": {
                        "WALLARM_API_TOKEN": "YOUR_WALLARM_API_TOKEN"
                    }
                }
            }
        }
        ```

    !!! info "Free MCP scans available immediately"
        After adding the MCP server, you can immediately run [Rogue MCP Inspection](https://docs.wallarm.com/agentic-ai/rogue-mcp-inspection.md) scans on your installed MCP servers — no registration or API key required.

## 2. Subscribe and get API token

API Security Testing requires a paid [**Rogue MCP** subscription](https://docs.wallarm.com/about-wallarm/subscription-plans.md#rogue-mcp). To unlock it, obtain a `WALLARM_API_TOKEN` and add it to the MCP server configuration in Postman.

**New users:**

1. Register and subscribe at [roguemcp.wallarm.com](https://roguemcp.wallarm.com/).
1. Copy the provided API token and paste it as the `WALLARM_API_TOKEN` value in your MCP server configuration in Postman.

**Existing users:**

1. Contact [Wallarm Support](https://support.wallarm.com) to get the **Rogue MCP** [subscription](https://docs.wallarm.com/about-wallarm/subscription-plans.md#rogue-mcp).
1. Once the subscription is active, go to Wallarm Console → **Settings** → [**API Tokens**](https://docs.wallarm.com/user-guides/settings/api-tokens.md) and create a token of the **Rogue MCP** type.
1. Copy the token and paste it as the `WALLARM_API_TOKEN` value in your MCP server configuration in Postman.

!!! info "Credits"
    Credits are only consumed when running API Security Testing on Postman collections — [Rogue MCP Inspection](https://docs.wallarm.com/agentic-ai/rogue-mcp-inspection.md) scans are always free.

## 3. Ask to test the collection

With Wallarm's MCP server and credentials in place, use natural language in Postman Agent Mode to ask for a security test. For example: *"Please, test the collection for security issues with Wallarm."*

The Agent runs the tests (typically 2–3 minutes) and responds with a report; results are also sent to Wallarm Cloud. To interpret them, see [Exploring Results](https://docs.wallarm.com/vulnerability-detection/api-security-testing-via-postman/exploring.md).
