Serve an existing Streamlit app as an MCP server — agents drive it natively, no browser.
Project description
streamlit-mcp
Serve any Streamlit app as an MCP server. Agents introspect your app's widgets,
set values, click buttons, and read the rendered output and session_state — natively,
over MCP, with no browser automation.
📖 Documentation: https://dkedar7.github.io/streamlit-mcp/
pip install streamlit-mcp # or run with no install via: uvx streamlit-mcp ...
# serve an app over MCP (stdio for local clients)
streamlit-mcp serve app.py
# ...or HTTP/SSE on loopback for local networked agents
streamlit-mcp serve app.py --transport http --port 8000
# drive it yourself from the terminal (same engine the agent uses)
streamlit-mcp inspect app.py
streamlit-mcp call app.py --set "Name=agent" --click "Save" --read
Streamlit has no callback graph — it reruns the whole script per interaction — so
streamlit-mcp drives the app headlessly through Streamlit's own test runtime
(streamlit.testing.v1.AppTest) and returns the semantic element tree, not pixels.
Gradio and Dash already shipped native app-as-MCP; this fills the Streamlit gap.
Demo
A normal Streamlit app (what a human opens in a browser) and what an agent does with the same
app over MCP — inspect the widgets, call to set values / click / read the result. No browser:
| The app a human runs | What the agent sees over MCP |
A human can also watch the agent work live in their browser — no refresh, no browser automation —
by opting in with one with block (from streamlit_mcp.live import live). See the
live / human-in-the-loop guide.
Use it with an MCP client
Claude Desktop / Cursor — add to your MCP config (claude_desktop_config.json or
.cursor/mcp.json):
{
"mcpServers": {
"streamlit-mcp": {
"command": "uvx",
"args": ["streamlit-mcp", "serve", "/absolute/path/to/your/app.py"]
}
}
}
Claude Code:
claude mcp add streamlit-mcp -- uvx streamlit-mcp serve /absolute/path/to/your/app.py
uvx runs the published package with no prior install. stdio (the default) is the right
transport for local clients.
Tools exposed to agents
| Tool | What it does |
|---|---|
list_widgets / get_layout |
introspect widgets (kind, label, value, constraints) |
set_widget(identifier, value) |
set a widget and rerun |
click(identifier) |
click a button and rerun |
read_output() |
the rendered element tree, agent-readable |
get_state() |
the app's session_state |
Supported widgets (v1): text_input, number_input, text_area, slider, selectbox,
multiselect, checkbox, radio, button, date_input. Unsupported elements (file_uploader,
custom components, st.chat, fragments) are reported explicitly, never silently dropped.
Custom semantic tools
Beyond the per-widget tools, expose a higher-level named action by decorating a function with
@mcp_tool in your app file:
import streamlit as st
from streamlit_mcp import mcp_tool
@mcp_tool
def reset_all():
"""Reset everything to defaults."""
return {"ok": True}
st.text_input("Name")
streamlit-mcp serve app.py loads the app and exposes reset_all over MCP alongside the widget
tools. The decorated function is called directly (it isn't a widget), so keep it self-contained.
It's reachable from the CLI too (human ↔ agent parity): streamlit-mcp inspect app.py lists it and
streamlit-mcp call app.py --tool reset_all invokes it.
Human ↔ agent parity
Everything an agent can do over MCP, a human can do via the CLI — both call the same engine. The read-only mode and widget allow-list guardrails apply identically to both surfaces.
Security / trust model
app_pathis executed as trusted code in the server process (that's how AppTest runs it). Only serve apps you trust.get_state/read_outputexpose the app'ssession_stateto the caller — do not put secrets there.- HTTP/SSE bearer auth is enforced. Pass
--bearer-token <T>and every HTTP/SSE request must sendAuthorization: Bearer <T>— a missing or wrong token gets401before any tool runs. A non-loopback host is allowed only with a token set; without one,servebinds127.0.0.1only and refuses a non-loopback host (fail closed). stdio is local and unauthenticated.
Known limitations
- Sessions are not disposed. Per-client isolation works, but there is no session-close hook, so a long-running HTTP server accumulates one runtime per client. stdio and single-client use are unaffected.
- No concurrency locking. Concurrent requests sharing one session are not serialized, and
AppTestis not known to be re-entrant — use one in-flight request per session for now. - Output capture covers headings / markdown / caption / text;
st.write,st.error, and similar are a planned coverage expansion.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file streamlit_mcp-0.3.2.tar.gz.
File metadata
- Download URL: streamlit_mcp-0.3.2.tar.gz
- Upload date:
- Size: 434.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.25 {"installer":{"name":"uv","version":"0.11.25","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
006c47c4142d77ac7591237c27e7628d9d91fbcce1278bf4c8dee9133d8d8b6b
|
|
| MD5 |
3dde44ab61179fe9a5eb9883b7b08388
|
|
| BLAKE2b-256 |
4bf71944d841804a6295edd83dd863dca7be3987c3974d65c7dd03c26fd8d6df
|
File details
Details for the file streamlit_mcp-0.3.2-py3-none-any.whl.
File metadata
- Download URL: streamlit_mcp-0.3.2-py3-none-any.whl
- Upload date:
- Size: 25.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.25 {"installer":{"name":"uv","version":"0.11.25","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ee0196c16cff93f3c87fae43bd60f4bb8019ddeaeabf28005077fd74febcffb9
|
|
| MD5 |
0d2723af9fe811ed7ee535d129c0cdba
|
|
| BLAKE2b-256 |
b45026b3b2474634d122cfeb6c611e70c87fee33af00a8037ada32848fc2f9e2
|