Security-hardened MCP server for TickTick task management
Project description
TickTick MCP Server
A security-hardened Model Context Protocol (MCP) server for TickTick that enables managing your tasks directly through any MCP-compatible client.
Works With Any MCP Client
This server works with any MCP-compatible client:
- Claude Desktop
- Cursor
- Cline
- Continue
- Any MCP-compatible IDE or tool
Quick Start
1. Get TickTick API Credentials
- Go to TickTick Developer Center
- Create a new app with redirect URI:
http://localhost:8080/callback - Copy your Client ID and Client Secret
2. Authenticate (One-Time Setup)
Run this command and enter your credentials when prompted:
uvx ticktick-mcp-server auth
This opens your browser to authorize with TickTick. Your tokens are securely saved to ~/.config/ticktick-mcp/credentials.json.
3. Configure Your MCP Client
Add to your MCP client config:
{
"mcpServers": {
"ticktick": {
"command": "uvx",
"args": ["ticktick-mcp-server"],
"env": {
"TICKTICK_CLIENT_ID": "your-client-id-here",
"TICKTICK_CLIENT_SECRET": "your-client-secret-here"
}
}
}
}
Config file locations
| Client | macOS | Windows |
|---|---|---|
| Claude Desktop | ~/Library/Application Support/Claude/claude_desktop_config.json |
%APPDATA%\Claude\claude_desktop_config.json |
| Cursor | ~/.cursor/mcp.json |
%USERPROFILE%\.cursor\mcp.json |
4. Restart Your Client
That's it! Now you can:
- "Show me all my TickTick projects"
- "What tasks are due today?"
- "Create a task to buy groceries in my Shopping list"
Alternative Installation
Using pip
pip install ticktick-mcp-server
ticktick-mcp-server auth
Dida365 (滴答清单) Support
For the China version of TickTick, add these environment variables to your MCP config:
{
"mcpServers": {
"ticktick": {
"command": "uvx",
"args": ["ticktick-mcp-server"],
"env": {
"TICKTICK_CLIENT_ID": "your-client-id",
"TICKTICK_CLIENT_SECRET": "your-client-secret",
"TICKTICK_BASE_URL": "https://api.dida365.com/open/v1",
"TICKTICK_AUTH_URL": "https://dida365.com/oauth/authorize",
"TICKTICK_TOKEN_URL": "https://dida365.com/oauth/token"
}
}
}
}
Register your app at Dida365 Developer Center.
Available Tools
Projects
| Tool | Description |
|---|---|
get_projects |
List all projects |
get_project |
Get project details |
create_project |
Create a new project |
delete_project |
Delete a project |
Tasks
| Tool | Description |
|---|---|
get_task |
Get task details |
create_task |
Create a new task |
update_task |
Update a task |
complete_task |
Mark task complete |
delete_task |
Delete a task |
get_all_tasks |
Get all tasks |
search_tasks |
Search tasks |
Date Filters
| Tool | Description |
|---|---|
get_tasks_due_today |
Tasks due today |
get_tasks_due_tomorrow |
Tasks due tomorrow |
get_tasks_due_this_week |
Tasks due this week |
get_overdue_tasks |
Overdue tasks |
GTD Workflow
| Tool | Description |
|---|---|
get_engaged_tasks |
High priority + overdue |
get_next_tasks |
Medium priority + due tomorrow |
batch_create_tasks |
Create multiple tasks |
Example Prompts
"Show me all my TickTick projects"
"What tasks do I have due today?"
"Create a high priority task 'Finish report' in my Work project"
"Mark 'Buy groceries' as complete"
"Show me everything that's overdue"
"Break down 'Plan vacation' into 5 subtasks"
Credential Storage
Tokens are stored securely in:
- macOS/Linux:
~/.config/ticktick-mcp/credentials.json - Windows:
%APPDATA%/ticktick-mcp/credentials.json
To re-authenticate, run uvx ticktick-mcp-server auth again.
Why This Fork?
This is a security-hardened fork of jacepark12/ticktick-mcp with 9 vulnerabilities fixed:
| Severity | Issue | Status |
|---|---|---|
| Critical | CSRF in OAuth callback | Fixed |
| High | Insecure credential file permissions | Fixed |
| High | OAuth server binds to all interfaces | Fixed |
| High | No explicit TLS verification | Fixed |
| Medium | Sensitive data in error messages | Fixed |
| Medium | No rate limiting on OAuth | Fixed |
| Medium | Bare except catches signals | Fixed |
| Medium | Path traversal in IDs | Fixed |
| Medium | Race conditions in state | Fixed |
License
MIT License - see LICENSE file for details.
Credits
Fork of jacepark12/ticktick-mcp.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ticktick_mcp_server-0.3.0.tar.gz.
File metadata
- Download URL: ticktick_mcp_server-0.3.0.tar.gz
- Upload date:
- Size: 16.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.6.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
13107a14c697f78055beac746f6bed5bb7a5869a4fb31496cb8ec5b168f8daed
|
|
| MD5 |
b89fca5538af49981307e496e5f62f8f
|
|
| BLAKE2b-256 |
4d0818e2836fd3c40a2cc83dafc553cc67b7d05f96b36bc669feac813be5a0fe
|
File details
Details for the file ticktick_mcp_server-0.3.0-py3-none-any.whl.
File metadata
- Download URL: ticktick_mcp_server-0.3.0-py3-none-any.whl
- Upload date:
- Size: 19.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.6.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ce1b6ddb5f63cd76b42380b70ab11137f410efed65005b08026d7e781ee06232
|
|
| MD5 |
fecc750790d169056baad0fd158ebcbe
|
|
| BLAKE2b-256 |
d8cf2f20196ab2cf50d477184cde90715eaa2c7eaaa1b1e844d046bc03e0294b
|
