MCP Manifest

An MCP manifest is the machine-readable description of an MCP server that registries consume. By convention it's a server.json file, and it answers the questions a directory needs answered before it can list your server: what is it called, what does it do, where does the code live, what version is current, and how do users install or reach it.

It plays the same role package.json plays for npm or pyproject.toml plays for PyPI — except it describes an MCP server rather than a library, and it's read by MCP registries rather than package managers.

The core fields are a namespaced name (for example io.github.yourorg/your-server), a description, the repository URL, and a version. The most consequential section is packages: the list of ways the server can be obtained, each entry naming a registry type and identifier.

Supported distribution types span npm, PyPI, OCI (Docker images), NuGet, and MCPB bundles, plus remote entries that point at a hosted Streamable HTTP endpoint instead of an installable package. One server can declare several — an npm package for local use and a remote URL for hosted use, for instance.

When an author publishes to the official MCP registry, the manifest is the publication — the registry validates it, verifies namespace ownership, and serves the metadata through its API. Downstream indexes then pull from that API rather than scraping repos.

Loomal's index works this way: listing pages for registry-published servers are populated from manifest data automatically, so the name, description, and install packages you see on a listing trace back to what the author declared in server.json.

The manifest is most users' first contact with your server, rendered across every directory that indexes it. A vague description, a stale version, or a missing package entry propagates everywhere at once.

It also anchors ownership. The official registry verifies that you control the namespace you publish under (a GitHub org, a domain), and claim flows on marketplaces build on the same chain of evidence — on Loomal, verifying ownership of the linked GitHub repository is how an author claims a listing and gains control over how it's presented and priced.

Two different files share the "manifest" name. The server.json manifest describes a server to registries. An MCPB bundle carries its own internal manifest.json describing how a desktop client should unpack and run the bundled server locally. A server distributed as an MCPB will have both: the bundle's internal manifest, and a registry manifest whose packages section points at the .mcpb file.