# Filesystem > Read and write local files with configurable access controls. [Canonical HTML page](https://top-mcps.com/mcp/filesystem) · [server.json](https://top-mcps.com/mcp/filesystem.json) · [methodology](https://top-mcps.com/about/methodology) ## Install ### Claude Desktop — `claude_desktop_config.json` Paste under mcpServers. Fully quit and reopen Claude after editing. ```json { "mcpServers": { "filesystem": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/dir" ] } } } ``` ### Claude Code — `CLI or .mcp.json` Run from your repo. Commit .mcp.json to share with your team. ```shell claude mcp add filesystem -- npx -y @modelcontextprotocol/server-filesystem /path/to/allowed/dir ``` ### Cursor — `.cursor/mcp.json` Global path: ~/.cursor/mcp.json. Reload window after editing. ```json { "mcpServers": { "filesystem": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/dir" ] } } } ``` ### VS Code — `.vscode/mcp.json` VS Code uses the "servers" key (not "mcpServers"). ```jsonc { "servers": { "filesystem": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/dir" ] } } } ``` ### Windsurf — `~/.codeium/windsurf/mcp_config.json` Open via Cascade → hammer icon → Configure. ```json { "mcpServers": { "filesystem": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/dir" ] } } } ``` ### Cline — `cline_mcp_settings.json` Open via the Cline sidebar → MCP Servers → Edit. ```json { "mcpServers": { "filesystem": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/dir" ] } } } ``` ### Continue — `~/.continue/config.json` Continue uses modelContextProtocolServers with a transport block. ```json { "experimental": { "modelContextProtocolServers": [ { "transport": { "type": "stdio", "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/dir" ] } } ] } } ``` ### Codex CLI — `~/.codex/config.toml` Codex uses TOML. Each server is a [mcp_servers.] subtable. ```shell # ~/.codex/config.toml [mcp_servers.filesystem] command = "npx" args = [ "-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/dir", ] ``` ### Zed — `~/.config/zed/settings.json` Zed calls them "context_servers". Settings live-reload on save. ```jsonc { "context_servers": { "filesystem": { "command": { "path": "npx", "args": [ "-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/dir" ] } } } } ``` ### ChatGPT — `ChatGPT → Apps directory` Filesystem doesn't ship a hosted HTTPS endpoint today. ChatGPT supports remote MCP servers only — to use this server in ChatGPT you'll need to deploy it to a public HTTPS URL first (e.g. via Cloudflare Workers or Vercel) or wait for an official remote build. ```none ``` ## At a glance - **Maintainer:** Anthropic (modelcontextprotocol) - **Transport:** stdio - **Auth model:** None - **Required secrets:** None - **Supported clients:** Claude, Cursor, VS Code, Zed, Any MCP-compatible client - **License:** MIT - **Language:** TypeScript - **Latest version:** latest - **Last verified:** 2026-04-19 - **GitHub stars:** 84,102 (fetched 2026-04-30T10:58:23.347Z) - **Score:** 100/100 (rubric 2026-04 — see https://top-mcps.com/about/methodology) - **Source:** https://github.com/modelcontextprotocol/servers/tree/main/src/filesystem ## Tools & permissions | Tool | Description | Args | Side effects | |------|-------------|------|--------------| | `read_file` | Read the full contents of a file within an allowed directory. | `path: string` | read | | `read_multiple_files` | Read several files in one call. | `paths: string[]` | read | | `write_file` | Create or overwrite a file. | `path: string, content: string` | write | | `edit_file` | Apply a search-and-replace edit to an existing file. | `path: string, edits: object[]` | write | | `create_directory` | Create a new directory (and parents) within an allowed root. | `path: string` | write | | `list_directory` | List the entries of a directory. | `path: string` | read | | `directory_tree` | Return a recursive tree of a directory. | `path: string` | read | | `move_file` | Move or rename a file. | `source: string, destination: string` | write | | `search_files` | Recursively search for files by pattern. | `path: string, pattern: string` | read | | `get_file_info` | Return size, timestamps, and type for a file. | `path: string` | read | | `list_allowed_directories` | Return the directory roots the server was started with. | `—` | read | ## Security & scope - **Access scope:** read-write - **Sandbox:** Runs as a child process over stdio. Access is restricted to the directory roots passed on the command line; path traversal via `..` or symlinks outside those roots is rejected at the path-normalization layer before any filesystem call is made. - **Gotchas:** - Without at least one allowed-directory argument, the server refuses to start — there is no implicit current-working-directory default. - Read and write are bundled; for read-only access you must mount the directory read-only at the OS level or run the server in a sandbox. ## Quick answer **What it does.** Provides read/write access to local files and directories within configurable path boundaries. Supports listing, reading, writing, and moving files. **Best for:** - Reading and editing local code - Generating files from AI output - Navigating project structures - Config file management **Not for:** - Remote file systems - Cloud storage access - High-security environments ## Recipes ### Prove the install works by grouping TODOs in your repo ``` List every TODO comment under ~/code/project-a (recursively) and group them by file, showing the matching line for each. ``` _Tested with: Claude Desktop, Cursor, VS Code_ ## Description The official Anthropic Filesystem MCP gives AI models secure, sandboxed access to your local filesystem. Define allowed directories, then let the model read, write, create, and delete files within those bounds. It is the default choice for any workflow that needs the AI to interact with local code, configs, or data. ## Why it matters Most AI workflows involve reading or modifying files. This MCP is the standard way to give models that access without exposing the full system. ## Key features - Configurable allowed directories - Read/write/create/delete operations - Directory listing - Path traversal protection - Official Anthropic support ## FAQ ### Is the Filesystem MCP safe to use? Yes. The allowed directories you pass on the command line are the only paths the server will read or write. Requests that try to traverse outside those roots (including via symlinks or `..` segments) are rejected at the path-normalization layer before any filesystem call is made. ### Can it write files, or is it read-only? Read and write are bundled together — once a directory is allowed, the server can create, overwrite, move, and delete files inside it. If you need read-only, either mount the directory read-only at the OS level or run the server inside a sandbox (e.g. macOS App Sandbox, Linux bind-mount). ### Does it work with Cursor and VS Code as well as Claude Desktop? Yes. Every MCP-compatible client (Claude Desktop, Cursor, VS Code, Windsurf, Cline, Continue, Zed) speaks the same stdio protocol. The install snippets on this page cover each of them. ### What happens if I do not pass an allowed directory? The server refuses to start. Unlike some shell tools it has no "current working directory" default — an explicit allow-list is required, which is the key safety property that makes it suitable to run as an agent tool. ### How do I give the agent access to multiple project folders? Pass each path as a positional argument after the package name. For example: `npx -y @modelcontextprotocol/server-filesystem ~/code/project-a ~/code/project-b`. The server treats each as an independent allowed root. ### Can two MCP clients share a single Filesystem server? No — each client launches its own process over stdio and does not multiplex connections. If Claude Desktop and Cursor are both running, each has its own Filesystem process. Performance is not affected since each is I/O-bound on its own agent. ## Changelog - **2026-04-19** — Refreshed install snippets and fact sheet; verified for 2026. - **2024-11-25** — Initial directory listing.