mcp-guard-1.0.0 is not a library.
The Problem
Model Context Protocol (MCP) servers are powerful. Most are deployed with zero authentication.
If your AI agent can access it, so can anyone else.
The Solution
mcp-guard is a security gateway that wraps any MCP server with production-grade protection.
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Client │─────▶│ mcp-guard │─────▶│ MCP Server │
│ (Claude) │ │ Gateway │ │ (yours) │
└─────────────┘ └─────────────┘ └─────────────┘
│
Authentication
Authorization
Rate Limiting
Audit Logging
Quick Start
Three commands. That's it.
# 1. Install
|
# 2. Configure
# 3. Run
Test that it works:
# From crates.io (requires Rust)
# Homebrew (macOS/Linux)
# Download binary directly
|
Features
Authentication
| Method | Free | Pro | Enterprise |
|---|---|---|---|
| API Keys | ✓ | ✓ | ✓ |
| JWT (HS256) | ✓ | ✓ | ✓ |
| JWT (JWKS/RS256/ES256) | ✓ | ✓ | |
| OAuth 2.1 + PKCE | ✓ | ✓ | |
| mTLS Client Certificates | ✓ |
Transport
| Type | Free | Pro | Enterprise |
|---|---|---|---|
| Stdio | ✓ | ✓ | ✓ |
| HTTP | ✓ | ✓ | |
| SSE | ✓ | ✓ | |
| Multi-Server Routing | ✓ |
Security & Observability
| Feature | Free | Pro | Enterprise |
|---|---|---|---|
| Per-Tool Authorization | ✓ | ✓ | ✓ |
| Tools Filtering | ✓ | ✓ | ✓ |
| Global Rate Limiting | ✓ | ✓ | ✓ |
| Per-Identity Rate Limiting | ✓ | ✓ | |
| Prometheus Metrics | ✓ | ✓ | ✓ |
| Health Endpoints | ✓ | ✓ | ✓ |
| Audit Logs (file/console) | ✓ | ✓ | ✓ |
| OpenTelemetry Tracing | ✓ | ||
| SIEM Log Shipping | ✓ |
Configuration
mcp-guard init generates a config file with sensible defaults:
# mcp-guard.toml
[]
= "0.0.0.0:3000"
[]
= "stdio"
= "npx"
= ["-y", "@modelcontextprotocol/server-filesystem", "./"]
[]
= 10
= 20
[[]]
= "sha256:..."
= "developer-1"
= ["read_file", "list_directory"]
[]
= "simple"
= "your-secret-key"
= "https://your-issuer.com"
= "mcp-guard"
[]
= ["read_file", "list_directory"]
= ["write_file", "create_directory"]
= ["*"]
[]
= "github" # or "google", "okta", "custom"
= "your-client-id"
= "your-client-secret"
[]
= ["read_file", "write_file"]
= ["*"]
[[]]
= "filesystem"
= "/fs"
= "stdio"
= "npx"
= ["-y", "@modelcontextprotocol/server-filesystem", "./"]
[[]]
= "database"
= "/db"
= "http"
= "http://localhost:8080"
Performance
| Metric | Target | Actual |
|---|---|---|
| Latency overhead | <2ms p99 | <1ms |
| Binary size | <15MB | <10MB |
| Memory usage | <50MB | ~30MB |
| Throughput | >5,000 RPS | >10,000 RPS |
Your agents stay fast. Your infrastructure stays simple.
Pricing
| Tier | Price | Best For |
|---|---|---|
| Free | $0 | Open source, side projects |
| Pro | $12/mo | Small teams, production apps |
| Enterprise | $29 + $8/seat | Compliance, multi-server |
Founder pricing: 40% off forever for early adopters. Lock in your discount →
CLI Reference
mcp-guard <command>
Commands:
init Generate config file with demo API key
validate Check config file for errors
keygen Generate a new API key
run Start the gateway
check-upstream Test upstream server connectivity
version Show version and build info
Options:
-c, --config Config file path (default: mcp-guard.toml)
-h, --help Show help
Documentation
| Topic | Guide |
|---|---|
| Getting Started | Quick Start |
| Authentication | Auth Guide |
| Transports | Stdio/HTTP/SSE |
| Rate Limiting | Rate Limits |
| Observability | Metrics & Tracing |
| Deployment | Production Guide |
| API Reference | HTTP API |
Security
Security vulnerabilities should be reported via security@mcp.guard.
See SECURITY.md for our security policy.
Contributing
We welcome contributions. See CONTRIBUTING.md for guidelines.
# Clone and build
# Run tests
# Run lints
License
AGPL-3.0. See LICENSE.
Commercial licenses available for Pro and Enterprise tiers.