AI agents like Claude, Cursor, and Copilot connect to your tools via MCP — but there's no built-in security. We add authentication, access control, and audit logging without touching your server code.
One proxy. Full zero-trust security. No server code changes.
Require login before anyone can use your tools. Works with GitHub, Google, Okta, or any identity provider — using the latest OAuth 2.1 standard.
Decide who can do what. Give one team full access, restrict another to read-only, block specific tools entirely — all configured in a simple YAML file.
Every user gets their own walled-off session. One client's data never leaks to another — even if they're using the same server.
Every request is recorded — who made it, what they asked for, whether it was allowed. Exportable logs for security reviews and compliance.
Docker pull, set your MCP target and auth provider, done. Single container, single config file. No Kubernetes required.
Prevent any single user or agent from overwhelming your server. Set request limits per client and enforce them automatically.
See how it compares to existing options.
| Feature | nginx reverse proxy |
mcp-remote (OAuth) |
Kong Gateway |
MCP Auth Proxy (OSS) |
MCP Zero- Trust Proxy |
|---|---|---|---|---|---|
| Drop-in (no code changes) | ✓ | ✗ | ✗ | ✓ | ✓ |
| OAuth 2.1 PKCE | ✗ | ✓ | ✓ | ✓ | ✓ |
| Tool-level RBAC | ✗ | ✗ | ~ | ✗ | ✓ |
| Per-client sessions | ✗ | ✗ | ✗ | ✗ | ✓ |
| Audit logging | ✗ | ✗ | ✓ | ✗ | ✓ |
| No known CVEs | ✓ | 9.6 RCE | ✓ | ✓ | ✓ |
| Setup time | 30 min | 15 min | Days | 10 min | < 10 min |
| Pricing | Free | Free | $$$ | Free | Free / MIT |
Choose nginx if you just need basic auth and already have it configured — it works fine for simple cases. Choose Kong if you're already running a Kong gateway in your infrastructure. The proxy adds value when you need tool-level RBAC, audit logging, or session isolation that generic proxies don't provide for MCP.
MIT licensed. No tiers, no license keys, no limits. Run it however you want.
That would be great. Native auth solves authentication. The proxy continues to add value for what comes next: authorization (who can call which tools), audit logging, rate limiting, and per-client sessions. The MCP spec has no plans to standardize these — and for regulated environments, they are not optional.
No. The proxy runs entirely on your own infrastructure. Your MCP traffic, tokens, and audit logs never leave your servers. The only external dependency is your OAuth provider (GitHub, Google, etc.) for the authentication flow — which your users already trust.
Get notified about new releases and security advisories.
No spam. Updates only.