PERMISSION/PROTOCOL

MCP Guard · Open source

Every MCP tool call, cleared or signed.

MCP Guard is an open-source proxy between your MCP client and its servers. Routine calls pass in milliseconds. Consequential calls hold for a named human. Every decision mints a tamper-evident receipt.

Install

MCP tool call

deploy_service · held for approval

tool: deploy_service

image: "myapp:v2.1.0"

env: "production"

Consequential call. Held until a named human signs.

Receipt on approval

authorizedBy: [email protected]

id: rcpt_mcp_7f3a9b2c

signature: ed25519:a9f3c2...

Routine readspass through

Zero-risk on-ramp

Observe first, enforce when ready.

You cannot govern what you cannot see. Day one is visibility. In observe mode, MCP Guard audits every tool call and mints a receipt for each one without blocking anything. Your agents keep working while you learn which tools fire, how often, and with what arguments. When the picture is clear, tighten policy tool by tool: keep reads flowing, hold the consequential calls for a named signer.

Audits every tool call

Every invocation that flows through the proxy is recorded: the tool, the arguments, the outcome.

Receipts without blocking

Each call mints a receipt while passing straight through. You get the record with zero approval friction.

No behavior change

Your agents keep working exactly as before. Observe mode adds visibility, not gates.

In the path, not in the agent

How the intercept works.

Enforcement happens on the MCP transport itself, so the agent and the servers run unchanged. No client rewrite, no server fork.

01

MCP client issues a tool call

Your agent calls a tool exactly as it does today. MCP Guard sits in the client's server path, so the call flows through it on the way to the server.

02

MCP Guard evaluates it against your policy

The exact tool name and arguments are checked against your rules: pass through, auto-approve with a receipt, or require approval.

03

Allowed calls pass, held calls open an approval

Routine calls pass through untouched. A consequential call is held while an approval request goes to your configured channel with a link to approve or deny.

04

The decision mints a signed receipt

Approved, denied, or auto-cleared, every decision is recorded as a signed receipt bound to that exact invocation.

AI Agent
Permission Protocol
Receipt
Authorized Action
$ npm install @permission-protocol/mcp-guard✓ Added @permission-protocol/mcp-guard

The approval moment

A named human sees the exact call.

A held call is not a vague notification. The signer sees the exact tool, the exact arguments, and the exact target, then approves or denies. The receipt records the signer, the action, the policy, and the timestamp, scoped to that one invocation, not the tool class.

You are not proving that someone once approved deploys in general. You are proving who approved this deploy, of this image, to this environment, at this moment. If the signer denies, the call never executes and the agent must re-plan. If no one responds before the receipt expiry, the request times out.

See a real signed receipt

Approval request

Agent wants to deploy myapp:v2.1.0 to production. Approve?

tool: deploy_service

image: "myapp:v2.1.0"

env: "production"

ApproveDeny

On approval, the receipt is signed and the call is released to the server with the receipt attached.

At the protocol layer

Works with your stack.

MCP Guard enforces on the MCP transport, so anything that speaks the protocol can sit behind it.

Claude Code

Route Claude Code's MCP tool calls through the proxy. The client runs unchanged.

Codex

Codex sessions get the same per-call policy check and receipt trail, with no client rewrite.

MCP servers you control

Wrap your own server with withMcpGuard and gate only the tools that need it.

Third-party MCP servers

Run the proxy in front of servers you cannot modify. Calls matching your policy fire the gate before forwarding.

MCP Guard for teams

From one laptop to the whole team.

MCP Guard starts as one developer's proxy. The Team plan turns it into shared infrastructure: one policy for every seat, one vault for every receipt, and a clear signal when anything drifts.

Talk to us about Team

Shared policy plane

One policy for every seat, instead of a config file per laptop.

Central receipt vault

Every receipt from every developer lands in one place your auditors can query.

Drift visibility

See when a machine's policy drifts from the shared one, or when its receipts stop arriving.

FAQ

Common questions.

What is MCP Guard?

MCP Guard is an open-source proxy that sits between your MCP client and its servers. It checks every tool call against your policy, passes routine calls through, holds consequential calls for a named human signer, and mints a signed receipt for every decision.

Does observe mode change my agent's behavior?

No. In observe mode MCP Guard audits every tool call and mints receipts without blocking anything. Calls pass through exactly as before. You gain the record, not the friction.

Can an agent bypass MCP Guard?

MCP Guard must be in the client's server path to see calls. If it is removed from that path, tool calls stop producing receipts, and the absence of receipts is itself visible to the team. A gap in the receipt trail is a signal, not a silent failure.

Is MCP Guard open source?

Yes. The source lives at github.com/permission-protocol/mcp-guard. Read it, run it in observe mode on one laptop, and tighten policy when you are ready. View the repository

In the path before the next tool call

Put a proxy in the path. Start with visibility.

One install, observe mode on, and every tool call starts leaving a receipt.

View on GitHub