Audits every tool call
Every invocation that flows through the proxy is recorded: the tool, the arguments, the outcome.
MCP Guard · Open source
MCP Guard is an open-source proxy between your MCP client and its servers. Routine calls pass in milliseconds. Consequential calls hold for a named human. Every decision mints a tamper-evident receipt.
Install
MCP tool call
deploy_service · held for approval
tool: deploy_service
image: "myapp:v2.1.0"
env: "production"
Consequential call. Held until a named human signs.
Zero-risk on-ramp
You cannot govern what you cannot see. Day one is visibility. In observe mode, MCP Guard audits every tool call and mints a receipt for each one without blocking anything. Your agents keep working while you learn which tools fire, how often, and with what arguments. When the picture is clear, tighten policy tool by tool: keep reads flowing, hold the consequential calls for a named signer.
Every invocation that flows through the proxy is recorded: the tool, the arguments, the outcome.
Each call mints a receipt while passing straight through. You get the record with zero approval friction.
Your agents keep working exactly as before. Observe mode adds visibility, not gates.
In the path, not in the agent
Enforcement happens on the MCP transport itself, so the agent and the servers run unchanged. No client rewrite, no server fork.
01
Your agent calls a tool exactly as it does today. MCP Guard sits in the client's server path, so the call flows through it on the way to the server.
02
The exact tool name and arguments are checked against your rules: pass through, auto-approve with a receipt, or require approval.
03
Routine calls pass through untouched. A consequential call is held while an approval request goes to your configured channel with a link to approve or deny.
04
Approved, denied, or auto-cleared, every decision is recorded as a signed receipt bound to that exact invocation.
$ npm install @permission-protocol/mcp-guard✓ Added @permission-protocol/mcp-guardThe approval moment
A held call is not a vague notification. The signer sees the exact tool, the exact arguments, and the exact target, then approves or denies. The receipt records the signer, the action, the policy, and the timestamp, scoped to that one invocation, not the tool class.
You are not proving that someone once approved deploys in general. You are proving who approved this deploy, of this image, to this environment, at this moment. If the signer denies, the call never executes and the agent must re-plan. If no one responds before the receipt expiry, the request times out.
See a real signed receiptApproval request
Agent wants to deploy myapp:v2.1.0 to production. Approve?
tool: deploy_service
image: "myapp:v2.1.0"
env: "production"
On approval, the receipt is signed and the call is released to the server with the receipt attached.
At the protocol layer
MCP Guard enforces on the MCP transport, so anything that speaks the protocol can sit behind it.
Route Claude Code's MCP tool calls through the proxy. The client runs unchanged.
Codex sessions get the same per-call policy check and receipt trail, with no client rewrite.
Wrap your own server with withMcpGuard and gate only the tools that need it.
Run the proxy in front of servers you cannot modify. Calls matching your policy fire the gate before forwarding.
MCP Guard for teams
MCP Guard starts as one developer's proxy. The Team plan turns it into shared infrastructure: one policy for every seat, one vault for every receipt, and a clear signal when anything drifts.
Talk to us about TeamOne policy for every seat, instead of a config file per laptop.
Every receipt from every developer lands in one place your auditors can query.
See when a machine's policy drifts from the shared one, or when its receipts stop arriving.
FAQ
MCP Guard is an open-source proxy that sits between your MCP client and its servers. It checks every tool call against your policy, passes routine calls through, holds consequential calls for a named human signer, and mints a signed receipt for every decision.
No. In observe mode MCP Guard audits every tool call and mints receipts without blocking anything. Calls pass through exactly as before. You gain the record, not the friction.
MCP Guard must be in the client's server path to see calls. If it is removed from that path, tool calls stop producing receipts, and the absence of receipts is itself visible to the team. A gap in the receipt trail is a signal, not a silent failure.
Yes. The source lives at github.com/permission-protocol/mcp-guard. Read it, run it in observe mode on one laptop, and tighten policy when you are ready. View the repository
In the path before the next tool call
One install, observe mode on, and every tool call starts leaving a receipt.