{"slug": "put-a-security-gateway-in-front-of-any-mcp-server-in-5-minutes", "title": "\"Put a security gateway in front of any MCP server in 5 minutes\"", "summary": "A developer has released mcp-guard, an open-source security gateway that sits between AI agents and MCP servers to enforce authentication, rate limiting, audit logging, and spending controls. The tool, installable via pip, can wrap any MCP server in 30 seconds and includes features like approval queues for expensive tool calls and CI/CD scanning via a GitHub Action.", "body_md": "If you're shipping an AI agent, you've probably wired it up to one or more MCP servers — for filesystem, GitHub, web search, payments. But here's the uncomfortable truth: most MCP setups today have **zero auth, no rate limit, no audit log, and no spending control**.\n\nAnyone who can hit your MCP URL can drain your wallet, exfiltrate your files, or run up a bill on a paid API. There's no firewall. There's no `if amount > $5, ask me first`. There's nothing.\n\nI just shipped **mcp-guard**, a tiny open-source gateway that sits between your agent and any MCP server. It's one `pip install` and one config file away from being useful.\n\n```\npip install bonanza-mcp-guard\nmcp-guard scan     # check your existing config for holes\nmcp-guard serve    # wrap any MCP server in 30 seconds\n```\n\nHere's what it does, why I built it, and how to wire it into your stack today.\n\nWhen I started shipping agents that talk to paid APIs (Stripe, OpenAI, Anthropic, Twilio, weather APIs), I wanted **five things** that MCP didn't give me out of the box:\n\n- `wallet_pay` to the value of $50 should require my approval. Always.\n\nMCP itself is great. It's a clean protocol. It doesn't try to be a security layer — and that's the right call for a protocol spec. But somebody has to build the security layer.\n\nSo I did.\n\nmcp-guard is a **transparent proxy**. 
You put it in front of any MCP server (stdio or HTTP) and it enforces:\n\n- `30 req/min`, configurable per-agent or globally\n- `require_approval_above: 5.0` → tool calls ≥ $5 get held in the approval queue\n- `-32004 approval_pending` with an `approval_id`. Human runs `mcp-guard approvals approve <id>`. Done.\n- `deny: [\"filesystem.delete\", \"wallet_pay\"]` per server\n- `GET /metrics` on the HTTP gateway, drop-in for Grafana\n- `docker run mcp-guard serve --config /etc/mcp-guard.yaml`\n- `wallet_pay` → bonanza, `read_file` → filesystem, default → search.\n\nThe whole thing has **zero required dependencies** (pyyaml only if you want YAML configs) and is **~2,900 lines of Python**. You can read the whole codebase in an afternoon.\n\n```\npip install \"bonanza-mcp-guard[yaml]\"\nmcp-guard scan\n```\n\nThis walks your Claude Desktop config (`~/Library/Application Support/Claude/`), Cursor config (`~/.cursor/mcp.json`), and any local `mcp.json` files. It flags:\n\nIt doesn't fix anything — just shows you the holes.\n\nCreate a config file:\n\n```\n# mcp-guard.yaml\nauth:\n  mode: api_key\n  keys:\n    - ${AGENT_API_KEY}\n\nrate_limit:\n  requests_per_minute: 30\n\npolicies:\n  spend_cap_usd: 100.0\n  require_approval_above: 5.0\n  deny:\n    - filesystem.delete_file\n    - wallet_pay.bulk_transfer\n  audit_log: ./audit.jsonl\n\nservers:\n  filesystem:\n    command: npx\n    args: [\"-y\", \"@modelcontextprotocol/server-filesystem\", \"/data\"]\n```\n\nRun it:\n\n```\nexport AGENT_API_KEY=$(openssl rand -hex 32)\nmcp-guard serve --config mcp-guard.yaml\n```\n\nYour agent now hits `mcp-guard` instead of the bare MCP server. 
Everything works the same — but every call is now authenticated, rate-limited, audited, and (if it's expensive) held for approval.\n\nWhen the agent calls `wallet_pay` with `$amount: 10`, it gets back:\n\n```\n{\n  \"jsonrpc\": \"2.0\",\n  \"id\": 42,\n  \"error\": {\n    \"code\": -32004,\n    \"message\": \"Tool call held for approval\",\n    \"data\": {\n      \"approval_id\": \"appr_7f3a9c\",\n      \"tool\": \"wallet_pay\",\n      \"amount_usd\": 10.0,\n      \"expires_at\": 1719336000\n    }\n  }\n}\n```\n\nYou see this in your audit log, your Slack, your phone. You run:\n\n```\nmcp-guard approvals list\nmcp-guard approvals approve appr_7f3a9c\n```\n\nThe agent retries, the call goes through, the audit log records your decision.\n\nState is **persistent** (SQLite), so approvals survive restarts. And `require_approval_above` is **per-tool, per-amount** — `$4.99` goes through, `$5.01` waits.\n\nmcp-guard ships with a **GitHub Action** that scans your MCP configs on every PR:\n\n```\n# .github/workflows/mcp-scan.yml\nname: mcp-scan\non: [pull_request]\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: c6zks4gssn-droid/mcp-guard/.github/workflows/mcp-scan.yml@main\n```\n\nI tested it on mcp-guard itself with a `.mcp.json` fixture — it posted a live comment on the PR with 6 warnings, then merged clean. See the [test PR](https://github.com/c6zks4gssn-droid/mcp-guard/pull/1) for the actual output.\n\nA few things that surprised me:\n\n**1. The approval queue is the killer feature.** I expected auth and rate limiting to be the headlines. Nope — the moment I shipped the approval queue, every single person who tested it said \"oh, this is what I needed.\" When an agent wants to spend money, you want a human in the loop. That turns out to be the entire pitch.\n\n**2. 
JSON-RPC error codes are your API surface.** `-32004 approval_pending` is now a stable contract that tools and dashboards can build against. Pick your extension codes carefully — they're forever.\n\n**3. PKCE without a JWT library is easier than I thought.** mcp-guard's OAuth2 provider does HMAC-SHA256 signed access tokens with PKCE S256. Zero JWT deps, ~150 lines of code, RFC-compliant.\n\n**4. Docker is the secret weapon for stdio MCP.** The HTTP transport (`mcp-guard serve-http`) is great, but the killer app is wrapping a stdio server in Docker, exposing it as HTTP, and putting a real auth layer in front. Suddenly every MCP server in the world is reachable from a browser tab.\n\nI want to be upfront about what's missing:\n\nIf any of those block you, open an issue. I ship fast when someone files a real bug.\n\n`pip install bonanza-mcp-guard`\n\n`docker pull ghcr.io/c6zks4gssn-droid/mcp-guard:v0.1.4`\n\nIf you're shipping agents that talk to MCP servers, give it 5 minutes. Scan your config, wrap one server, send one expensive tool call through it. If it doesn't immediately make sense why you need this, I'm happy to refund your time.\n\n**About me:** I run [Bonanza Labs](https://bonanza-labs.com) — we ship security and tooling for the agent economy. mcp-guard is one of a dozen open-source packages we maintain. 
Follow me on X ([@myopenclaw](https://x.com/myopenclaw)) if you want to see what we're working on next.", "url": "https://wpnews.pro/news/put-a-security-gateway-in-front-of-any-mcp-server-in-5-minutes", "canonical_source": "https://dev.to/c6zks4gssndroid/put-a-security-gateway-in-front-of-any-mcp-server-in-5-minutes-5ag0", "published_at": "2026-06-25 17:45:04+00:00", "updated_at": "2026-06-25 18:13:40.934620+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "developer-tools", "ai-infrastructure"], "entities": ["mcp-guard", "MCP", "Claude Desktop", "Cursor", "GitHub", "Stripe", "OpenAI", "Anthropic"], "alternates": {"html": "https://wpnews.pro/news/put-a-security-gateway-in-front-of-any-mcp-server-in-5-minutes", "markdown": "https://wpnews.pro/news/put-a-security-gateway-in-front-of-any-mcp-server-in-5-minutes.md", "text": "https://wpnews.pro/news/put-a-security-gateway-in-front-of-any-mcp-server-in-5-minutes.txt", "jsonld": "https://wpnews.pro/news/put-a-security-gateway-in-front-of-any-mcp-server-in-5-minutes.jsonld"}}