mcp-guard-core
| Crates.io | mcp-guard-core |
| lib.rs | mcp-guard-core |
| version | 1.0.0 |
| created_at | 2026-01-04 19:39:20.391506+00 |
| updated_at | 2026-01-04 19:39:20.391506+00 |
| description | Core library for mcp-guard - A lightweight, high-performance security gateway for MCP servers |
| homepage | https://github.com/botzrdev/mcp-guard |
| repository | https://github.com/botzrdev/mcp-guard |
| max_upload_size | |
| id | 2022357 |
| size | 758,429 |
Phillip Austin Green (botzrDev)
documentation
https://docs.rs/mcp-guard-core
README
mcp-guard
MCP security without the infrastructure tax.
One binary. One config file. Production-ready in 5 minutes.
The Problem
Model Context Protocol (MCP) servers are powerful. Most are deployed with zero authentication.
If your AI agent can access it, so can anyone else.
The Solution
mcp-guard is a security gateway that wraps any MCP server with production-grade protection.
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Client │─────▶│ mcp-guard │─────▶│ MCP Server │
│ (Claude) │ │ Gateway │ │ (yours) │
└─────────────┘ └─────────────┘ └─────────────┘
│
Authentication
Authorization
Rate Limiting
Audit Logging
Quick Start
Three commands. That's it.
# 1. Install
curl -fsSL https://mcp.guard/install.sh | sh
# 2. Configure
mcp-guard init
# 3. Run
mcp-guard run
Test that it works:
curl -H "Authorization: Bearer mcp_YOUR_KEY" http://localhost:3000/health
Alternative installation methods
# From crates.io (requires Rust)
cargo install mcp-guard
# Homebrew (macOS/Linux)
brew install mcp-guard/tap/mcp-guard
# Download binary directly
curl -fsSL https://github.com/mcp-guard/mcp-guard/releases/latest/download/mcp-guard-$(uname -s)-$(uname -m).tar.gz | tar -xz
Features
Authentication
| Method | Free | Pro | Enterprise |
|---|---|---|---|
| API Keys | ✓ | ✓ | ✓ |
| JWT (HS256) | ✓ | ✓ | ✓ |
| JWT (JWKS/RS256/ES256) | ✓ | ✓ | |
| OAuth 2.1 + PKCE | ✓ | ✓ | |
| mTLS Client Certificates | ✓ |
Transport
| Type | Free | Pro | Enterprise |
|---|---|---|---|
| Stdio | ✓ | ✓ | ✓ |
| HTTP | ✓ | ✓ | |
| SSE | ✓ | ✓ | |
| Multi-Server Routing | ✓ |
Security & Observability
| Feature | Free | Pro | Enterprise |
|---|---|---|---|
| Per-Tool Authorization | ✓ | ✓ | ✓ |
| Tools Filtering | ✓ | ✓ | ✓ |
| Global Rate Limiting | ✓ | ✓ | ✓ |
| Per-Identity Rate Limiting | ✓ | ✓ | |
| Prometheus Metrics | ✓ | ✓ | ✓ |
| Health Endpoints | ✓ | ✓ | ✓ |
| Audit Logs (file/console) | ✓ | ✓ | ✓ |
| OpenTelemetry Tracing | ✓ | ||
| SIEM Log Shipping | ✓ |
Configuration
mcp-guard init generates a config file with sensible defaults:
# mcp-guard.toml
[server]
listen = "0.0.0.0:3000"
[upstream]
transport = "stdio"
command = "npx"
args = ["-y", "@modelcontextprotocol/server-filesystem", "./"]
[rate_limit]
requests_per_second = 10
burst_size = 20
[[auth.api_keys]]
key_hash = "sha256:..."
user_id = "developer-1"
allowed_tools = ["read_file", "list_directory"]
JWT configuration
[auth.jwt]
mode = "simple"
secret = "your-secret-key"
issuer = "https://your-issuer.com"
audience = "mcp-guard"
[auth.jwt.scope_mapping]
"read" = ["read_file", "list_directory"]
"write" = ["write_file", "create_directory"]
"admin" = ["*"]
OAuth 2.1 configuration
[auth.oauth]
provider = "github" # or "google", "okta", "custom"
client_id = "your-client-id"
client_secret = "your-client-secret"
[auth.oauth.scope_mapping]
"repo" = ["read_file", "write_file"]
"admin:org" = ["*"]
Multi-server routing (Enterprise)
[[servers]]
name = "filesystem"
path_prefix = "/fs"
transport = "stdio"
command = "npx"
args = ["-y", "@modelcontextprotocol/server-filesystem", "./"]
[[servers]]
name = "database"
path_prefix = "/db"
transport = "http"
url = "http://localhost:8080"
Performance
| Metric | Target | Actual |
|---|---|---|
| Latency overhead | <2ms p99 | <1ms |
| Binary size | <15MB | <10MB |
| Memory usage | <50MB | ~30MB |
| Throughput | >5,000 RPS | >10,000 RPS |
Your agents stay fast. Your infrastructure stays simple.
Pricing
| Tier | Price | Best For |
|---|---|---|
| Free | $0 | Open source, side projects |
| Pro | $12/mo | Small teams, production apps |
| Enterprise | $29 + $8/seat | Compliance, multi-server |
Founder pricing: 40% off forever for early adopters. Lock in your discount →
CLI Reference
mcp-guard <command>
Commands:
init Generate config file with demo API key
validate Check config file for errors
keygen Generate a new API key
run Start the gateway
check-upstream Test upstream server connectivity
version Show version and build info
Options:
-c, --config Config file path (default: mcp-guard.toml)
-h, --help Show help
Documentation
| Topic | Guide |
|---|---|
| Getting Started | Quick Start |
| Authentication | Auth Guide |
| Transports | Stdio/HTTP/SSE |
| Rate Limiting | Rate Limits |
| Observability | Metrics & Tracing |
| Deployment | Production Guide |
| API Reference | HTTP API |
Security
Security vulnerabilities should be reported via security@mcp.guard.
See SECURITY.md for our security policy.
Contributing
We welcome contributions. See CONTRIBUTING.md for guidelines.
# Clone and build
git clone https://github.com/mcp-guard/mcp-guard
cd mcp-guard
cargo build
# Run tests
cargo test
# Run lints
cargo clippy -- -D warnings
License
AGPL-3.0. See LICENSE.
Commercial licenses available for Pro and Enterprise tiers.
Built by botzr