MCP Shield CLI
The MCP Shield CLI provides a powerful command-line interface for managing your AI tooling security. Install it globally or run with npx.
Installation
The quickest way to get started is with npx (no installation required):
npx @mcpshield/cli initFor repeated use, install globally with your preferred package manager:
npm install -g @mcpshield/cliVerify Installation
After installation, verify that the CLI is working:
mcp-shield --version
# Output:
# @mcpshield/cli v1.0.0mcp-shield --help
# Output:
# MCP Shield CLI - Enterprise AI Governance
#
# Usage: mcp-shield <command> [options]
#
# Commands:
# login Authenticate with MCP Shield
# logout Clear local credentials
# providers Manage provider connections
# mcp Invoke MCP tools
# config Generate AI tool configurations
# policies View and simulate policies
# audit View audit logs
# tokens Manage API tokens
#
# Options:
# --version Show version
# --help Show help
# --token <token> Use specific token
# --env <env> Environment (production, staging)What You Can Do
Authenticate
Securely log in and manage your credentials.
Connect Providers
Link GitHub, Vercel, Supabase, and more.
Invoke MCPs
Run governed MCP calls from the terminal.
Generate Configs
Create configs for Cursor, Claude, and CI/CD.
Authentication
Log in to your MCP Shield account using browser-based OAuth:
mcp-shield login
# Output:
# Opening browser for authentication...
# Waiting for confirmation...
# ✓ Authenticated as you@company.com
# ✓ Token saved to ~/.mcpshield/credentialsSecure Credential Storage
Credentials are stored encrypted in ~/.mcpshield/credentials. Your password is never stored. Only OAuth tokens with automatic refresh are kept.
For CI/CD and automation, use environment variables or token flags:
# Environment variable (recommended)
export MCP_SHIELD_TOKEN=mcp_live_xxxxxxxxxxxxx
# Or pass directly
mcp-shield --token mcp_live_xxxxx providers listQuick Examples
Connect a Provider
mcp-shield providers connect github
# Output:
# Opening browser to authorize GitHub...
# ✓ GitHub connected successfully
# Connected as: your-username
# Scopes: repo, read:orgInvoke an MCP Tool
mcp-shield mcp invoke github:list_repos --limit 5
# Output:
# ┌─────────────────────────┬───────────┬──────────────┐
# │ Repository │ Visibility│ Last Updated │
# ├─────────────────────────┼───────────┼──────────────┤
# │ your-org/project-a │ private │ 2 hours ago │
# └─────────────────────────┴───────────┴──────────────┘
#
# ✓ Policy: allowed (matched: default-allow-read)
# ✓ DLP: passed
# ✓ Audit: loggedGenerate AI Tool Config
mcp-shield config generate cursor
# Output:
# ✓ Config written to ~/.cursor/mcp.json
#
# Contents:
# {
# "mcpServers": {
# "mcp-shield": {
# "url": "https://gateway.mcpshield.com/mcp",
# "headers": {
# "Authorization": "Bearer ${MCP_SHIELD_TOKEN}"
# }
# }
# }
# }Simulate Policy
mcp-shield policies simulate \
--mcp github:create_pull_request \
--user alice@company.com
# Output:
# Policy Simulation Result:
# ┌───────────────┬──────────────────────────────────────┐
# │ Decision │ ALLOW │
# │ Policy │ dev-team-write-access │
# │ Condition │ user.role == 'developer' AND │
# │ │ mcp.provider == 'github' │
# │ DLP │ Would scan for: secrets, PII │
# │ Audit Level │ decision_summary │
# └───────────────┴──────────────────────────────────────┘Configuration File
The CLI can use a configuration file for project-specific settings:
# .mcpshield.yaml
organization: your-org
environment: production
default_provider: github
policies:
simulate_on_invoke: true
logging:
level: info
audit_local: falseSystem Requirements
- Node.js 18.0 or higher
- macOS, Linux, or Windows
- Internet connection for authentication