Docs/MCP Gateway

MCP Gateway

MCP Shield acts as a governed MCP gateway. Configure your AI tools to route all MCP calls through MCP Shield for policy enforcement, DLP, and audit logging.

How It Works

AI Client

Cursor, Claude, etc.

Authenticates with MCP Shield token

↓

MCP Shield Gateway

Policy evaluation

DLP scanning

Credential injection

Audit logging

↓

Provider MCP

GitHub, Vercel, etc.

Receives governed requests

Gateway Features

Policy Enforcement

Every MCP call is evaluated against your security policies in real-time.

Credential Security

Provider credentials never reach AI clients. MCP Shield injects them securely.

Full Audit Trail

Every request and response is logged for compliance and debugging.

DLP Scanning

Requests and responses are scanned for sensitive data patterns.

Gateway Endpoint

Configure your AI tools to use this MCP gateway URL:

https://gateway.mcpshield.com/mcp

bash

All requests must include an Authorization header with your MCP Shield token:

Authorization: Bearer mcp_live_xxxxxxxxxxxxx

http

Configuration Examples

Configure your AI tool to use MCP Shield as the gateway:

// ~/.cursor/mcp.json
{
  "mcpServers": {
    "mcp-shield": {
      "url": "https://gateway.mcpshield.com/mcp",
      "headers": {
        "Authorization": "Bearer ${MCP_SHIELD_TOKEN}"
      }
    }
  }
}

json

Generate Configuration

Use the CLI to automatically generate and install configurations:

# Generate and install for Cursor
mcp-shield config generate cursor

# Generate and install for Claude
mcp-shield config generate claude

# Generate for any tool (prints to stdout)
mcp-shield config generate --format json

bash

Automatic Token Handling

When you generate a config, the CLI uses environment variable references ($${MCP_SHIELD_TOKEN}) by default. Set this in your shell profile or the tool's environment.

Environment Setup

Set your MCP Shield token as an environment variable:

# Add to ~/.zshrc or ~/.bashrc
export MCP_SHIELD_TOKEN=mcp_live_xxxxxxxxxxxxx

# Reload shell
source ~/.zshrc

bash

Verify Connection

Test that your configuration is working:

# Test via CLI
mcp-shield mcp list

# Output:
# Connected to MCP Shield Gateway
# Available MCP Tools:
# ├── github:list_repos
# ├── github:create_issue
# ├── vercel:list_projects
# └── ...

bash

Then test from your AI tool by invoking any MCP. The response will include governance metadata confirming it went through MCP Shield.

Tool-Specific Guides

Cursor

Detailed setup guide for using MCP Shield with Cursor IDE.

Claude Desktop

Configure Claude Desktop to use MCP Shield on macOS and Windows.

Troubleshooting

Connection refused / timeout

Ensure your network allows outbound HTTPS connections to gateway.mcpshield.com. Check firewall rules and proxy settings.

401 Unauthorized

Your token is invalid or expired. Generate a new token with mcp-shield tokens createor re-authenticate with mcp-shield login.

403 Policy Denied

The request was blocked by a security policy. Use mcp-shield policies simulateto understand why and adjust policies if needed.

On this page

Overview
Installation
Usage
Examples

Report an issue Edit this page