# MCP Proxy
## Overview
Akto MCP Proxy is a security and governance layer that sits between MCP (Model Context Protocol) clients and MCP servers. It enables organizations to implement guardrail protection, security policies, and guardrails for all MCP server requests while maintaining seamless connectivity to the original MCP servers.
## Key Features
* **Guardrail Protection**: Real-time scanning and blocking of malicious requests
* **Security Guardrails**: Enforce organizational security policies and compliance requirements
* **Request Monitoring**: Complete visibility into all MCP communications
* **Transparent Proxying**: Zero-configuration changes required on MCP servers
* **Performance Optimization**: Intelligent caching and request optimization
## Architecture
```
┌─────────────┐ ┌─────────────────┐ ┌──────────────┐
│ MCP Client │───────▶│ Akto MCP Proxy │───────▶│ MCP Server │
└─────────────┘ └─────────────────┘ └──────────────┘
│
▼
┌──────────────────┐
│ Guardrail Detection │
│ & Guardrails │
└──────────────────┘
```
### Cloud setup
## How It Works
1. **Request Interception**: MCP clients send requests to the Akto proxy endpoint instead of directly to MCP servers
2. **Security Analysis**: Each request undergoes guardrail detection and policy validation
3. **Policy Enforcement**: Requests are evaluated against configured guardrails
4. **Request Forwarding**: Validated requests are forwarded to the original MCP server
5. **Response Processing**: Server responses are analyzed and returned to the client
## Configuration
### Basic Setup
To use Akto MCP Proxy, simply prepend your original MCP server URL with the Akto proxy endpoint. All existing authentication and credentials for your original MCP server remain unchanged.
**Proxy URL Format:**
```
https://mcp-proxy.akto.io/proxy/{protocol}/{host}/{path}
```
Where the original MCP server URL is transformed by:
* Replacing `://` with `/`
* Example: `https://mcp.example.com/api` → `https/mcp.example.com/api`
#### Configuration Examples
1. **SSE-based MCP Server**
Original configuration:
```json
{
"mcpServers": {
"kite-trading": {
"url": "https://mcp.kite.trade/sse",
"apiKey": "your-kite-api-key"
}
}
}
```
With Akto proxy:
```json
{
"mcpServers": {
"kite-trading": {
"url": "https://mcp-proxy.akto.io/proxy/https/mcp.kite.trade/sse",
"apiKey": "your-kite-api-key"
}
}
}
```
2. **WebSocket MCP Server**
Original configuration:
```json
{
"mcpServers": {
"data-server": {
"url": "wss://api.example.com/mcp",
"auth": {
"token": "bearer-token-123"
}
}
}
}
```
With Akto proxy:
```json
{
"mcpServers": {
"data-server": {
"url": "https://mcp-proxy.akto.io/proxy/wss/api.example.com/mcp",
"auth": {
"token": "bearer-token-123"
}
}
}
}
```
{% hint style="info" %}
**Important Notes**
* All original authentication credentials (API keys, tokens, etc.) remain the same
* The proxy transparently forwards authentication headers to the original server
* No changes required on the MCP server side
* The proxy URL supports both HTTP/HTTPS and WebSocket protocols
{% endhint %}
### Advanced Configuration
#### Custom Guardrails
Define custom security policies and guardrails:
```yaml
guardrails:
- name: "PII Protection"
type: "content_filter"
rules:
- pattern: "ssn|social security"
action: "block"
- pattern: "credit card|cc number"
action: "redact"
- name: "Rate Limiting"
type: "rate_limit"
rules:
- requests_per_minute: 100
per_client: true
```
#### Guardrails Profiles
Configure guardrail detection sensitivity and rules:
```yaml
threat_detection:
sensitivity: "high"
enabled_checks:
- sql_injection
- command_injection
- path_traversal
- data_exfiltration
custom_rules:
- name: "Block Sensitive File Access"
pattern: "/etc/passwd|/etc/shadow"
action: "block"
```
## Security Features
### 1. Guardrails
* **SQL Injection Prevention**: Detects and blocks SQL injection attempts
* **Command Injection Protection**: Prevents malicious command execution
* **Path Traversal Defense**: Blocks unauthorized file system access
* **Data Exfiltration Prevention**: Monitors and controls data egress
### 2. Access Control
* **Authentication**: API key-based authentication for all proxy requests
* **Authorization**: Role-based access control for different MCP operations
* **IP Whitelisting**: Restrict access to approved IP addresses
* **Session Management**: Secure session handling with automatic timeout
### 3. Data Protection
* **Encryption in Transit**: TLS 1.3 for all communications
* **PII Detection**: Automatic identification and protection of sensitive data
* **Data Masking**: Real-time redaction of sensitive information
* **Audit Logging**: Comprehensive logging of all requests and responses
## Monitoring & Analytics
### Dashboard Metrics
* Request volume and trends
* Guardrail detection statistics
* Blocked request analysis
* Performance metrics (latency, throughput)
* Error rates and patterns
### Alerts & Notifications
Configure alerts for security events:
```yaml
alerts:
- type: "threat_detected"
severity: "high"
channels: ["email", "slack"]
- type: "rate_limit_exceeded"
threshold: 1000
channels: ["webhook"]
```
## API Reference
### Proxy Endpoints
#### Health Check
```http
GET https://proxy.akto.io/health
Authorization: Bearer {api_key}
```
#### Response Format
```json
{
"success": true,
"data": {
"response": {...},
"metadata": {
"request_id": "req_123456",
"latency_ms": 45,
"threats_detected": [],
"guardrails_applied": ["PII Protection"]
}
}
}
```
## Best Practices
1. **Regular Policy Updates**: Keep security policies and guardrails up-to-date
2. **Monitor Alert Fatigue**: Fine-tune detection rules to reduce false positives
3. **Performance Optimization**: Use caching for frequently accessed resources
4. **Backup Configuration**: Maintain fallback options for critical MCP servers
5. **Regular Audits**: Review logs and analytics for security insights
## Troubleshooting Common Issues
### Connection Timeout
* Verify network connectivity to Akto proxy
* Check firewall rules and proxy settings
* Validate API key and authentication
### Request Blocked
* Review security detection logs for specific violations
* Check guardrail configurations
* Verify request content against security policies
### Performance Degradation
* Monitor proxy latency metrics
* Optimize guardrail rules for efficiency
* Consider geographic proxy distribution
## Get Support for your Akto setup
There are multiple ways to request support from Akto. We are 24X7 available on the following:
1. In-app `intercom` support. Message us with your query on intercom in Akto dashboard and someone will reply.
2. Join our [discord channel](https://www.akto.io/community) for community support.
3. Contact `help@akto.io` for email support.
4. Contact us [here](https://www.akto.io/contact-us).
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://ai-security-docs.akto.io/agentic-guardrails/overview/akto-mcp-proxy.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.