MCP Proxy

Overview

Akto MCP Proxy is a security and governance layer that sits between MCP (Model Context Protocol) clients and MCP servers. It enables organizations to implement threat protection, security policies, and guardrails for all MCP server requests while maintaining seamless connectivity to the original MCP servers.

Key Features

Threat Protection: Real-time scanning and blocking of malicious requests
Security Guardrails: Enforce organizational security policies and compliance requirements
Request Monitoring: Complete visibility into all MCP communications
Transparent Proxying: Zero-configuration changes required on MCP servers
Performance Optimization: Intelligent caching and request optimization

Architecture

┌─────────────┐        ┌─────────────────┐        ┌──────────────┐
│ MCP Client  │───────▶│  Akto MCP Proxy │───────▶│  MCP Server  │
└─────────────┘        └─────────────────┘        └──────────────┘
                              │
                              ▼
                       ┌──────────────────┐
                       │ Threat Detection │
                       │   & Guardrails   │
                       └──────────────────┘

Cloud setup

How It Works

Request Interception: MCP clients send requests to the Akto proxy endpoint instead of directly to MCP servers
Security Analysis: Each request undergoes threat detection and policy validation
Policy Enforcement: Requests are evaluated against configured guardrails
Request Forwarding: Validated requests are forwarded to the original MCP server
Response Processing: Server responses are analyzed and returned to the client

Configuration

Basic Setup

To use Akto MCP Proxy, simply prepend your original MCP server URL with the Akto proxy endpoint. All existing authentication and credentials for your original MCP server remain unchanged.

Proxy URL Format:

https://mcp-proxy.akto.io/proxy/{protocol}/{host}/{path}

Where the original MCP server URL is transformed by:

Replacing :// with /
Example: https://mcp.example.com/api → https/mcp.example.com/api

Configuration Examples

SSE-based MCP Server

Original configuration:

{
  "mcpServers": {
    "kite-trading": {
      "url": "https://mcp.kite.trade/sse",
      "apiKey": "your-kite-api-key"
    }
  }
}

With Akto proxy:

{
  "mcpServers": {
    "kite-trading": {
      "url": "https://mcp-proxy.akto.io/proxy/https/mcp.kite.trade/sse",
      "apiKey": "your-kite-api-key"
    }
  }
}

WebSocket MCP Server

Original configuration:

{
  "mcpServers": {
    "data-server": {
      "url": "wss://api.example.com/mcp",
      "auth": {
        "token": "bearer-token-123"
      }
    }
  }
}

With Akto proxy:

{
  "mcpServers": {
    "data-server": {
      "url": "https://mcp-proxy.akto.io/proxy/wss/api.example.com/mcp",
      "auth": {
        "token": "bearer-token-123"
      }
    }
  }
}

Important Notes

All original authentication credentials (API keys, tokens, etc.) remain the same
The proxy transparently forwards authentication headers to the original server
No changes required on the MCP server side
The proxy URL supports both HTTP/HTTPS and WebSocket protocols

Advanced Configuration

Custom Guardrails

Define custom security policies and guardrails:

guardrails:
  - name: "PII Protection"
    type: "content_filter"
    rules:
      - pattern: "ssn|social security"
        action: "block"
      - pattern: "credit card|cc number"
        action: "redact"
  
  - name: "Rate Limiting"
    type: "rate_limit"
    rules:
      - requests_per_minute: 100
        per_client: true

Threat Detection Profiles

Configure threat detection sensitivity and rules:

threat_detection:
  sensitivity: "high"
  enabled_checks:
    - sql_injection
    - command_injection
    - path_traversal
    - data_exfiltration
  custom_rules:
    - name: "Block Sensitive File Access"
      pattern: "/etc/passwd|/etc/shadow"
      action: "block"

Security Features

1. Threat Detection

SQL Injection Prevention: Detects and blocks SQL injection attempts
Command Injection Protection: Prevents malicious command execution
Path Traversal Defense: Blocks unauthorized file system access
Data Exfiltration Prevention: Monitors and controls data egress

2. Access Control

Authentication: API key-based authentication for all proxy requests
Authorization: Role-based access control for different MCP operations
IP Whitelisting: Restrict access to approved IP addresses
Session Management: Secure session handling with automatic timeout

3. Data Protection

Encryption in Transit: TLS 1.3 for all communications
PII Detection: Automatic identification and protection of sensitive data
Data Masking: Real-time redaction of sensitive information
Audit Logging: Comprehensive logging of all requests and responses

Monitoring & Analytics

Dashboard Metrics

Request volume and trends
Threat detection statistics
Blocked request analysis
Performance metrics (latency, throughput)
Error rates and patterns

Alerts & Notifications

Configure alerts for security events:

alerts:
  - type: "threat_detected"
    severity: "high"
    channels: ["email", "slack"]
  
  - type: "rate_limit_exceeded"
    threshold: 1000
    channels: ["webhook"]

API Reference

Proxy Endpoints

Health Check

GET https://proxy.akto.io/health
Authorization: Bearer {api_key}

Response Format

{
  "success": true,
  "data": {
    "response": {...},
    "metadata": {
      "request_id": "req_123456",
      "latency_ms": 45,
      "threats_detected": [],
      "guardrails_applied": ["PII Protection"]
    }
  }
}

Best Practices

Regular Policy Updates: Keep security policies and guardrails up-to-date
Monitor Alert Fatigue: Fine-tune detection rules to reduce false positives
Performance Optimization: Use caching for frequently accessed resources
Backup Configuration: Maintain fallback options for critical MCP servers
Regular Audits: Review logs and analytics for security insights

Troubleshooting Common Issues

Connection Timeout

Verify network connectivity to Akto proxy
Check firewall rules and proxy settings
Validate API key and authentication

Request Blocked

Review threat detection logs for specific violations
Check guardrail configurations
Verify request content against security policies

Performance Degradation

Monitor proxy latency metrics
Optimize guardrail rules for efficiency
Consider geographic proxy distribution

Get Support for your Akto setup

There are multiple ways to request support from Akto. We are 24X7 available on the following:

In-app intercom support. Message us with your query on intercom in Akto dashboard and someone will reply.
Join our discord channel for community support.
Contact [email protected] for email support.
Contact us here.

PreviousGet Started NextAI Agent Proxy

Last updated 1 month ago

hashtagOverview

hashtagKey Features

hashtagArchitecture

hashtagCloud setup

hashtagHow It Works

hashtagConfiguration

hashtagBasic Setup

hashtagConfiguration Examples

hashtagImportant Notes

hashtagAdvanced Configuration

hashtagCustom Guardrails

hashtagThreat Detection Profiles

hashtagSecurity Features

hashtag1. Threat Detection

hashtag2. Access Control

hashtag3. Data Protection

hashtagMonitoring & Analytics

hashtagDashboard Metrics

hashtagAlerts & Notifications

hashtagAPI Reference

hashtagProxy Endpoints

hashtagHealth Check

hashtagResponse Format

hashtagBest Practices

hashtagTroubleshooting Common Issues

hashtagConnection Timeout

hashtagRequest Blocked

hashtagPerformance Degradation

hashtagGet Support for your Akto setup