MCP Endpoint Shield
Overview
MCP Endpoint Shield provides runtime security and auto-discovery of local MCP servers configured on your machine. It acts as a protective layer between the MCP client (e.g., Cursor, VS Code, Claude) and the MCP servers, requiring no changes to your setup.
What is Agentic Endpoint Shield?
Endpoint Shield continuously monitors employee devices to identify and track:
AI Agents: All deployed agents across web, desktop, and endpoint devices
MCP Servers: Model Context Protocol server instances running locally or remotely
Device Information: Complete device inventory with hardware IDs, usernames, and locations
Agent Activity: Real-time heartbeat monitoring and deployment status
MCP Connections: Server URLs, connection health, and last seen timestamps
Features
Continuous safety checks on all requests and responses to the MCP servers
Automatic blocking of unsafe interactions (via standard JSON-RPC errors)
Works out-of-the-box with popular MCP clients (Cursor, VS Code, Claude)
Zero changes required in your MCP server
Installation
The application is provided as an installble package (.app, .deb, .exe)
Please reach out to Akto Support to get your installer.
Please refer to the Manaul Setup section if you wish to run the tool without an installer.
Auto-Detection
Akto MCP Endpoint Shield automatically detects MCP client configurations:
Cursor → Reads
~/.cursor/mcp.jsonVisual Studio Code → Reads
.vscode/mcp.jsoninside your workspaceClaude Desktop → Reads Claude’s MCP config JSON
For each detected MCP server config:
The JSON file is parsed.
Each server entry is automatically wrapped with Akto MCP Endpoint Shield.
Your MCP clients transparently run through the shield without requiring manual reconfiguration.
You don’t need to manually edit your MCP config files — the wrapper handles this for you.
Example — Cursor mcp.json
Original file (before wrapping):
Automatically wrapped file (after Akto MCP Endpoint Shield):
Here how the wrap looks in the code:
What changed:
mcp-endpoint-shieldis now the entry command.Original server command (
npx -y chrome-devtools-mcp@latest) is passed through--exec.
Manual Setup
Follow these steps to manually set up and run MCP Endpoint Shield to protect your MCP servers.
Prerequisites
You have the
mcp-endpoint-shieldbinary availableYou have an Akto API token
uninstall MCP Endpoint Shield if installed previously using installers
Set Your API Token
Set the AKTO_API_TOKEN environment variable:
Make it permanent (optional):
For bash users, add to
~/.bashrc:For zsh users, add to
~/.zshrc:
Verify it's set:
Start the Agent
The agent automatically discovers and protects your MCP servers.
Expected output:
Keep this terminal running. The agent will:
Find your MCP configuration files (Cursor, VS Code, Claude Desktop)
Wrap your MCP servers with security
Sync security policies from Akto backend
Watch for changes and auto-update configs
Protecting Local MCP Servers (STDIO)
Option A: Let the Agent Wrap It (Recommended)
If the agent is running (Step 2), it will automatically detect and wrap your config. Your MCP configuration will be automatically modified to route through the security shield.
Restart your MCP client (Cursor/VS Code) to apply changes.
Option B: Manual Wrapping (If Not Using Agent)
If you're not running the agent, manually edit your MCP config file (e.g., ~/.cursor/mcp.json):
Key changes:
Change
commandto the full path ofmcp-endpoint-shieldAdd
"stdio", "--name", "<server-name>", "--akto-api-token", "<your-token>", "--exec"to the start ofargsPlace the original command (
npx) and arguments (-y,chrome-devtools) after--exec
Restart your MCP client to apply changes.
Protecting Remote MCP Servers (HTTP)
For HTTP-based MCP servers, run the HTTP proxy in a new terminal:
Expected output:
Keep this terminal running.
Note: The proxy runs on port 57294 by default.
Configure Your Remote MCP Server
Original config (direct connection to remote server):
Protected config (route through proxy):
Key changes:
Change
urltohttp://localhost:57294/mcp/streamableKeep your existing
Authorizationheader (or any other headers)Add new header
mcp-server-base-urlwith the original remote server URL
The proxy will:
Receive requests at
http://localhost:57294/mcp/streamableRead the
mcp-server-base-urlheader to know where to forwardApply security policies
Forward to your actual remote MCP server
Return the response back to your client
Restart your MCP client to apply changes.
Verify Everything is Working
Check Agent Status
Look at the agent terminal - you should see:
No errors means it's working!
Check HTTP Proxy Status
Look at the proxy terminal:
Test Your MCP Server
Open your MCP client (Cursor, VS Code, Claude Desktop) and try using your wrapped MCP server. It should work normally, but now with security protection.Step 4:
Quick Command Reference
Terminal 1 - Agent:
Terminal 2 - HTTP Proxy:
Get Help:
This protects:
STDIO servers (like
npx -y chrome-devtools) via agentHTTP servers (remote MCP servers) via proxy
Common Flags
--name <project_name>→ Friendly label used in logs and insights--akto-api-token <token>→ Your Akto API token--exec <command> [args...]→ Command to start your MCP server--env KEY=VALUE(repeatable) → Pass additional environment variables to the MCP process
Logging
Based on Log File Locations, choose from the following:
Manual Run
When you manually run mcp-endpoint-shield, logs are written to:
Example:
MacOS System Service (LaunchDaemon)
When installed and running as a system service on macOS:
Agent logs
HTTP Proxy logs
View logs
Linux System Service (systemd)
When installed and running as a systemd service on Linux:
Agent logs
HTTP Proxy logs
View logs
Windows
When MCP Endpoint Shield runs on Windows, agent logs are stored in the user’s local application data directory:
You can use this command to verify agent startup, inspect runtime errors, and confirm connectivity from the Windows endpoint.
STDIO Wrapped MCP servers (Manual and Installer)
Each wrapped STDIO MCP server gets its own log file named after the --name attribute:
Troubleshooting
Issue: AKTO_API_TOKEN is not set
Cause: Environment variable not configured.
Fix: Set the token with
export AKTO_API_TOKEN="your-token"and verify withecho $AKTO_API_TOKEN.
Issue: Port already in use (HTTP Proxy)
Cause: Port 57294 is already being used by another process.
Fix 1: Find and kill the process with
lsof -i :57294andkill -9 PID.Fix 2: Use a different port with
./mcp-endpoint-shield http --port 8080and update your config.
Issue: MCP server not working after wrapping
Cause: Multiple possible causes.
Fix:
Restart your MCP client,
Verify binary path with
which mcp-endpoint-shield,Check logs at
~/.akto-mcp-endpoint-shield/logs/or/var/log/akto-mcp-endpoint-shield/(if installed using installer)Test original command works standalone.
Issue: permission denied: ./mcp-endpoint-shield ➡
Cause: Binary doesn't have execute permissions. ➡
Fix: Run
chmod +x ./mcp-endpoint-shield.
Issue: command not found: mcp-endpoint-shield ➡
Cause: Binary not in PATH or wrong path used. ➡
Fix: Use full path (
./mcp-endpoint-shieldor/usr/local/bin/mcp-endpoint-shield) or add to PATH withexport PATH=$PATH:/path/to/binary/directory.
Akto Security Scope
Transparency: Safe traffic is never altered.
Clarity: Unsafe traffic always results in a clear JSON-RPC error.
Minimal footprint: Designed to stay invisible unless an issue occurs.
Get Support for your Akto setup
There are multiple ways to request support from Akto. We are 24X7 available on the following:
In-app
intercomsupport. Message us with your query on intercom in Akto dashboard and someone will reply.Join our discord channel for community support.
Contact
[email protected]for email support.Contact us here.
Last updated