Skip to main content
Wardin’s live proxy puts the gateway in the path of an agent’s tool calls. Connect an upstream MCP server once, point an MCP client at gw.wardin.ai/mcp/servers/<name>, and every tools/call is governed (agent identity → tool allowlist), forwarded to the upstream, and written to the tamper-evident receipt chain with its real upstream outcome. This works with any MCP client that speaks remote HTTP transport — Claude Code, Cursor, or your own agent.

1. Turn on agentic governance

In Console → Organization → Agentic Governance, set the tenant’s mode:
  • permissive — tool calls are metered and signed; only an explicit tool_allowlist denies. A good first step.
  • enforced — a covering tool_allowlist and a registered X-Wardin-Agent-Id are required (fail-closed).
While the mode is off (the default), /mcp/servers/<name> returns 404.

2. Connect the upstream server

In Console → MCP / Agents → MCP servers, connect the server you want to route:
  • Name — the <name> in the proxy URL (e.g. deepwiki).
  • URL — the remote MCP endpoint (e.g. https://mcp.deepwiki.com/mcp).
  • Transporthttp.
  • Credentialnone, a bearer token, or an API-key header. It’s encrypted at rest and never returned.
The proxy forwards to remote HTTP MCP servers with a public address. A dial that resolves to a loopback or private/link-local address is refused — this is an SSRF safeguard, so a local stdio MCP server or an internal host can’t be reached through the hosted gateway.

3. Point your MCP client at Wardin

The proxy URL is https://gw.wardin.ai/mcp/servers/<name>, authenticated with a virtual key. For Claude Code:
claude mcp add --transport http deepwiki-via-wardin \
  https://gw.wardin.ai/mcp/servers/deepwiki \
  --header "Authorization: Bearer wardin_sk_YOUR_KEY"
The client’s initialize and tools/list calls are forwarded transparently, so the handshake and tool discovery work as they would against the upstream directly (the proxy is POST-only and doesn’t consume server-initiated SSE streams). Only a tools/call is governed.

What gets governed and recorded

For each tools/call the proxy:
  • resolves the caller’s agent identity and checks the tool_allowlist;
  • on allow, forwards to the upstream with the stored credential and relays the response, recording a signed UPSTREAM: PASS/FAIL check from the real outcome;
  • on deny, returns a JSON-RPC error (the MCP-native shape) without reaching the upstream, and still writes a FAIL receipt.
Every call is bucketed into a session (or an explicit X-Wardin-Session-Id), and Console → MCP / Agents shows a per-server LAST CALL badge with the most recent forwarded outcome. The receipts appear in the same chain as your model-call receipts — verify them with the offline verifier.

Restricting which tools an agent may call

Author a tool_allowlist policy in Console → Policies — globs against the tool name:
allowed_tools:
  - read_wiki_*
  - ask_question
In permissive mode an off-list tool is denied only if a tool_allowlist policy exists; in enforced mode a tool must match a covering allowlist or it’s blocked. Either way the denial is a signed TOOL_ALLOWLIST: FAIL check.
tools/list is forwarded whole, not filtered to the allowlist — an agent may see a tool it cannot invoke. The invocation is still blocked and recorded. Filtering discovery to the allowlist is a roadmap item.