> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wardin.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect an MCP server

> Route an agent's MCP tool calls through Wardin for in-path governance and signed receipts.

Wardin's [live proxy](/concepts/agentic-governance#the-live-proxy) puts the gateway in the path of an agent's tool calls. Connect an upstream MCP server once, point an MCP client at `gw.wardin.ai/mcp/servers/<name>`, and every `tools/call` is governed (agent identity → tool allowlist), forwarded to the upstream, and written to the tamper-evident [receipt chain](/concepts/receipts) with its real upstream outcome.

This works with any MCP client that speaks remote HTTP transport — Claude Code, Cursor, or your own agent.

## 1. Turn on agentic governance

In **Console → Organization → Agentic Governance**, set the tenant's mode:

* **permissive** — tool calls are metered and signed; only an explicit `tool_allowlist` denies. A good first step.
* **enforced** — a covering `tool_allowlist` and a registered `X-Wardin-Agent-Id` are required (fail-closed).

While the mode is **off** (the default), `/mcp/servers/<name>` returns `404`.

## 2. Connect the upstream server

In **Console → MCP / Agents → MCP servers**, connect the server you want to route:

* **Name** — the `<name>` in the proxy URL (e.g. `deepwiki`).
* **URL** — the remote MCP endpoint (e.g. `https://mcp.deepwiki.com/mcp`).
* **Transport** — `http`.
* **Credential** — `none`, a bearer token, or an API-key header. It's encrypted at rest and never returned.

<Note>
  The proxy forwards to **remote HTTP MCP servers with a public address**. A dial that resolves to a loopback or private/link-local address is refused — this is an SSRF safeguard, so a local `stdio` MCP server or an internal host can't be reached through the hosted gateway.
</Note>

## 3. Point your MCP client at Wardin

The proxy URL is `https://gw.wardin.ai/mcp/servers/<name>`, authenticated with a virtual key. For **Claude Code**:

```bash theme={null}
claude mcp add --transport http deepwiki-via-wardin \
  https://gw.wardin.ai/mcp/servers/deepwiki \
  --header "Authorization: Bearer wardin_sk_YOUR_KEY"
```

The client's `initialize` and `tools/list` calls are forwarded transparently, so the handshake and tool discovery work as they would against the upstream directly (the proxy is POST-only and doesn't consume server-initiated SSE streams). Only a `tools/call` is governed.

## What gets governed and recorded

For each `tools/call` the proxy:

* resolves the caller's [agent identity](/concepts/agentic-governance#1-agent-identity-registry) and checks the [`tool_allowlist`](/concepts/agentic-governance#2-tool-allowlist-policy);
* on **allow**, forwards to the upstream with the stored credential and relays the response, recording a signed `UPSTREAM: PASS`/`FAIL` check from the real outcome;
* on **deny**, returns a JSON-RPC error (the MCP-native shape) *without* reaching the upstream, and still writes a `FAIL` receipt.

Every call is bucketed into a [session](/concepts/sessions) (or an explicit `X-Wardin-Session-Id`), and **Console → MCP / Agents** shows a per-server **LAST CALL** badge with the most recent forwarded outcome. The receipts appear in the same chain as your model-call receipts — verify them with the [offline verifier](/concepts/offline-verification).

## Restricting which tools an agent may call

Author a `tool_allowlist` [policy](/concepts/policies) in **Console → Policies** — globs against the tool name:

```yaml theme={null}
allowed_tools:
  - read_wiki_*
  - ask_question
```

In **permissive** mode an off-list tool is denied only if a `tool_allowlist` policy exists; in **enforced** mode a tool must match a covering allowlist or it's blocked. Either way the denial is a signed `TOOL_ALLOWLIST: FAIL` check.

<Note>
  `tools/list` is forwarded whole, not filtered to the allowlist — an agent may *see* a tool it cannot *invoke*. The invocation is still blocked and recorded. Filtering discovery to the allowlist is a roadmap item.
</Note>
