MCP Boundary Server

Wrap your local MCP servers to check every tool call against policy and live state before it runs - allow, block, or request a refresh, with a reason the agent can act on.

Documentation

The core idea is simple:

Seeing a tool is not the same as permission to run every call.

An agent might know that a server has a send, delete, update, deploy, or write tool. MCP Boundary helps you decide what should happen for the concrete call the agent is asking for right now.

What You Get

MCP Boundary gives you:

  • a local mcpboundary command
  • a first-run local email demo
  • a localhost dashboard for setup, tools, Tool rules, Agent Config, and activity
  • a way to add multiple MCP server profiles
  • policy files for showing, hiding, allowing, blocking, and limiting tools
  • activity records for calls that pass through MCP Boundary

It is meant for local MCP workflows where tools can create real side effects:

  • writing records
  • creating drafts
  • sending messages
  • changing tickets
  • deleting or moving data
  • triggering deployments or scripts
  • retrying writes after state has changed

If your MCP server is read-only, MCP Boundary may be less important. If your MCP tools can change things, it gives you a place to make those calls explicit.

Multiple MCP Servers

You can add several MCP servers as separate profiles:

gmail -> mcpboundary serve gmail github -> mcpboundary serve github postgres -> mcpboundary serve postgres

The tools are not merged into one giant shared list. Your agent gets separate MCP entries, and each running serve <profile> process protects one selected downstream MCP server.

First Real Setup

For a real MCP client, start from the dashboard:

paste existing MCP config in Setup -> detect and import one server -> copy Agent Config back into your MCP client -> restart or reload the MCP client -> run one safe tool call -> check Activity

MCP Boundary does not edit your MCP client automatically. Import creates a local Boundary setup; Agent Config is the replacement entry you copy back into the MCP client.

Optional Demo

The included local email demo does not connect to Gmail, Outlook, or any real mailbox. It is a safe way to see the product behavior:

search email allowed read thread allowed create draft allowed send email blocked before execution

From a downloaded ZIP on Windows:

powershell

.\mcpboundary.exe quickstart email

From a downloaded tarball on Linux:

sh

./mcpboundary quickstart email

That starts a connected local dashboard, prepares a replacement MCP config entry for your agent, and keeps running until you stop it with Ctrl+C.

For your own server, use the dashboard import path above. Save Rules only when you want stricter behavior. In Rules, start by selecting a tool and changing its Draft rule; use the full Policy JSON editor only for complete Policy files.

How To Read These Docs

Use this order if you are new:

  • Getting Started - import an existing MCP config, copy Agent Config, and verify Activity.
  • How It Works - understand what sits between the agent and the MCP server.
  • MCP Tool Rules - see how tools become visible, allowed, blocked, limited, and bound to reviewed state.
  • Tested Servers And Limits - see what has actually been tested.
  • Real Gmail Setup - advanced guide for a real Gmail-style MCP server.
  • FAQ - common questions about retries, hidden effects, auth, and limits.

What It Is Not

MCP Boundary is not a hosted gateway, a cloud service, a replacement for your MCP server, or a dashboard approval queue. It does not provide production security, data-loss prevention, or prompt-injection protection.

Only calls routed through MCP Boundary are checked. If the agent still has a direct MCP entry for the downstream server, that direct path bypasses the boundary.

See Limitations for the full list.

The Short Version

Agent │ asks for a tool call ▼ ┌──────────────────┐ allowed ┌──────────────┐ │ MCP Boundary │ ───────────▶ │ MCP server │ │ checks call │ └──────────────┘ └──────────────────┘ │ blocked ▼ stops before the server runs — the dashboard shows what happened