Proxy Gateway Mode
The most powerful deployment: route any MCP client's connections to other MCP servers through Xybern. Every tool call (GitHub, Slack, database, internal APIs) passes through enforcement before execution. Zero changes to your agent or MCP server code.
Without Xybern:

```
Claude Code → GitHub MCP     (no auth, no policies)
Claude Code → Database MCP   (no auth, no policies)
Claude Code → Slack MCP      (no auth, no policies)
```

With Xybern MCP Gateway:

```
Claude Code → Xybern MCP → [policy check] → GitHub MCP     ✓ allowed
                         → [policy check] → Database MCP   ⏸ escalated
                         → [policy check] → Slack MCP      ✗ blocked
```

Xybern becomes the identity and authorisation perimeter for the entire MCP ecosystem.
Step 1: Register your MCP server
Register any upstream MCP server via the Authorisation Layer dashboard (MCP Gateway tab → Add Server) or via the API:

```
curl -X POST https://www.xybern.com/api/sentinel/mcp/servers \
  -H "Cookie: <session>" \
  -H "Content-Type: application/json" \
  -d '{
    "workspace_id": "your-workspace-id",
    "server_name": "filesystem",
    "upstream_url": "http://localhost:3000",
    "transport_type": "streamable_http",
    "auth_type": "bearer",
    "auth_secret": "my-mcp-server-token",
    "blocked_tools": ["delete_file", "overwrite_file"]
  }'
```

- `transport_type`: `streamable_http` (MCP spec 2025-03-26) or `sse` (legacy HTTP+SSE).
- `auth_type`: `none`, `bearer`, `header`, or `basic`. The auth secret is stored encrypted.

Step 2: Point your client at the proxy URL
The proxy URL for a registered server is:
Claude Desktop / Claude Code (config.json):

```
{
  "mcpServers": {
    "filesystem": {
      "url": "https://www.xybern.com/gateway/mcp/filesystem",
      "headers": { "X-Xybern-API-Key": "xb_live_..." }
    }
  }
}
```

Any MCP client with HTTP transport:

```
MCP_SERVER_URL=https://www.xybern.com/gateway/mcp/filesystem
MCP_SERVER_HEADERS='{"X-Xybern-API-Key": "xb_live_..."}'
```

SSE transport (legacy clients):

```
# SSE stream endpoint
GET https://www.xybern.com/gateway/mcp/<server_name>/sse
X-Xybern-API-Key: xb_live_...

# Message endpoint (returned in first SSE event)
POST https://www.xybern.com/gateway/mcp/<server_name>/message?sessionId=<id>
X-Xybern-API-Key: xb_live_...
```

What gets enforced automatically

| Method | Enforcement |
|---|---|
| `tools/call` | Full ControlPlane: policies, trust score, agent tool policies, chain detection |
| `resources/read` | Sensitive URI patterns enforced; others pass through |
| `tools/list` | Response filtered: blocked / non-allowed tools stripped before the client sees them |
| `initialize` | Server validated against registry; unknown servers rejected |

Agent Tool Policies
Define per-agent, per-server tool permission matrices, including regex constraints on arguments (e.g. SELECT-only SQL queries):

```
curl -X POST https://www.xybern.com/api/sentinel/mcp/agent-policies \
  -H "Cookie: <session>" \
  -H "Content-Type: application/json" \
  -d '{
    "workspace_id": "your-workspace-id",
    "agent_id": "agent_abc123",
    "server_name": "database",
    "allowed_tools": ["execute_query", "list_tables"],
    "blocked_tools": ["drop_table", "delete_rows"],
    "argument_constraints": {
      "execute_query": [
        {"arg": "sql", "pattern": "^\\s*SELECT", "description": "SELECT queries only"}
      ]
    }
  }'
```
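
An added example, not Xybern's code, for checking an `argument_constraints` pattern offline before registering it: it runs the `^\s*SELECT` constraint shown above and a tighter alternative against constructed queries. Assumptions: the page does not say how the gateway applies the regex, so this uses Python `re.search` (unanchored, case-sensitive unless the pattern sets flags), with `blocked_tools` taking precedence over `allowed_tools`; `STRICT_PATTERN`, `make_policy`, `evaluate` and `audit` are hypothetical names.

```python
import re

PAGE_PATTERN = r"^\s*SELECT"  # the page's constraint; JSON form is "^\\s*SELECT"
# Hypothetical tighter pattern: case-insensitive, a single statement, and no
# ';', '--' or '/*' before the end. It fails closed on a ';' inside a string literal.
STRICT_PATTERN = r"(?is)^\s*SELECT\b(?:(?!;|--|/\*).)*;?\s*$"

def make_policy(sql_pattern):
    """Policy shaped like the page's agent-policies body, with a chosen sql pattern."""
    return {
        "allowed_tools": ["execute_query", "list_tables"],
        "blocked_tools": ["drop_table", "delete_rows"],
        "argument_constraints": {"execute_query": [
            {"arg": "sql", "pattern": sql_pattern, "description": "SELECT queries only"},
        ]},
    }

def evaluate(policy, tool, args):
    """Assumed semantics: blocked list wins, then allowlist, then re.search per rule."""
    if tool in policy["blocked_tools"]:
        return False, "tool is in blocked_tools"
    if tool not in policy["allowed_tools"]:
        return False, "tool is not in allowed_tools"
    for rule in policy["argument_constraints"].get(tool, []):
        value = str(args.get(rule["arg"], ""))
        if not re.search(rule["pattern"], value):
            return False, "argument %r rejected: %s" % (rule["arg"], rule["description"])
    return True, "allowed"

# Constructed sample arguments for execute_query, not taken from any real log.
SAMPLES = [
    "SELECT id FROM users WHERE id = 1",
    "  select id from users",
    "SELECT 1; DROP TABLE users",
    "DELETE FROM users",
]

def audit(sql_pattern):
    """Allow/deny decision for each sample under the given sql pattern."""
    policy = make_policy(sql_pattern)
    return [evaluate(policy, "execute_query", {"sql": q})[0] for q in SAMPLES]

if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        for query, ok in zip(SAMPLES, audit(pat)):
            print("%-6s %-5s %r" % (name, "allow" if ok else "deny", query))
```

A prefix-only pattern constrains how the argument starts, not what follows it. A regex is not a SQL parser, so a read-only database role on the upstream server covers what the pattern misses.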