The core idea is simple:
Seeing a tool is not the same as permission to run every call.
An agent might know that a server has a send, delete, update, deploy, or write tool. MCP Boundary helps you decide what should happen for the concrete call the agent is asking for right now.
What You Get
MCP Boundary gives you:
- a local
mcpboundarycommand - a first-run local email demo
- a localhost dashboard for setup, tools, policy, and activity
- a way to add multiple MCP server profiles
- policy files for showing, hiding, allowing, blocking, and limiting tools
- activity records for calls that pass through MCP Boundary
It is meant for local MCP workflows where tools can create real side effects:
- writing records
- creating drafts
- sending messages
- changing tickets
- deleting or moving data
- triggering deployments or scripts
- retrying writes after state has changed
If your MCP server is read-only, MCP Boundary may be less important. If your MCP tools can change things, it gives you a place to make those calls explicit.
Multiple MCP Servers
If you use several MCP servers, you add one profile per server, and your agent gets one separate MCP entry per profile. Tools are never merged into a single shared list. How it works covers the per-profile model in detail.
First Thing To Try
Start with the included local email demo.
The demo does not connect to Gmail, Outlook, or any real mailbox. It is a safe way to see the product behavior:
search email allowed read thread allowed create draft allowed send email blocked before execution
From a downloaded ZIP on Windows:
That starts a connected local dashboard, prepares a replacement MCP config entry for your agent, and keeps running until you stop it with Ctrl+C.
How To Read These Docs
Use this order if you are new:
- Getting Started - run the local demo and open the dashboard.
- How It Works - understand what sits between the agent and the MCP server.
- Policy Examples - see how tools become visible, allowed, blocked, or limited.
- Tested Servers And Limits - see what has actually been tested.
- Real Gmail Setup - advanced guide for a real Gmail-style MCP server.
- FAQ - common questions about retries, hidden effects, auth, and limits.
What It Is Not
MCP Boundary is not:
- a hosted gateway
- a cloud service
- a replacement for your MCP server
- a sandbox for arbitrary downstream server internals
- DLP
- prompt-injection protection
- a guarantee that email, databases, GitHub, browsers, or files are safe
- a dashboard approval queue
Only calls routed through MCP Boundary are checked. If the agent still has a direct MCP entry for the downstream server, that direct path bypasses the boundary.
The Short Version
Agent asks for a tool call. MCP Boundary checks the call. Allowed calls go to the MCP server. Blocked calls stop before the MCP server runs. The dashboard shows what happened.