MCP Boundary

MCP Boundary

MCP Boundary is a local check layer for MCP tool calls.

It sits between your agent and the MCP servers you choose to run through it. The agent can still use MCP tools, but calls with real effects can be made visible, limited, blocked, and recorded before they reach the underlying server.

The core idea is simple:

Seeing a tool is not the same as permission to run every call.

An agent might know that a server has a send, delete, update, deploy, or write tool. MCP Boundary helps you decide what should happen for the concrete call the agent is asking for right now.

What You Get

MCP Boundary gives you:

  • a local mcpboundary command
  • a first-run local email demo
  • a localhost dashboard for setup, tools, policy, and activity
  • a way to add multiple MCP server profiles
  • policy files for showing, hiding, allowing, blocking, and limiting tools
  • activity records for calls that pass through MCP Boundary

It is meant for local MCP workflows where tools can create real side effects:

  • writing records
  • creating drafts
  • sending messages
  • changing tickets
  • deleting or moving data
  • triggering deployments or scripts
  • retrying writes after state has changed

If your MCP server is read-only, MCP Boundary may be less important. If your MCP tools can change things, it gives you a place to make those calls explicit.

Multiple MCP Servers

If you use several MCP servers, you add one profile per server, and your agent gets one separate MCP entry per profile. Tools are never merged into a single shared list. How it works covers the per-profile model in detail.

First Thing To Try

Start with the included local email demo.

The demo does not connect to Gmail, Outlook, or any real mailbox. It is a safe way to see the product behavior:

search email       allowed
read thread        allowed
create draft       allowed
send email         blocked before execution

From a downloaded ZIP on Windows:

powershell
.\mcpboundary.exe quickstart email

That starts a connected local dashboard, prepares a replacement MCP config entry for your agent, and keeps running until you stop it with Ctrl+C.

How To Read These Docs

Use this order if you are new:

What It Is Not

MCP Boundary is not:

  • a hosted gateway
  • a cloud service
  • a replacement for your MCP server
  • a sandbox for arbitrary downstream server internals
  • DLP
  • prompt-injection protection
  • a guarantee that email, databases, GitHub, browsers, or files are safe
  • a dashboard approval queue

Only calls routed through MCP Boundary are checked. If the agent still has a direct MCP entry for the downstream server, that direct path bypasses the boundary.

The Short Version

Agent asks for a tool call.
MCP Boundary checks the call.
Allowed calls go to the MCP server.
Blocked calls stop before the MCP server runs.
The dashboard shows what happened.