Solutions · MCP Gateway

Every tool call your agents make, through one reverse proxy.

Eight checks in fixed order, in both directions. Agents act freely. Nothing reaches a tool, and no result reaches the model, without passing through.

Request a trialSee the eight checks

MCP became the default agent protocol in eighteen months.

Agents now read calendars, draft pull requests, and post to Slack through the Model Context Protocol. It sits in front of every host an agent runs in.

970×

MCP install growth, Nov 2024 to Mar 2026

Source · Effloow
100M+

cumulative MCP SDK downloads

Source · Effloow
OpenAI · Anthropic · Microsoft

shipped MCP across ChatGPT, Claude, Windows and Azure

Source · Wikipedia
What it is

A reverse proxy for tool calls.

A client like Claude Desktop or Cursor calls a tool on a server like Slack or GitHub. With Proxara in place, the gateway sits on that path and inspects both directions.

In the path, not in the way

A reverse proxy between any agent and any MCP server. Both ends see no difference. The agent does not know it is there.

Eight checks, fixed order

Every JSON-RPC message runs the same sequence before it crosses the boundary, sub-microsecond on the hot path. Each stage can stop a bad outcome on its own.

Both directions, one record

The call is checked on the way out and every result on the way back, and each lands on a single signed audit row that verifies offline.

Claude DesktopMCP client
PGPostgresProtectedsees tokens only
Redaction
Injection
Policy
Audit
tools/callpostgres__querymcp://postgres
Q2 holdings for [Person_1], account [ID_1]
Allowsigned · seq 4,215
Signed into the chained record
The eight checkpoints

One call. Eight checks. One signed record.

Every tool call runs the same sequence in fixed order, and each stage can stop a bad outcome on its own. Results run the same checks in reverse on the way back.

The audit chain and cryptographic posture sit on the security page. Security details

Egress modes

Two ways a call can leave. Set per server.

Protected
Tokens leave. The downstream tool receives [Client_E], never the real value. The default for read tools that do not need a real name.
Live
Cleartext leaves, governed. Tools that write on a person’s behalf get the real value: the token is rehydrated to John Smith at the boundary, and the crossing is recorded as its own event.
Block
A separate lever. A quarantined server fails closed on every call. Block is orthogonal to the egress mode.
What gets recorded

Every call carries its own evidence row.

The record is signed and chained. Originals never enter the payload, only hashes do. Auto-tagging links each row to the framework it evidences, and any single row verifies offline without a Proxara service in the path.

CBOR canonicalEd25519 per eventMerkle batchedSigstore Rekor
SOC 2ISO 27001GDPREU AI ActNISTHIPAASEC Reg S-P
See the cryptographic posture
Deploy

Three shapes. Production-ready in a working day.

The gateway and the device proxy compose. When both run, they share one identity vault, one audit chain, and the same tokens everywhere.

Gateway only

The fast-moving MCP team.

A signed installer ships the gateway and nothing else. The audit chain stays on the device, signed and exportable on demand.

Gateway + proxy

Desktop, terminal, and tool calls in one record.

Both surfaces share one identity vault and one audit chain. The token a person gets in their browser is the token Slack receives via Notion through Cursor.

Proxy only

Chat coverage now, agents later.

The proxy covers chat surfaces and API calls. The gateway switches on later without changing the audit shape.

  1. Hour 001

    Pull the manifest

    A signed installer or a Claude Desktop extension bundle, around three megabytes. No build step.

  2. Hour 102

    Connect a client

    Claude Desktop, Cursor, or any MCP client picks up the gateway on loopback. The agent sees no difference.

  3. Hour 203

    Connect a tool

    Slack, Notion, GitHub, Linear, Drive. One YAML entry per server, auth and token isolation handled.

  4. Day 104

    Export evidence

    A first signed evidence pack opens cleanly in the offline verifier. The chain works from row one.

Managed · MDM

IT pushes the signed package through Google Workspace or Microsoft 365. Devices pick it up on the next sync, the console configured once for everyone.

BYOD

A team member installs the bundle and opens Claude Desktop. The connector is live, scoped so the gateway only runs on the work profile.

Where to next

Adjacent reads.

Threat model

Agentic Threat Protection

Tool poisoning, indirect injection, supply-chain RCE, and the lethal-trifecta pattern, with the public CVE catalogue.

Read the threat catalogue Cryptography

Security

How the audit chain is signed and anchored. CBOR canonical, Ed25519 per event, Merkle batched, Sigstore Rekor.

See the security details Sister surface

HTTP Device Proxy

OS-layer TLS interception across browsers, terminal agents, IDE copilots, and API calls, on the device.

See the proxy

The confidence you need to put AI to work without risk.

Tell us what your agents and MCP servers are doing, and our team will reply in a few hours.

Book a call