Blekline MCP Server
OfficialEnforces MCP tool policy and masks prompts before traffic reaches OpenAI's models.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Blekline MCP Servermask PII in this prompt before sending to Claude"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Blekline
Run secure AI agents and code.
AI ingress control plane — mask prompts, enforce MCP tool policy, and audit every agent call before models and sandboxes.
Documentation · Report Bug · Request Feature · Security · app.blekline.com
Blekline is the ingress governance layer for enterprise AI adoption. Agents in Cursor, Claude Desktop, and Codex call Blekline to redact sensitive data, classify risk, and enforce workspace MCP tool policy before traffic reaches LLM providers or Daytona sandboxes.
The open-source packages in this repository cover local enforcement, MCP tools, SDK clients, and an optional Docker ingress sidecar. The managed control plane at app.blekline.com adds Azure-backed PII masking, fleet policy, investigations, and billing.
Features
Area | Capabilities |
Ingress | OpenAI/Anthropic-compatible proxy paths, regional edge sidecar (Helm) |
MCP |
|
MCP proxy | Intercept downstream tool calls → allow / mask / block → forward to Daytona or other MCP |
SDK | TypeScript ( |
Local | Secret scan + tool policy in |
Audit | Metadata-oriented events; client surface labels (cursor, claude-desktop, codex) |
Platform comparison
Capability | OSS (this repo) | Cloud (app.blekline.com) |
MCP server / proxy | Yes | Yes |
Local tool enforce | Yes | Yes |
Azure authoritative PII | — | Yes |
Workspace fleet policy (SSE) | — | Yes |
Investigations / billing | — | Yes |
Browser extension wedge | — | Yes (proprietary) |
Architecture
[ Cursor | Claude Desktop | Codex ]
│ MCP (stdio / SSE)
▼
[ @blekline/mcp-server | @blekline/mcp-proxy ]
│ HTTPS (optional)
▼
[ Blekline control plane — mask · enforce · audit ]
├──────────────► [ Model providers ]
└──────────────► [ Daytona sandbox — approved tools only ]Details: docs/introduction/architecture.md · Daytona stack
Packages
Runnable packages live under packages/:
Package | npm / PyPI | License |
| (workspace) | Apache-2.0 |
|
| Apache-2.0 |
| PyPI (optional) | Apache-2.0 |
|
| AGPL-3.0 |
|
| AGPL-3.0 |
| Docker image | AGPL-3.0 |
OpenAPI spec: packages/contracts/openapi.yaml
Client libraries
TypeScript
npm install @blekline/client @blekline/mcp-serverimport { BleklineClient } from "@blekline/client";
const blekline = new BleklineClient({
workspaceToken: process.env.BLEKLINE_WORKSPACE_TOKEN!,
metadata: { clientSurface: "sdk" },
});
const { maskedText, decision } = await blekline.mask({
text: "Contact alice@corp.com — key AKIAIOSFODNN7EXAMPLE",
platform: "MyAgent",
});
const tool = await blekline.enforceToolCall({
toolName: "run_shell",
arguments: { cmd: "curl https://api.internal/deploy" },
});Python
pip install blekline-clientimport os
from blekline_client import BleklineClient
client = BleklineClient(workspace_token=os.environ["BLEKLINE_WORKSPACE_TOKEN"])
print(client.mask(text="alice@corp.com")["maskedText"])MCP (Cursor, Claude, Codex)
npx -y @blekline/mcp-serverGenerate example configs:
cp .env.example .env
pnpm install && pnpm build:packages
node scripts/generate-mcp-configs.mjsSee docs/mcp/cursor.md, docs/mcp/claude-desktop.md, docs/mcp/codex.md.
Local-only (no API token)
import { enforceToolCallLocally, scanTextForSecrets } from "@blekline/contracts";
scanTextForSecrets("export AWS_KEY=AKIAIOSFODNN7EXAMPLE");
enforceToolCallLocally({
toolName: "run_shell",
arguments: { cmd: "export AWS_KEY=AKIAIOSFODNN7EXAMPLE" },
requestId: "local-1",
});Deployments
Mode | Description |
Cloud | app.blekline.com — workspace tokens, Azure mask, audit |
OSS MCP |
|
Edge sidecar |
|
Daytona stack | Proxy → Daytona MCP — docs/integrations/daytona-stack.md |
pnpm build:packages
docker build -t blekline-ingress -f packages/ingress-proxy/Dockerfile .Quick start
Create a workspace API token at app.blekline.com (scopes:
mask:write,events:write).Set env:
export BLEKLINE_WORKSPACE_TOKEN=blw_... export BLEKLINE_API_URL=https://app.blekline.comInstall MCP in Cursor (
.cursor/mcp.json):{ "mcpServers": { "blekline": { "command": "npx", "args": ["-y", "@blekline/mcp-server"], "env": { "BLEKLINE_WORKSPACE_TOKEN": "blw_...", "BLEKLINE_CLIENT_SURFACE": "cursor" } } } }In the agent: "Use blekline_mask_prompt on: Contact John at john@acme.com"
REST
curl -s https://app.blekline.com/api/mask \
-H "Content-Type: application/json" \
-H "x-blekline-workspace-token: $BLEKLINE_WORKSPACE_TOKEN" \
-d '{"text":"Contact john@acme.com","platform":"CLI"}'Development
git clone https://github.com/Blekline/blekline-oss.git
cd blekline-oss
pnpm install
pnpm build:packages
pnpm demo:mcp-smoke
pnpm --filter @blekline/mcp-proxy testBenchmark local enforce latency:
pnpm demo:latencyDocumentation
Doc | Topic |
Tokens, first mask | |
Ingress vs runtime | |
p99 enforce, fast mask | |
Tools reference | |
Daytona downstream | |
| |
|
Contributing
Blekline OSS is open source under AGPL-3.0 (server/proxy) and Apache-2.0 (contracts/SDK). See CONTRIBUTING.md, CODE_OF_CONDUCT.md, and COPYRIGHT.
Note: Blekline OSS uses a multi-license layout. GitHub shows AGPL-3.0 as the repository default (LICENSE). Apache-2.0 components are under LICENSE-APACHE — see NOTICE.
License
Component | License |
| |
|
Managed SaaS at app.blekline.com is not licensed under this repository.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Blekline/blekline-oss'
If you have feedback or need assistance with the MCP directory API, please join our Discord server