mcp-audit
The mcp-audit server is a security and observability proxy wrapping an upstream filesystem MCP server. It provides two layers of functionality:
Filesystem Operations (via proxied server)
Read files:
read_text_file(full or first/last N lines),read_media_file(images/audio as base64),read_multiple_files(batch),read_file(deprecated)Write/Edit:
write_fileto create or overwrite;edit_filefor line-based edits with diff output and dry-run supportDirectory operations:
create_directory,list_directory,list_directory_with_sizes(sortable),directory_tree(recursive JSON tree),list_allowed_directoriesFile management:
move_fileto move or rename;search_fileswith glob patterns;get_file_infofor size, timestamps, and permissions
Security & Observability (mcp-audit proxy layer)
Audit trails: All tool calls, resource reads, and JSON-RPC methods are logged as signed JSONL or SQLite entries
Data redaction: Sensitive fields are automatically redacted before storage
Policy enforcement: Synchronous allow/deny policies can block specific tools (e.g., destructive operations), with per-tool rate limiting
Monitoring: A local read-only dashboard shows recent audit entries, top tools, and error rates; Prometheus metrics are exposed for external monitoring
mcp-audit
A drop-in security and observability proxy for MCP servers. mcp-audit sits between an MCP client and any upstream MCP server to produce signed audit trails, redact sensitive payloads, enforce allow/deny policies and per-tool rate limits, and expose a local read-only dashboard.
For a contributor-oriented map of the runtime, package boundaries, concurrency model, and design invariants, see ARCHITECTURE.md.
Why mcp-audit?
The MCP 2026 roadmap calls out enterprise needs around audit trails, gateway patterns, and operational visibility. mcp-audit fills that gap as a deployable sidecar or local wrapper: it sits between any MCP client and server, preserves protocol traffic, and records signed audit entries for tool calls, resource reads, prompt requests, and all other JSON-RPC methods.
+-------------+ JSON-RPC / MCP +-----------+ JSON-RPC / MCP +-------------+
| MCP client | <-------------------> | mcp-audit | <---------------------> | MCP server |
+-------------+ +-----------+ +-------------+
|
v
JSONL or SQLite audit log
|
v
Read-only dashboardRelated MCP server: GitHub MCP Server Plus
What This Is / Is Not
mcp-audit is not a domain-specific MCP server. It is a transparent security and observability proxy that wraps any MCP server and audits the JSON-RPC traffic passing through it.
Directories may show the tools exposed by the upstream server, not tools implemented by mcp-audit itself.
Supported Transports
stdiofor local MCP clients such as Claude Desktophttpfor MCP servers exposed over HTTP
HTTP upstreams can use custom CA bundles, TLS server name overrides, and optional mTLS client certificates. Upstream retries are disabled by default and only apply to conservative, idempotent JSON-RPC methods when enabled; tools/call is not retried.
Use Cases
Audit tool calls made by AI agents in regulated environments
Detect unexpected or dangerous MCP tool usage
Keep signed JSONL or SQLite logs for incident review
Redact sensitive fields before storing requests and responses
Block disallowed tools and apply per-tool rate limits without modifying the upstream MCP server
Demo

Install
For detailed platform-specific instructions and troubleshooting, see INSTALL.md.
Download the latest prebuilt binary and run:
# Linux/macOS: resolve latest, download, verify it starts
version=$(curl -fsSL https://api.github.com/repos/P4ST4S/mcp-audit/releases/latest \
| grep '"tag_name"' | head -n1 | cut -d'"' -f4 | sed 's/^v//')
os=$(uname | tr '[:upper:]' '[:lower:]')
arch=$(uname -m); [ "$arch" = "x86_64" ] && arch=amd64 || arch=arm64
base="https://github.com/P4ST4S/mcp-audit/releases/download/v${version}"
archive="mcp-audit_${version}_${os}_${arch}.tar.gz"
curl -L -o "${archive}" "${base}/${archive}"
tar -xzf "${archive}"
./mcp-audit --versionRun with Docker:
docker run --rm ghcr.io/p4st4s/mcp-audit:latest --versionInstall from source with Go:
go install github.com/P4ST4S/mcp-audit/cmd/mcp-audit@latestTo pin a specific release for reproducible installs, see INSTALL.md.
Quick Start
Run in stdio mode:
AUDIT_SECRET="$(openssl rand -hex 32)" \
mcp-audit --transport stdio --upstream "npx @modelcontextprotocol/server-filesystem /tmp"On Windows PowerShell, generate the secret and set it as an environment variable:
$env:AUDIT_SECRET = -join ((1..32) | ForEach-Object { '{0:x2}' -f (Get-Random -Max 256) })
.\mcp-audit.exe --transport stdio --upstream "npx @modelcontextprotocol/server-filesystem C:\Temp"Run in HTTP mode:
mcp-audit --transport http --upstream http://localhost:8080 --port 4422Run with Docker Compose:
docker compose up --buildThe dashboard is available at http://127.0.0.1:9090 by default.
Prometheus metrics are available at http://localhost:9091/metrics by default.
Examples
Configuration
mcp-audit loads config.yaml from the current directory by default. CLI flags override config values, and AUDIT_SECRET overrides audit.secret.
Key | Default | Description |
|
| Proxy transport: |
| required | Stdio command or HTTP upstream URL. |
|
| HTTP listen port. |
|
| HTTP upstream request timeout in milliseconds. |
| empty | Request headers allowed to bypass the default upstream strip list. Use |
| empty | Optional CA bundle used to verify an HTTPS upstream MCP server. |
| empty | Optional TLS server name override for the upstream MCP server. |
|
| Skip upstream TLS certificate verification. Intended only for local testing. |
| empty | Optional client certificate for upstream mTLS. Must be configured with |
| empty | Optional client key for upstream mTLS. Must be configured with |
|
| Maximum conservative retry attempts for safe HTTP upstream requests. Off by default. |
|
| Initial upstream retry backoff. |
|
| Maximum upstream retry backoff. |
|
| Client identifier written to audit entries. |
|
| Server identifier written to audit entries. |
|
| Storage backend: |
|
| JSONL audit log path. |
|
| SQLite database path. |
|
| Enable HMAC-SHA256 signatures when a secret is set. |
| empty | HMAC secret. Prefer |
|
| Enable asynchronous batched audit writes through a bounded ring buffer. |
|
| Maximum queued audit entries before backpressure blocks writers. |
|
| Maximum entries written per storage batch. |
|
| Maximum time before a partial batch is flushed. |
|
| Maximum active JSONL file size before archive rotation. |
|
| Maximum number of rotated JSONL archives to keep. |
| empty | Optional time-based JSONL rotation interval: |
|
| Delete JSONL archives whose filename rotation timestamp is older than this many days. |
|
| Enable per-client, per-tool token buckets. |
|
| Allowed requests per minute per |
|
| Enable JSON key-based PII redaction. |
| sensitive keys | Case-insensitive key fragments to redact. |
|
| Enable synchronous allow/deny policy checks for |
|
| Fallback action when no policy rule matches: |
| empty | Ordered first-match allow/deny rules for tool calls. |
|
| Serve the dashboard. |
|
| Dashboard listen address. Set explicitly, for example to |
|
| Dashboard listen port. |
| empty | Optional bearer token required as |
|
| Serve Prometheus metrics on a separate HTTP endpoint. |
|
| Metrics listen port. |
|
| Metrics HTTP path. |
|
| Include Go runtime metrics. |
|
| Include process metrics. |
|
| Include |
|
| Export |
|
| OTLP HTTP endpoint base URL. |
|
| OpenTelemetry |
| empty | Additional OTLP HTTP headers, for example |
| empty | Optional CA bundle used to verify the OTLP endpoint. |
| empty | Optional TLS server name override. |
|
| Skip OTLP TLS certificate verification. Intended only for local testing. |
|
| Maximum OTLP retry attempts after a failed export request. |
|
| Initial OTLP retry backoff. |
|
| Maximum OTLP retry backoff. |
|
| Maximum queued audit entries before trace exports are dropped. |
|
| Maximum spans per OTLP export request. |
|
| Maximum time before a partial OTLP batch is exported. |
|
| OTLP HTTP request timeout. |
By default, mcp-audit strips hop-by-hop request headers and Authorization before forwarding HTTP requests to the upstream. To pass a bearer token to a trusted authenticated upstream, opt in explicitly:
proxy:
forward_headers:
- AuthorizationSecurity note: forwarded headers, including secrets like bearer tokens, are transmitted verbatim to the upstream server. Only enable this if you control or trust the upstream MCP server. Authorization is the only sensitive header that can be opt-in forwarded because some MCP HTTP servers require it for upstream authentication. Cookie, Set-Cookie, and Proxy-Authorization are always rejected: they represent state destined for other components such as browser sessions or proxy chains and have no legitimate use in MCP request forwarding. If an existing deployment relied on implicit Authorization forwarding, add the config above.
JSONL rotation is disabled by default and supports size-based and UTC time-based triggers. Rotated archives use UTC timestamps such as audit.jsonl.20260610T214605Z; if multiple rotations happen in the same second, numeric suffixes are added. The archive timestamp reflects the wall-clock time of the rotation event, not the cutoff that was crossed. Time-based rotation is append-driven: mcp-audit does not start a background timer, so if no writes occur for several days, the active file is not rotated until the next append after the cutoff. Missed cutoffs are not caught up; the next append creates at most one archive.
audit:
storage: jsonl
rotation:
max_size_bytes: 104857600
interval: daily
max_files: 10
max_age_days: 30max_age_days uses the rotation timestamp encoded in the archive filename. This means age since rotation, not the age of the oldest entry inside the archive. Age retention runs before max_files retention. Compression and SQLite archival are not part of this release.
CLI flags:
--transport stdio | http
--upstream upstream server command or URL
--port proxy port for http mode
--upstream-timeout upstream HTTP request timeout in milliseconds
--config path to config.yaml
--storage jsonl | sqlite
--no-dashboard disable the web dashboard
--no-metrics disable Prometheus metrics
--version print version and exit
--log-level debug | info | warn | errorClaude Desktop
Configure Claude Desktop to spawn mcp-audit instead of the upstream MCP server:
{
"mcpServers": {
"filesystem-audited": {
"command": "mcp-audit",
"args": [
"--transport",
"stdio",
"--upstream",
"npx @modelcontextprotocol/server-filesystem /tmp"
],
"env": {
"AUDIT_SECRET": "replace-with-a-long-random-secret"
}
}
}
}Dashboard
The dashboard shows recent entries, filters, expandable request/result JSON, top tools, calls today, and error rate. It refreshes every five seconds.
By default the dashboard listens only on 127.0.0.1:9090. To expose it on another interface, configure dashboard.bind_address explicitly and enable authentication or place it behind a trusted access proxy.
dashboard:
enabled: true
bind_address: 127.0.0.1
port: 9090
auth:
token: "replace-with-a-long-random-token"When dashboard.auth.token is configured, requests to /, /api/entries, and /api/stats must include:
Authorization: Bearer replace-with-a-long-random-tokenMissing or invalid credentials return 401 Unauthorized with WWW-Authenticate: Bearer realm="mcp-audit-dashboard". Repeated failed authentication attempts from the same remote address are throttled with 429 Too Many Requests.
Dashboard JSON API responses include Cache-Control: no-store so intermediaries and browsers do not retain audit payloads.
Prometheus Metrics
mcp-audit exposes Prometheus metrics on a separate endpoint so platform teams can scrape operational data without exposing the dashboard.
scrape_configs:
- job_name: mcp-audit
static_configs:
- targets: ["localhost:9091"]Application metrics use the mcp_audit_ prefix and avoid unbounded labels. Tool-level labels can be disabled with metrics.tool_labels: false for stricter cardinality control. Policy decisions are exposed as mcp_audit_policy_decisions_total{action="allow|deny"}.
For a ready-made Prometheus + Grafana stack, see examples/docker-compose-observability.
Policy Engine
mcp-audit can enforce synchronous allow/deny rules before a tools/call reaches the upstream MCP server. Denied calls return a JSON-RPC error and are still written to the audit log.
policy:
enabled: true
default_action: allow
rules:
- action: deny
client_id: claude-desktop
server_id: filesystem
tool_name: delete_file
reason: "Destructive filesystem operations are blocked"Rules are evaluated in order. Empty fields and * match any value, so default_action: deny can be used with explicit allow rules for stricter deployments.
OpenTelemetry
mcp-audit can export tools/call audit entries as OTLP/HTTP JSON spans to Jaeger, Tempo, Honeycomb, or any OTLP-compatible collector.
otel:
enabled: true
endpoint: "http://localhost:4318"
service_name: "mcp-audit"
headers:
Authorization: "Bearer your-token"
timeout_ms: 5000
retry:
max_retries: 3
initial_interval_ms: 200
max_interval_ms: 2000The exporter uses current OpenTelemetry MCP and GenAI semantic conventions where possible, including mcp.method.name, jsonrpc.request.id, gen_ai.operation.name, gen_ai.tool.name, network.transport, network.protocol.name, rpc.response.status_code, and error.type. Project-specific attributes are kept link-oriented, such as mcp_audit.entry_id, mcp_audit.direction, mcp_audit.client_id, mcp_audit.server_id, mcp_audit.storage, and mcp_audit.signature.present.
Request params and tool results are not exported to spans by default. The signed JSONL or SQLite audit row remains the evidence artifact; OTLP provides correlation, latency, and operational visibility.
Exporter health is visible through Prometheus metrics under the mcp_audit_otel_ prefix, including export requests, span outcomes, dropped spans, queue depth, and queue capacity. Temporary OTLP failures are retried with bounded exponential backoff; Retry-After is honored for retryable responses up to otel.retry.max_interval_ms.
Audit Entries
Each stored entry includes a ULID, timestamp, direction, transport, JSON-RPC method, tool name when present, redacted params/result, JSON-RPC error when present, duration, client/server identifiers, and an optional HMAC-SHA256 signature.
Example JSONL entry:
{
"id": "01HY8G6Y8S6W9K6ZD7VJ4Q8X4R",
"timestamp": "2026-05-25T12:34:56Z",
"direction": "client_to_server",
"transport": "stdio",
"method": "tools/call",
"tool_name": "read_file",
"params": {
"name": "read_file",
"arguments": {
"path": "/tmp/example.txt",
"token": "[REDACTED]"
}
},
"duration_ms": 18,
"client_id": "claude-desktop",
"server_id": "filesystem",
"signature": "hmac-sha256:..."
}The signature covers:
id + timestamp + method + tool_name + raw_paramsRoadmap
SIEM-friendly exports
OTLP compression and trace context propagation
Contributing
Keep changes small, run go build ./... and go vet ./..., and prefer standard library behavior over new dependencies. Stability guarantees are documented in STABILITY.md.
See CONTRIBUTING.md for setup, PR expectations, and project principles. See CHANGELOG.md for release history.
Community
Discussions: questions, ideas, and design conversations
Issues: bug reports and concrete feature requests
Security: see SECURITY.md for the private vulnerability reporting process
License
Apache-2.0. See LICENSE.
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/P4ST4S/mcp-audit'
If you have feedback or need assistance with the MCP directory API, please join our Discord server