mcp-guard
Acts as a security gateway for Supabase MCP servers, allowing users to define block rules to prevent destructive operations such as DELETE, DROP, or TRUNCATE.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-guardshow the active block rules for the supabase_production server"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-guard
A simple HTTP proxy that gates MCP servers with block rules.
No SDKs. No dashboards. Just a JSON config and a toggle command.
Client (Claude, Cursor, etc.)
↕ http
mcp-guard (localhost proxy)
↕ http
Upstream MCP server (supabase, postgres, etc.)Quick Start
1. Install
npm install -g @alramalho/mcp-guardOr from source:
git clone https://github.com/alramalho/mcp-guard
cd mcp-guard
pnpm install && pnpm build && npm link --force2. Create .mcp-guard.json
In your project root (or ~/.mcp-guard.json globally). Config is auto-discovered by walking up from cwd.
{
"port": 6427,
"servers": {
"supabase_production": {
"url": "https://mcp.supabase.com/mcp?project_ref=xxx&read_only=true",
"block": ["DELETE", "UPDATE", "DROP", "TRUNCATE", "ALTER", "INSERT"],
"blockMessage": "Destructive SQL operations are not allowed in production"
}
}
}3. Update your mcp.json
Replace the direct upstream URL with the mcp-guard proxy:
{
"mcpServers": {
"supabase_production": {
"type": "http",
"url": "http://localhost:6427/supabase_production"
}
}
}4. Toggle on/off
$ mcp-guard
MCP Guard on → http://localhost:6427
$ mcp-guard
MCP Guard offDebug mode
Run in foreground to see all tool calls and block decisions live:
$ mcp-guard -dConfig
.mcp-guard.json (auto-discovered from cwd up, or ~/.mcp-guard.json, or --config <path>):
Field | Type | Default | Description |
|
|
| Port for the local HTTP proxy |
|
| — | Map of gate name → server config |
Each server:
Field | Type | Description |
|
| Upstream MCP server URL |
|
| Set to |
|
| Static Bearer token for upstream auth (optional) |
|
| Patterns to block (case-insensitive substring match) |
|
| Error message returned when blocked |
Authentication
mcp-guard handles OAuth-protected upstream servers (e.g. Supabase) automatically. On first connection, if the upstream requires auth, mcp-guard will open your browser for OAuth authorization. Tokens are cached in ~/.mcp-guard/auth/ and refreshed automatically.
Alternatively, you can provide a static token in the config:
{
"servers": {
"my_server": {
"url": "https://example.com/mcp",
"token": "your-access-token"
}
}
}How It Works
mcp-guardstarts a local HTTP serverWhen a client connects to
http://localhost:PORT/<gate_name>, it connects to the upstream MCP serverIt discovers all upstream tools and re-exposes them
On each tool call, all argument values are checked against block patterns
If any pattern matches → error returned, call never reaches upstream
If no match → call is forwarded to upstream as-is
License
MIT
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/alramalho/mcp-guard'
If you have feedback or need assistance with the MCP directory API, please join our Discord server