Acts as a security gateway for Supabase MCP servers, allowing users to define block rules to prevent destructive operations such as DELETE, DROP, or TRUNCATE.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-guardshow the active block rules for the supabase_production server"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-guard
A simple HTTP proxy that gates MCP servers with block rules.
No SDKs. No dashboards. Just a JSON config and a toggle command.
Client (Claude, Cursor, etc.)
↕ http
mcp-guard (localhost proxy)
↕ http
Upstream MCP server (supabase, postgres, etc.)Quick Start
1. Install
npm install -g @alramalho/mcp-guardOr from source:
git clone https://github.com/alramalho/mcp-guard
cd mcp-guard
pnpm install && pnpm build && npm link --force2. Create .mcp-guard.json
In your project root (or ~/.mcp-guard.json globally). Config is auto-discovered by walking up from cwd.
{
"port": 6427,
"servers": {
"supabase_production": {
"url": "https://mcp.supabase.com/mcp?project_ref=xxx&read_only=true",
"block": ["DELETE", "UPDATE", "DROP", "TRUNCATE", "ALTER", "INSERT"],
"blockMessage": "Destructive SQL operations are not allowed in production"
}
}
}3. Update your mcp.json
Replace the direct upstream URL with the mcp-guard proxy:
{
"mcpServers": {
"supabase_production": {
"type": "http",
"url": "http://localhost:6427/supabase_production"
}
}
}4. Toggle on/off
$ mcp-guard
MCP Guard on → http://localhost:6427
$ mcp-guard
MCP Guard offDebug mode
Run in foreground to see all tool calls and block decisions live:
$ mcp-guard -dConfig
.mcp-guard.json (auto-discovered from cwd up, or ~/.mcp-guard.json, or --config <path>):
Field | Type | Default | Description |
|
|
| Port for the local HTTP proxy |
|
| — | Map of gate name → server config |
Each server:
Field | Type | Description |
|
| Upstream MCP server URL |
|
| Set to |
|
| Static Bearer token for upstream auth (optional) |
|
| Patterns to block (case-insensitive substring match) |
|
| Error message returned when blocked |
Authentication
mcp-guard handles OAuth-protected upstream servers (e.g. Supabase) automatically. On first connection, if the upstream requires auth, mcp-guard will open your browser for OAuth authorization. Tokens are cached in ~/.mcp-guard/auth/ and refreshed automatically.
Alternatively, you can provide a static token in the config:
{
"servers": {
"my_server": {
"url": "https://example.com/mcp",
"token": "your-access-token"
}
}
}How It Works
mcp-guardstarts a local HTTP serverWhen a client connects to
http://localhost:PORT/<gate_name>, it connects to the upstream MCP serverIt discovers all upstream tools and re-exposes them
On each tool call, all argument values are checked against block patterns
If any pattern matches → error returned, call never reaches upstream
If no match → call is forwarded to upstream as-is
License
MIT
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.