safeguard-mcp
SafeGuard MCP server (@the-safeguard-ai/mcp)
A Model Context Protocol server that exposes SafeGuard AI's DLP engine, Secure AI Gateway, and Shadow AI discovery as tools any MCP client (Claude Desktop, Cursor, Windsurf, Claude Code, …) can call. Speaks MCP over stdio.
The point: give an AI agent a governed way to handle and send data. Before an agent pastes a chunk of text into some external tool, it can `dlp_scan` it; to sanitize it, `dlp_redact`; to ask a model with policy and audit enforced, `secure_chat`.
Tools
| Tool | Needs token? | What it does |
|---|---|---|
| `dlp_scan` | no | Detect PII/secrets in text; returns findings, counts by type, and whether it would be blocked. Local: no network, no tokens. |
| `dlp_redact` | no | Return a sanitized copy with |
| | no | List the detector types SafeGuard recognizes (international by default). Local. |
| `secure_chat` | yes | Ask an LLM through the gateway: inbound redaction, org policy, routing (cloud/self-hosted), audit log. Returns the reply plus the redaction count. |
| | yes | Summarize which AI tools the org uses and what data was caught on each. Read-only. |
| | yes | List the org's active DLP policies as enforced by the gateway. Read-only. |
The three local DLP tools mirror `crates/dlp` (the Rust source of truth) and run entirely in-process; no backend is required.
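To make the scan, decide, redact flow concrete, here is an added example in TypeScript. It is not the project's code and not the `crates/dlp` engine: a toy stand-in for `dlp_scan` and `dlp_redact` with three detectors (email, Luhn-validated payment card, AWS access-key id) and the gate an agent would run before pasting text into an external tool. The detector set, the `findings`/`counts`/`blocked` field names, the `allow`/`redact`/`block` action vocabulary and the sample text are assumptions modelled on the table above.

```typescript
// Added example, not the project's code and not the crates/dlp engine: a toy
// stand-in for dlp_scan / dlp_redact plus the agent-side gate that uses them.
// Detector set, field names and action names are assumptions.

export type Action = "allow" | "redact" | "block";

export interface Policy {
  defaultAction: Action;   // stands in for the README's "default action for the local DLP tools"
  blockTypes: Set<string>; // finding types that are never sent, even under "redact"
}

export interface Finding { type: string; start: number; end: number; match: string }

export interface ScanResult {
  findings: Finding[];
  counts: Record<string, number>;
  blocked: boolean;
}

// Luhn check: keeps 13-19 digit order numbers, tracking ids etc. from being
// reported as payment cards.
export function luhnValid(digits: string): boolean {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

interface Detector { type: string; re: RegExp; validate?: (m: string) => boolean }

const DETECTORS: Detector[] = [
  { type: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "credit_card", re: /\b\d(?:[ -]?\d){12,18}\b/g, validate: (m) => luhnValid(m.replace(/[ -]/g, "")) },
  { type: "aws_access_key", re: /\bAKIA[0-9A-Z]{16}\b/g }, // AWS access key id format
];

export function scan(text: string, policy: Policy): ScanResult {
  const findings: Finding[] = [];
  for (const d of DETECTORS) {
    d.re.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = d.re.exec(text)) !== null) {
      if (d.validate && !d.validate(m[0])) continue; // regex hit, validator says false positive
      findings.push({ type: d.type, start: m.index, end: m.index + m[0].length, match: m[0] });
    }
  }
  findings.sort((a, b) => a.start - b.start);
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.type] = (counts[f.type] ?? 0) + 1;
  // "block": any finding blocks; "redact": only the never-send types block;
  // "allow": nothing blocks (the scan is advisory).
  const blocked =
    policy.defaultAction === "block" ? findings.length > 0
    : policy.defaultAction === "redact" ? findings.some((f) => policy.blockTypes.has(f.type))
    : false;
  return { findings, counts, blocked };
}

// Replace spans right-to-left so earlier offsets stay valid; overlapping spans are replaced once.
export function redact(text: string, findings: Finding[]): string {
  let out = text;
  let lastStart = Infinity;
  for (const f of [...findings].sort((a, b) => b.start - a.start)) {
    if (f.end > lastStart) continue;
    out = out.slice(0, f.start) + `[${f.type}]` + out.slice(f.end);
    lastStart = f.start;
  }
  return out;
}

export type Decision = "send" | "send_redacted" | "hold";

// What an agent does with a chunk before handing it to an external tool.
export function gate(text: string, policy: Policy): { decision: Decision; text: string; scan: ScanResult } {
  const result = scan(text, policy);
  if (result.blocked) return { decision: "hold", text: "", scan: result };
  if (result.findings.length === 0 || policy.defaultAction === "allow") return { decision: "send", text, scan: result };
  return { decision: "send_redacted", text: redact(text, result.findings), scan: result };
}

// Constructed sample: the card is the well-known Visa test number, the second
// 16-digit run fails Luhn, and the key id is the example AWS documentation uses.
export const SAMPLE =
  "Contact jane@example.com, card 4111 1111 1111 1111, order 1234 5678 9012 3456, key AKIAIOSFODNN7EXAMPLE";

export const DEFAULT_POLICY: Policy = { defaultAction: "redact", blockTypes: new Set(["aws_access_key"]) };
```

Under `DEFAULT_POLICY` the sample is held because the access-key id is a never-send type; with an empty `blockTypes` the same text goes out redacted, and the Luhn-invalid order number is left alone.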
Configuration (environment)
| Var | Default | Purpose |
|---|---|---|
| `SAFEGUARD_TOKEN` | (unset) | Bearer token: a user JWT (sign in to SafeGuard) or an org API key (`sg_…`). |
| `SAFEGUARD_GATEWAY_URL` | | Secure AI Gateway base URL. |
| `SAFEGUARD_CONTROL_PLANE_URL` | | Control-plane (governance API) base URL. |
| | | Default model id for `secure_chat`. |
| | | Default action for the local DLP tools. |
Run
```sh
# from the repo root
bun run mcp
# or directly
bun run services/mcp/src/index.ts
```

stdout is reserved for the MCP protocol; logs go to stderr.
Add to an MCP client
Claude Desktop / Cursor / Windsurf (mcpServers config):
```json
{
  "mcpServers": {
    "safeguard": {
      "command": "bun",
      "args": ["run", "/absolute/path/to/safeguard-ai/services/mcp/src/index.ts"],
      "env": {
        "SAFEGUARD_TOKEN": "<your JWT or sg_… API key>",
        "SAFEGUARD_GATEWAY_URL": "http://localhost:8080",
        "SAFEGUARD_CONTROL_PLANE_URL": "http://localhost:8081"
      }
    }
  }
}
```

Claude Code:

```sh
claude mcp add safeguard --env SAFEGUARD_TOKEN=<token> \
  -- bun run /absolute/path/to/safeguard-ai/services/mcp/src/index.ts
```

Without `SAFEGUARD_TOKEN` the local DLP tools still work; the gateway and governance tools return a clear "set SAFEGUARD_TOKEN" message.
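The stdio wiring above can be exercised without a full MCP client. The following added example is not part of the SafeGuard project: it builds the JSON-RPC messages the MCP stdio transport expects (one JSON object per line on stdin and stdout, with stderr left free for logs), reassembles the server's newline-delimited replies, and interprets a `tools/call` result, including the "set SAFEGUARD_TOKEN" reply described above for gateway tools when no token is configured. The `dlp_scan` argument name `text`, the `secure_chat` argument name `prompt`, and the server transcript used to run it offline are assumptions.

```typescript
// Added example, not the SafeGuard project's code: a minimal MCP stdio client.
// Assumptions: dlp_scan takes { text }, secure_chat takes { prompt }.
import { spawn } from "node:child_process";

export interface JsonRpcRequest {
  jsonrpc: "2.0";
  id?: number; // absent on notifications
  method: string;
  params?: unknown;
}

export interface JsonRpcResponse {
  jsonrpc: "2.0";
  id: number;
  result?: { content?: { type: string; text?: string }[]; isError?: boolean; [k: string]: unknown };
  error?: { code: number; message: string };
}

// MCP stdio transport: exactly one JSON object per line. A raw newline inside a
// message would split it and desynchronise every message after it.
export function encode(msg: JsonRpcRequest): string {
  const line = JSON.stringify(msg);
  if (line.includes("\n")) throw new Error("MCP stdio messages must not contain raw newlines");
  return line + "\n";
}

// Reassembles complete lines from arbitrary stdout chunks: one reply may arrive
// split across several 'data' events, or several replies in one event.
export class LineFramer {
  private buffer = "";
  push(chunk: string): JsonRpcResponse[] {
    this.buffer += chunk;
    const messages: JsonRpcResponse[] = [];
    let nl: number;
    while ((nl = this.buffer.indexOf("\n")) !== -1) {
      const line = this.buffer.slice(0, nl).trim();
      this.buffer = this.buffer.slice(nl + 1);
      if (line.length > 0) messages.push(JSON.parse(line) as JsonRpcResponse);
    }
    return messages;
  }
}

export function initializeRequest(id: number): JsonRpcRequest {
  return {
    jsonrpc: "2.0", id, method: "initialize",
    params: { protocolVersion: "2024-11-05", capabilities: {}, clientInfo: { name: "safeguard-probe", version: "0.0.1" } },
  };
}

export const initializedNotification: JsonRpcRequest = { jsonrpc: "2.0", method: "notifications/initialized" };

export function toolCallRequest(id: number, name: string, args: Record<string, unknown>): JsonRpcRequest {
  return { jsonrpc: "2.0", id, method: "tools/call", params: { name, arguments: args } };
}

export interface ToolOutcome { ok: boolean; text: string; needsToken: boolean }

// A tool failure arrives as result.isError with the explanation in content; a
// protocol failure arrives as a JSON-RPC error. The README says gateway and
// governance tools answer with a "set SAFEGUARD_TOKEN" message when no token is
// configured, so that case is surfaced separately from real findings.
export function interpret(resp: JsonRpcResponse): ToolOutcome {
  if (resp.error) return { ok: false, text: resp.error.message, needsToken: false };
  const text = (resp.result?.content ?? [])
    .filter((c) => c.type === "text")
    .map((c) => c.text ?? "")
    .join("\n");
  return { ok: resp.result?.isError !== true, text, needsToken: /SAFEGUARD_TOKEN/.test(text) };
}

// Constructed transcript (not real server output) so the framer can be exercised offline.
export const SAMPLE_STDOUT = [
  { jsonrpc: "2.0", id: 1, result: { protocolVersion: "2024-11-05", capabilities: { tools: {} }, serverInfo: { name: "safeguard", version: "0.0.0" } } },
  { jsonrpc: "2.0", id: 2, result: { content: [{ type: "text", text: JSON.stringify({ blocked: true, counts: { credit_card: 1 } }) }] } },
  { jsonrpc: "2.0", id: 3, result: { isError: true, content: [{ type: "text", text: "set SAFEGUARD_TOKEN to use the gateway" }] } },
].map((m) => JSON.stringify(m) + "\n").join("");

// Drive a real server: `bun run client.ts /absolute/path/to/safeguard-ai/services/mcp/src/index.ts`
export async function probe(serverPath: string): Promise<ToolOutcome[]> {
  // stdout is the protocol channel and the only stream parsed; stderr is
  // inherited so the server's logs stay visible without being mistaken for JSON.
  const child = spawn("bun", ["run", serverPath], { stdio: ["pipe", "pipe", "inherit"], env: process.env });
  const framer = new LineFramer();
  const pending = new Map<number, (r: JsonRpcResponse) => void>();
  child.stdout!.setEncoding("utf8");
  child.stdout!.on("data", (chunk: string) => {
    for (const msg of framer.push(chunk)) pending.get(msg.id)?.(msg);
  });
  const call = (req: JsonRpcRequest) =>
    new Promise<JsonRpcResponse>((resolve) => {
      pending.set(req.id as number, resolve);
      child.stdin!.write(encode(req));
    });
  await call(initializeRequest(1));
  child.stdin!.write(encode(initializedNotification));
  const scanOutcome = interpret(await call(toolCallRequest(2, "dlp_scan", { text: "card 4111 1111 1111 1111" })));
  const chatOutcome = interpret(await call(toolCallRequest(3, "secure_chat", { prompt: "Summarise this ticket." })));
  child.kill();
  return [scanOutcome, chatOutcome];
}

if (process.argv[2]) {
  probe(process.argv[2]).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Passing a server path on the command line talks to a live server; with no argument the module only defines the helpers, and `SAMPLE_STDOUT` shows the shape of replies they expect. Keeping stderr out of the framer is the point of the README's "stdout is reserved for the MCP protocol" rule: a log line on stdout would fail `JSON.parse` and stall every pending call.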
Typecheck
```sh
bun run typecheck
```