- Everything you need to start:
- Proxy 1 MCP server
- 5 MCP tool permissions
- Audit log
- Auto-discovery
- CLI access
Your AI has root access
Your AI tools have no guardrails
MCP servers run with full access to your API keys, files, and databases. One proxy between your AI and the damage.
Your AI can see everything
Your AI tools have no boundaries
Your AI tools have access to everything on your machine. This scans what they can see and blocks what they shouldn't touch.
Field report: MCP security
MCP configs are wide open
MCP configs store secrets in plaintext. Agent graphs inherit permissions without boundaries. These tools audit and enforce.
How it works
The difference is what sits between
Raw MCP gives every tool full access. DevSafe MCP Gateway enforces boundaries.
Capabilities
Everything between your AI and the damage
Eight features that make every MCP connection auditable and controlled.
Auto-discovery
Finds servers from Claude Desktop, Cursor, VS Code. No manual configuration required.
Per-tool permissions
Allow or deny individual tools per server. Grant read access, block delete. Granular control.
Encrypted vault
API keys from DevSafe Vault, not plaintext configs. Injected at runtime, never written to disk.
Hash-chained audit
Every call logged with SHA-256 chain integrity. Each entry depends on the previous one.
Tools/list filtering
AI client never sees tools it cannot use. Blocked tools are invisible, not just denied.
Default-deny
Nothing runs until you explicitly allow it. Every new tool starts blocked. Opt in, not opt out.
Tamper detection
devsafe mcp audit verify catches any modification to the log chain.
Single binary
No Node.js, no Python, no Docker. One Go binary. Download, run, done.
Comparison
See how we compare
Side by side. No footnotes needed.
| Feature | DevSafe MCP | Raw MCP | Custom Scripts |
|---|---|---|---|
| Per-tool permissions | Yes | No | Partial |
| Encrypted credentials | Yes | No | No |
| Tamper-evident audit | Yes | No | No |
| Auto-discovery | Yes | No | No |
| Default-deny | Yes | No | Partial |
| Tool list filtering | Yes | No | No |
| Single binary | Yes | N/A | No |
| Zero configuration | Yes | Yes | No |
Pricing
Simple plans. No per-server fees.
Every plan includes auto-discovery, audit logging, and the single binary. Pay for scale, not per connection.
- Everything in Free, plus:
- Proxy unlimited MCP servers
- Unlimited MCP tool permissions
- Vault integration
- Priority support
- Export audit reports
- Everything in Pro, plus:
- Shared policies
- Team audit dashboard
- SSO integration
- Compliance reporting
- All features included:
- Up to 200 seats
- SSO / SAML / OIDC
- Org-wide policy templates
- Compliance audit export
- Dedicated onboarding
Questions
Honest answers. No hedging.
What is MCP?
Model Context Protocol lets AI assistants call external tools.
Claude Desktop, Cursor, and VS Code all use it. DevSafe MCP Gateway secures those connections.
Do I need to change my MCP config?
No. DevSafe discovers your existing servers and proxies them.
Your AI client connects to DevSafe instead of directly to the server.
What happens when a tool is blocked?
The AI client receives a clean JSON-RPC error response. No crash, no timeout.
The blocked call is logged to the audit chain.
Can the audit log be tampered with?
Each entry includes the SHA-256 hash of the previous entry. Changing any entry breaks the chain.
Run devsafe mcp audit verify to check.
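As an added illustration of the chaining described in this answer (not DevSafe's code or log format; the `Entry` fields, the tool names and the hashed layout are assumptions), a Go example of a SHA-256 hash-chained log whose verifier reports the first entry that fails the check:

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Entry is a hypothetical audit record; field names are assumptions, not DevSafe's format.
type Entry struct {
	Seq            int
	Tool, Decision string // Decision is "allow" or "deny"
	PrevHash, Hash string
}

// digest hashes every field except Hash, so each Hash also commits to PrevHash.
func digest(e Entry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%q|%q|%q", e.Seq, e.Tool, e.Decision, e.PrevHash)))
	return fmt.Sprintf("%x", sum)
}

// Append links a new record to the current tail of the chain.
func Append(chain []Entry, tool, decision string) []Entry {
	e := Entry{Seq: len(chain), Tool: tool, Decision: decision}
	if len(chain) > 0 {
		e.PrevHash = chain[len(chain)-1].Hash
	}
	e.Hash = digest(e)
	return append(chain, e)
}

// Verify returns the index of the first entry that breaks the chain, or -1 if intact.
func Verify(chain []Entry) int {
	prev := ""
	for i, e := range chain {
		if e.Seq != i || e.PrevHash != prev || e.Hash != digest(e) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	chain := Append(Append(nil, "fs.read_file", "allow"), "fs.delete_file", "deny") // constructed calls
	chain = Append(chain, "db.query", "allow")
	fmt.Println("intact:", Verify(chain))
	chain[1].Decision = "allow" // constructed tampering: flip a recorded deny
	fmt.Println("tampered:", Verify(chain))
}
```

A chain like this detects edits to recorded entries; detecting removal of the newest entries also requires keeping the latest hash somewhere the log writer cannot change.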
Where are my API keys stored?
In DevSafe Vault, encrypted with AES-256-GCM.
Keys are injected into the server process at runtime and never written to disk in plaintext.
Stop giving AI tools the keys to everything.
Default-deny. Encrypted vault. Tamper-evident audit.
Secure your MCP servers
Your AI should ask before it acts.
One tool blocks what your AI shouldn't touch. Takes 2 minutes to set up.
Get started free
Ship agents with permission boundaries.
Per-tool allow/deny. Context window auditing. Credential injection from encrypted vault.
Deploy the gateway