The security proxy for AI agents and MCP servers

Auth, rate limiting, payload filtering, and audit — before any tool call reaches your upstream.

cargo install arbitus

MIT Licensed · Pure Rust · Sub-millisecond overhead

[Diagram: AI agents (Cursor, Claude, etc.) send JSON-RPC to Arbitus (auth, rate limit, filter, audit, HITL), which forwards to the Filesystem, Database and APIs MCP servers]

Arbitus acts as a security proxy between AI agents and MCP servers

Pure Rust · MIT License · crates.io · Docker · Helm Chart · Sub-ms Overhead

Why Arbitus Exists

The MCP protocol has no built-in security layer. Arbitus fills that gap.

"92% of MCP servers have security issues"

iEnable Research, 2026

Per-agent auth (JWT/OIDC/mTLS), encoding-aware payload filtering, and prompt injection detection — before requests reach upstream.

"Agents can access anything — no guardrails"

MCP spec has no built-in access control

Per-agent tool allowlists and denylists with glob wildcards, rate limiting, OPA/Rego policies, and schema validation.

"No visibility into what AI agents do"

No audit trail in standard MCP

Full audit log (SQLite, webhook, CloudEvents, OpenLineage), Prometheus metrics, OpenTelemetry traces, and a built-in dashboard.

Everything you need to secure MCP

The only open-source gateway with the full security stack.

Human-in-the-Loop

Suspend sensitive tool calls until an operator approves or rejects via REST API. Auto-reject after configurable timeout. No other OSS MCP gateway has this.

Shadow Mode

Intercept and log tool calls without forwarding to upstream. Dry-run risky operations before enforcing policies. Observe what new agents would do.

Encoding-Aware Filtering

Block patterns catch Base64, URL-encoded, double-encoded, and Unicode-obfuscated payloads. Regex alone is not enough — Arbitus decodes before matching.

OPA/Rego Policies

Industry-standard policy engine used by Kubernetes and Terraform. Organizations with existing OPA policies can adopt Arbitus without rewriting them.

Per-Agent Auth

API key, JWT/OIDC, mTLS — each agent gets its own policy.

Rate Limiting

Per-agent, per-tool, per-IP sliding window with standard headers.

Schema Validation

Validate tool arguments against inputSchema before forwarding.

Prompt Injection Detection

7 built-in patterns with always-block mode.

Supply-Chain Security

SHA-256 + cosign verification of MCP server binaries.

Tool Federation

Aggregate tools from multiple upstreams into a single view.

OpenAI Bridge

/openai/v1/tools and /execute for function-calling clients.

Circuit Breaker

Automatic upstream failure isolation with half-open recovery.

Config Hot-Reload

SIGUSR1 or automatic every 30 seconds — no restart needed.

Transport Agnostic

HTTP+SSE or stdio — same config, same policies.


One YAML file. Full security stack.

No code, no plugins, no sidecar daemons. Configure everything in a single file.

gateway.yml
transport:
  type: http
  addr: "0.0.0.0:4000"
  upstream: "http://localhost:3000/mcp"

agents:
  cursor:
    allowed_tools: [read_file, "list_*"]
    rate_limit: 30
    api_key: "${CURSOR_API_KEY}"

  claude-code:
    denied_tools: [delete_file, drop_table]
    approval_required: [delete_file]
    shadow_tools: ["exec_*"]

rules:
  block_patterns: ["password", "api_key"]
  block_prompt_injection: true
  opa:
    policy_path: policy.rego

agents: Each agent gets its own policies, auth, and rate limits

approval_required: Human-in-the-loop — dangerous calls wait for operator approval

shadow_tools: Shadow mode — observe without forwarding to upstream

block_patterns: Encoding-aware — catches Base64, URL-encoded, and Unicode obfuscation

opa: Plug in OPA/Rego for complex organizational policies
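Decode-before-match, as an added Python illustration of the encoding-aware filtering described in the feature list and in the block_patterns note above (not Arbitus's own Rust code): it peels Base64 and percent-encoding layers and folds Unicode look-alikes before testing the config's block patterns, so a plain regex over the raw payload misses every sample below while this check catches all but the clean one. The pattern list and sample vectors are constructed for this example.

```python
import base64
import re
import unicodedata
from urllib.parse import unquote

# Constructed block patterns, mirroring the block_patterns list in the example config.
BLOCK_PATTERNS = [re.compile(p, re.IGNORECASE) for p in ("password", "api_key")]
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)

def normalize(text):
    """Fold Unicode look-alikes (fullwidth, compatibility forms) and drop zero-width characters."""
    return unicodedata.normalize("NFKC", text).translate(ZERO_WIDTH)

def try_base64(text):
    """Decode standard or URL-safe Base64 that yields printable UTF-8; None otherwise."""
    s = text.strip().replace("-", "+").replace("_", "/")
    if len(s) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=]+", s):
        return None
    try:
        decoded = base64.b64decode(s + "=" * (-len(s) % 4), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded if decoded.isprintable() else None

def decode_layers(text, max_depth=4):
    """Yield the normalized input, then each form reached by peeling one encoding layer at a time."""
    layer = normalize(text)
    for _ in range(max_depth + 1):
        yield layer
        # '%' is outside the Base64 alphabet, so at most one of the two decoders applies per step.
        peeled = normalize(try_base64(layer) or unquote(layer))
        if peeled == layer:
            return
        layer = peeled

def find_blocked(payload):
    """Return (pattern, decoded_layer) for the first block pattern hit at any layer, else None."""
    for layer in decode_layers(payload):
        for pattern in BLOCK_PATTERNS:
            if pattern.search(layer):
                return pattern.pattern, layer
    return None

# Constructed test vectors: the config's tokens hidden behind the encodings the page lists.
SAMPLES = {
    "base64": "cGFzc3dvcmQ=",
    "double_url": "%2570%2561%2573%2573%2577%256f%2572%2564",
    "fullwidth": "ｐａｓｓｗｏｒｄ",
    "url_safe_b64": "eC1hcGlfa2V5OiBhYmM",
    "clean": "list_files /tmp",
}
```

The depth bound matters in a proxy: without it, a payload that decodes to itself or nests many layers would turn the filter into a CPU sink.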

Up and running in 60 seconds

Three commands. No agents to install, no sidecars, no config servers.

1. Install

cargo install arbitus

Single binary, no runtime dependencies.

2. Configure

cp gateway.example.yml gateway.yml
# edit gateway.yml with your policies

One YAML file controls everything.

3. Run

arbitus gateway.yml

Point your agents at Arbitus instead of the MCP server.


How Arbitus compares

The only open-source gateway with the complete security stack for MCP.

Feature Arbitus agentgateway Direct MCP Commercial WAF
Per-agent authentication
Encoding-aware filtering ~
Human-in-the-loop ~
Shadow mode
OPA/Rego policies ~
Supply-chain verification ~
HTTP + stdio transports
Sub-millisecond overhead ~
Open source (MIT)
agentgateway: Linux Foundation project, connectivity-focused
Direct MCP: No security layer by default
Commercial WAF: Varies by vendor, typically no agent awareness

Community Contributors

Arbitus is built by an amazing community of contributors.

Want to contribute? Check out our contributing guide.

Start securing your MCP servers today

Drop Arbitus between your agents and servers. Zero code changes, full visibility.

MIT Licensed · Community-driven · Production-ready