The security proxy for AI agents and MCP servers

Auth, rate limiting, payload filtering, and audit — before any tool call reaches your upstream.

cargo install arbitus

MIT Licensed · Pure Rust · Sub-millisecond overhead

Agent (Cursor, Claude, etc.)
        │  JSON-RPC
        ▼
      arbitus  ← auth, rate limit, HITL, filter, audit
        │
        ▼
  MCP Server (filesystem, database, APIs...)

Why Arbitus Exists

The MCP protocol has no built-in security layer. Arbitus fills that gap.

"92% of MCP servers have security issues"

iEnable Research, 2026

Per-agent auth (JWT/OIDC/mTLS), encoding-aware payload filtering, and prompt injection detection — before requests reach upstream.

"Agents can access anything — no guardrails"

MCP spec has no built-in access control

Per-agent tool allowlists and denylists with glob wildcards, rate limiting, OPA/Rego policies, and schema validation.

"No visibility into what AI agents do"

No audit trail in standard MCP

Full audit log (SQLite, webhook, CloudEvents, OpenLineage), Prometheus metrics, OpenTelemetry traces, and a built-in dashboard.

Everything you need to secure MCP

The only open-source gateway with the full security stack.

Human-in-the-Loop

Suspend sensitive tool calls until an operator approves or rejects via REST API. Auto-reject after configurable timeout. No other OSS MCP gateway has this.

Shadow Mode

Intercept and log tool calls without forwarding to upstream. Dry-run risky operations before enforcing policies. Observe what new agents would do.

Encoding-Aware Filtering

Block patterns catch Base64, URL-encoded, double-encoded, and Unicode-obfuscated payloads. Regex alone is not enough — Arbitus decodes before matching.
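To make the "decode before matching" point concrete, here is an added example (not Arbitus source code, and not its real matcher) of a block-pattern filter that matches the raw payload only, next to one that first expands the payload through percent-decoding, Base64 and Unicode folding. It simplifies in two labelled ways: patterns are treated as case-insensitive substrings rather than regexes, and only three decoders are shown (percent-encoding, standard-alphabet Base64, and fullwidth/zero-width Unicode tricks). The JSON-RPC tool call in `main` is a constructed sample.

```rust
// Added example, not Arbitus source: a decode-before-match filter for block_patterns.
// Assumptions: patterns are case-insensitive substrings (not regexes), and only
// percent-encoding, standard Base64 and two Unicode tricks are decoded.

/// Naive filter: looks at the raw payload only, so any encoded form slips through.
pub fn naive_blocked(payload: &str, patterns: &[&str]) -> bool {
    patterns.iter().any(|p| payload.contains(p))
}

fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

/// Percent-decoding ("%70" -> "p"); malformed escapes are left untouched.
fn url_decode(s: &str) -> String {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' && i + 2 < b.len() {
            if let (Some(h), Some(l)) = (hex_val(b[i + 1]), hex_val(b[i + 2])) {
                out.push(h << 4 | l);
                i += 3;
                continue;
            }
        }
        out.push(b[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Strict standard-alphabet Base64 decoder (std has none). Returns None for anything
/// that is not wholly valid Base64, so ordinary words are not "decoded" into noise.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let s = s.trim_end_matches('=');
    if s.is_empty() || s.len() % 4 == 1 {
        return None;
    }
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            _ => return None,
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1; // keep only the leftover bits
        }
    }
    Some(out)
}

/// Fold Unicode obfuscation: drop zero-width characters (used to split keywords),
/// map fullwidth ASCII (U+FF01..U+FF5E) back to ASCII, and lowercase.
fn normalize(s: &str) -> String {
    s.chars()
        .filter_map(|c| match c as u32 {
            0x200B..=0x200D | 0xFEFF => None,
            cp @ 0xFF01..=0xFF5E => char::from_u32(cp - 0xFEE0),
            _ => Some(c),
        })
        .flat_map(char::to_lowercase)
        .collect()
}

/// Collect the payload plus every decoded view of it, `depth` layers deep, so
/// double-encoded content (Base64 inside percent-encoding, etc.) is reached too.
fn decode_layers(s: &str, depth: u32, out: &mut Vec<String>) {
    out.push(s.to_string());
    if depth == 0 {
        return;
    }
    let decoded = url_decode(s);
    if decoded != s {
        decode_layers(&decoded, depth - 1, out);
    }
    // Try each Base64-looking run (8+ alphabet chars) on its own: a whole JSON-RPC
    // body is never valid Base64 as a unit, but a string value inside it can be.
    let is_b64 = |c: char| c.is_ascii_alphanumeric() || matches!(c, '+' | '/' | '=');
    for run in s.split(|c: char| !is_b64(c)).filter(|r| r.len() >= 8) {
        if let Some(text) = base64_decode(run).and_then(|b| String::from_utf8(b).ok()) {
            decode_layers(&text, depth - 1, out);
        }
    }
}

/// Encoding-aware filter: returns the first pattern found in any decoded, normalized layer.
pub fn encoding_aware_blocked(payload: &str, patterns: &[&str]) -> Option<String> {
    let mut layers = Vec::new();
    decode_layers(payload, 2, &mut layers);
    for layer in &layers {
        let text = normalize(layer);
        for p in patterns {
            let needle = normalize(p);
            if text.contains(needle.as_str()) {
                return Some(p.to_string());
            }
        }
    }
    None
}

fn main() {
    // Constructed sample: the secret arrives Base64-encoded inside a tools/call.
    let patterns = ["password", "api_key"];
    let call = r#"{"method":"tools/call","params":{"name":"write_file","arguments":{"content":"cGFzc3dvcmQ="}}}"#;
    println!("naive match: {}", naive_blocked(call, &patterns));
    println!("encoding-aware match: {:?}", encoding_aware_blocked(call, &patterns));
}
```

The depth limit matters: each decoding layer multiplies the text scanned, so a real gateway bounds both recursion depth and payload size, otherwise the filter itself becomes a denial-of-service surface.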

OPA/Rego Policies

Industry-standard policy engine used by Kubernetes and Terraform. Organizations with existing OPA policies can adopt Arbitus without rewriting them.

Per-Agent Auth

API key, JWT/OIDC, mTLS — each agent gets its own policy.

Rate Limiting

Per-agent, per-tool, per-IP sliding window with standard headers.

Schema Validation

Validate tool arguments against inputSchema before forwarding.

Prompt Injection Detection

7 built-in patterns with always-block mode.

Supply-Chain Security

SHA-256 + cosign verification of MCP server binaries.

Tool Federation

Aggregate tools from multiple upstreams into a single view.

OpenAI Bridge

/openai/v1/tools and /execute for function-calling clients.

Circuit Breaker

Automatic upstream failure isolation with half-open recovery.

Config Hot-Reload

SIGUSR1 or automatic every 30 seconds — no restart needed.

Transport Agnostic

HTTP+SSE or stdio — same config, same policies.


One YAML file. Full security stack.

No code, no plugins, no sidecar daemons. Configure everything in a single file.

gateway.yml
transport:
  type: http
  addr: "0.0.0.0:4000"
  upstream: "http://localhost:3000/mcp"

agents:
  cursor:
    allowed_tools: [read_file, "list_*"]
    rate_limit: 30
    api_key: "${CURSOR_API_KEY}"

  claude-code:
    denied_tools: [delete_file, drop_table]
    approval_required: [delete_file]
    shadow_tools: ["exec_*"]

rules:
  block_patterns: ["password", "api_key"]
  block_prompt_injection: true
  opa:
    policy_path: policy.rego

agents:             Each agent gets its own policies, auth, and rate limits
approval_required:  Human-in-the-loop — dangerous calls wait for operator approval
shadow_tools:       Shadow mode — observe without forwarding to upstream
block_patterns:     Encoding-aware — catches Base64, URL-encoded, and Unicode obfuscation
opa:                Plug in OPA/Rego for complex organizational policies
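As an added illustration (not Arbitus source code) of what the per-agent settings in the gateway.yml above amount to at request time, the following evaluates a single tools/call against an agent's allowlist, denylist, shadow list and approval list. The glob matcher, the "empty allowlist means every tool is allowed" reading, and the precedence order (deny, then allowlist, then shadow, then approval, then forward) are this example's own choices, not documented Arbitus behaviour. Note that the sample config lists delete_file under both denied_tools and approval_required, so precedence decides which applies; with the deny-first order used here the call is rejected outright and never waits for an operator.

```rust
// Added example, not Arbitus source: evaluating the per-agent tool policy from the
// gateway.yml shown above for one JSON-RPC tools/call. Precedence is this example's
// own choice: deny > allowlist > shadow > approval > forward (fail-closed).
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Decision {
    Forward,            // pass the call on to the upstream MCP server
    Deny(&'static str), // reject with a reason; never reaches upstream
    Shadow,             // shadow mode: log only, do not forward
    AwaitApproval,      // human-in-the-loop: suspend until an operator decides
}

#[derive(Default)]
pub struct AgentPolicy {
    pub allowed_tools: Vec<&'static str>, // empty = every tool allowed (assumption)
    pub denied_tools: Vec<&'static str>,
    pub approval_required: Vec<&'static str>,
    pub shadow_tools: Vec<&'static str>,
}

/// Minimal glob: '*' matches any run of characters, everything else is literal.
pub fn glob_match(pattern: &str, name: &str) -> bool {
    fn go(p: &[u8], s: &[u8]) -> bool {
        match p.split_first() {
            None => s.is_empty(),
            Some((b'*', rest)) => go(rest, s) || (!s.is_empty() && go(p, &s[1..])),
            Some((c, rest)) => s.first() == Some(c) && go(rest, &s[1..]),
        }
    }
    go(pattern.as_bytes(), name.as_bytes())
}

fn any_match(list: &[&str], tool: &str) -> bool {
    list.iter().any(|g| glob_match(g, tool))
}

pub struct Gateway {
    pub agents: HashMap<&'static str, AgentPolicy>,
}

impl Gateway {
    /// Decide what happens to `tool` called by the (already authenticated) `agent`.
    pub fn decide(&self, agent: &str, tool: &str) -> Decision {
        let policy = match self.agents.get(agent) {
            Some(p) => p,
            None => return Decision::Deny("unknown agent"), // no policy, no access
        };
        if any_match(&policy.denied_tools, tool) {
            return Decision::Deny("tool on denylist");
        }
        if !policy.allowed_tools.is_empty() && !any_match(&policy.allowed_tools, tool) {
            return Decision::Deny("tool not on allowlist");
        }
        if any_match(&policy.shadow_tools, tool) {
            return Decision::Shadow;
        }
        if any_match(&policy.approval_required, tool) {
            return Decision::AwaitApproval;
        }
        Decision::Forward
    }
}

/// The agents section of the gateway.yml on this page, transcribed by hand.
pub fn page_config() -> Gateway {
    let mut agents = HashMap::new();
    agents.insert("cursor", AgentPolicy {
        allowed_tools: vec!["read_file", "list_*"],
        ..Default::default()
    });
    agents.insert("claude-code", AgentPolicy {
        denied_tools: vec!["delete_file", "drop_table"],
        approval_required: vec!["delete_file"],
        shadow_tools: vec!["exec_*"],
        ..Default::default()
    });
    Gateway { agents }
}

fn main() {
    let gw = page_config();
    let calls = [
        ("cursor", "list_directory"),
        ("cursor", "write_file"),
        ("claude-code", "exec_shell"),
        ("claude-code", "delete_file"),
        ("unknown-agent", "read_file"),
    ];
    for &(agent, tool) in calls.iter() {
        println!("{} -> {}: {:?}", agent, tool, gw.decide(agent, tool));
    }
}
```

Rate limits and OPA evaluation would slot in as further checks before `Forward`; the important property to preserve is that every early return is a non-forwarding outcome, so an unexpected tool name or agent never reaches the upstream by default.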

Up and running in 60 seconds

Three commands. No agents to install, no sidecars, no config servers.

1. Install

   cargo install arbitus

   Single binary, no runtime dependencies.

2. Configure

   cp gateway.example.yml gateway.yml
   # edit gateway.yml with your policies

   One YAML file controls everything.

3. Run

   arbitus gateway.yml

   Point your agents at Arbitus instead of the MCP server.


How Arbitus compares

The only open-source gateway with the complete security stack.

Feature Arbitus Other OSS Commercial
Per-agent authentication ~
Encoding-aware payload filtering ~
Human-in-the-loop approval ~
Shadow mode
OPA/Rego policies
Supply-chain verification ~
HTTP + stdio transports ~
Sub-millisecond overhead ~~
Open source (MIT)

Start securing your MCP servers today

Drop Arbitus between your agents and servers. Zero code changes, full visibility.

MIT Licensed · Community-driven · Production-ready