Quick Start
Get a secured gateway URL for any MCP server in under 5 minutes. Every tool call through this URL is authenticated, authorized, and audited — no code changes required.
1. Create an account and a host
- Sign up at app.agent.security
- Connect your Permit.io organization with an organization-scoped API key
- Go to Dashboard → Create Host — pick a subdomain, project, and environment
Your gateway base URL is now live:
https://<your-subdomain>.agent.security/mcp
2. Get a gateway URL for your target MCP server
There are two ways to route traffic through the gateway to an upstream MCP server. Pick the one that fits your setup.
Option A: Dynamic MCP (quickest path)
If you enable Dynamic MCPs on your host, you can point to any MCP server by appending a query parameter — no need to pre-import it.
- In app.agent.security, go to your host's Settings and toggle Allow Dynamic MCPs on
- Build your gateway URL by appending
?upstream_mcp=with the target server's URL:
https://<your-subdomain>.agent.security/mcp?upstream_mcp=<url-of-target-mcp-server>
Examples:
| Target MCP server | Gateway URL |
|---|---|
| Linear | https://acme-brave-coral-37.agent.security/mcp?upstream_mcp=https://mcp.linear.app/mcp |
| GitHub | https://acme-brave-coral-37.agent.security/mcp?upstream_mcp=https://api.githubcopilot.com/mcp/ |
| A custom server | https://acme-brave-coral-37.agent.security/mcp?upstream_mcp=https://internal.example.com/mcp |
Dynamic MCPs let users connect to any MCP server, bypassing the admin allow-list. Only enable this if your organization is comfortable with that. You can disable it at any time.
Option B: Pre-imported MCP server
If you want admin control over which servers are available, import the server first and then use the base URL or a pre-selected URL.
- Go to MCP Servers → Create Server
- Enter the upstream URL (e.g.,
https://mcp.linear.app/mcp) and click Connect - Review the auto-classified tools, adjust trust levels if needed, and click Import
- Grant yourself (or your users) access on the Humans page
Your gateway URL is the host base URL — users pick the server during consent:
https://acme-brave-coral-37.agent.security/mcp
To skip the server-selection step, append the upstream URL as a query parameter or use a path-based URL:
https://acme-brave-coral-37.agent.security/mcp?upstream_mcp=https://mcp.linear.app/mcp
https://acme-brave-coral-37.agent.security/mcp/linear
3. Connect your MCP client
Paste the gateway URL into your MCP client config. Replace the example URL with your own.
Cursor / VS Code
Add to .cursor/mcp.json (Cursor) or your VS Code MCP settings:
{
"mcpServers": {
"linear": {
"url": "https://acme-brave-coral-37.agent.security/mcp?upstream_mcp=https://mcp.linear.app/mcp"
}
}
}
Claude Desktop
Add to your Claude Desktop config file (~/Library/Application Support/Claude/claude_desktop_config.json on macOS, %APPDATA%\Claude\claude_desktop_config.json on Windows):
{
"mcpServers": {
"linear": {
"url": "https://acme-brave-coral-37.agent.security/mcp?upstream_mcp=https://mcp.linear.app/mcp"
}
}
}
Claude Code
claude mcp add linear \
--url "https://acme-brave-coral-37.agent.security/mcp?upstream_mcp=https://mcp.linear.app/mcp"
4. Authenticate and use
On first connection, your MCP client opens a browser for the consent flow:
- Sign in — create an account or log in
- Select the MCP server — pick the server you want to connect to (or it is pre-selected if you used
upstream_mcp) - Set a trust level — choose what your agent is allowed to do (read, write, or destructive actions)
- Accept — your agent is now connected through the gateway
Every tool call is now authenticated, authorized by trust level, and logged. Ask your agent to perform an action (e.g., "list my Linear issues") and verify it works.
What's next?
- Getting Started Guide — full walkthrough including trust levels, user management, and audit logs
- n8n + Linear demo — end-to-end example with an n8n workflow
- Platform Reference — admin UI for managing hosts, servers, and users
- Overview — security model, architecture, and how it compares to existing tools