v1.0 shipped — 47/47 whitepaper requirements

Secure your AI agents with Sentinel

A single-binary Rust gateway that secures AI agent tool calls with JWT authentication, RBAC, rate limiting, and audit logging.

~14 MB binary · <50 MB RAM · 145 tests · <1ms overhead

The problem is real

AI agents connect directly to MCP servers with no security layer — no auth, no access control, no audit trail. Any process on the same host can call any tool. This isn't theoretical.

| Threat | Severity | Detail |
|---|---|---|
| CVE-2026-25253 | CVSS 8.8 | One-click RCE via stolen auth tokens in OpenClaw Control UI |
| Exposed Instances | CRITICAL | 1,800+ OpenClaw instances found leaking API keys and credentials |
| Plugin Attack Surface | HIGH | 92% exploitation probability with just 10 MCP plugins (Pynt) |
| Microsoft Advisory | HIGH | “Treat as untrusted code execution. Not for standard workstations.” |
| No MCP Auth | CRITICAL | Any local process can call MCP servers directly — no authentication |
| No Audit Trail | HIGH | Zero visibility into which tools were called, by whom, with what data |

Sentinel sits between your agent and its MCP servers. Every tool call passes through authentication, authorization, rate limiting, and audit logging before reaching any backend.

How it works

All backends are optional and configurable. Use any combination of HTTP and stdio MCP servers — the gateway doesn't care what's behind it, only that it's secured.

```
AI Agent (OpenClaw, Claude Code, Cursor, ...)
    |
    v
[ SENTINEL GATEWAY ] ─── single Rust binary
    |
    |── JWT Auth          validate every session
    |── RBAC              per-role tool permissions
    |── Rate Limiting     sliding window per tool
    |── Audit Log         PostgreSQL request trail
    |── Circuit Breaker   isolate failing backends
    |── Kill Switch       emergency disable, no restart
    |── Metrics           Prometheus endpoint
    |
    +───> MCP Server A (stdio or HTTP)
    +───> MCP Server B
    +───> MCP Server N
```

Everything you need

Enterprise security controls for AI agent tool calls, without modifying either the agent or the MCP servers.

🔑 JWT Auth: Session-level token validation. Every request authenticated before reaching any backend.

🛡 RBAC: Role-based access control with per-tool deny lists. Admin, developer, viewer — or define your own.

Rate Limiting: Per-tool configurable limits with sliding window. Prevent runaway agents from burning API credits.

📝 Audit Logging: PostgreSQL-backed request/response trail. Who called what, when, and what came back.

Circuit Breakers: Automatic backend isolation on failure. One bad server doesn't take down the rest.

🛑 Kill Switch: Emergency disable for individual tools or entire backends. No restart required.

Process Manager: stdio backends spawned and managed as child processes. Auto-restart on crash with configurable retries.

🔄 Hot Reload: SIGHUP reloads kill switch and rate limits without restarting. Zero downtime config changes.

📊 Prometheus: Metrics endpoint with request counts, latencies, error rates, and backend health status.
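
How the kill switch, per-role deny list and per-tool sliding window listed above can combine into one allow/deny decision, as an added Rust example that is not Sentinel's own code. The check order, the fail-closed handling of unknown roles, and all struct, field and tool names are assumptions; the role is taken to come from an already-validated JWT.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, KillSwitched, DeniedByRole, RateLimited }
// Hypothetical policy state; names are illustrative, not Sentinel's own.
#[derive(Default)]
pub struct Policy {
    pub killed: HashSet<String>,                // tools disabled by the kill switch
    pub deny: HashMap<String, HashSet<String>>, // role -> tools that role may not call
    pub limits: HashMap<String, (usize, u64)>,  // tool -> (max calls, window in ms)
    hits: HashMap<String, VecDeque<u64>>,       // tool -> timestamps of admitted calls
}

impl Policy {
    // `role` is assumed to come from an already-verified JWT claim;
    // `now_ms` is injected so the decision logic is deterministic.
    pub fn check(&mut self, role: &str, tool: &str, now_ms: u64) -> Decision {
        if self.killed.contains(tool) {
            return Decision::KillSwitched; // overrides every role, admin included
        }
        match self.deny.get(role) {
            None => return Decision::DeniedByRole, // unknown role: fail closed
            Some(denied) if denied.contains(tool) => return Decision::DeniedByRole,
            Some(_) => {}
        }
        let Some((max, window)) = self.limits.get(tool).copied() else {
            return Decision::Allow; // no limit configured for this tool
        };
        let q = self.hits.entry(tool.to_string()).or_default();
        // Sliding window: discard calls that have aged out before counting.
        while q.front().map_or(false, |&t| now_ms.saturating_sub(t) >= window) {
            q.pop_front();
        }
        if q.len() >= max {
            return Decision::RateLimited; // rejected calls do not extend the window
        }
        q.push_back(now_ms);
        Decision::Allow
    }
}

fn main() {
    let mut p = Policy::default();
    p.deny.insert("developer".into(), HashSet::new()); // known role, nothing denied
    p.limits.insert("firecrawl_scrape".into(), (2, 1_000)); // constructed tool name
    for t in [0, 400, 900, 1_000] {
        println!("t={t}ms -> {:?}", p.check("developer", "firecrawl_scrape", t));
    }
}
```

Because only admitted calls are recorded, a client that keeps retrying while limited does not push its own window further out.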

Validated across architectures

Sentinel has been tested end-to-end in a distributed multi-server deployment: an OpenClaw agent on a Hetzner ARM64 server invoking tools through Sentinel running on a Hostinger x86_64 server, connected via WireGuard VPN.

```
OpenClaw Agent (Hetzner, ARM64)
    |
    |── mcporter skill invocation
    |
    v
SSH stdio tunnel ─── over WireGuard VPN (10.0.0.x)
    |
    v
[ SENTINEL GATEWAY ] (Hostinger, x86_64)
    |
    |── JWT Auth + RBAC + Rate Limiting
    |── Audit Log → PostgreSQL
    |
    +───> Firecrawl    web scraping
    +───> Context7     library docs
    +───> Playwright   browser automation
    +───> n8n          workflow API
    +───> SQLite       database ops
```

18.8s end-to-end · <1ms gateway overhead · ARM64 agent arch · x86_64 gateway arch

The 18.8 second end-to-end time includes SSH tunnel setup, WireGuard hop, JWT authentication, a full website scrape via Firecrawl, LLM summarization of results, and audit logging to PostgreSQL. The gateway itself adds under 1ms of overhead for auth and routing.

Up and running in 5 commands

```bash
# Clone and setup
git clone https://github.com/wallybrain/sentinel-mcp-gateway.git
cd sentinel-mcp-gateway
./scripts/setup.sh

# Build (~14 MB binary)
cargo build --release

# Start PostgreSQL (audit logs)
docker compose up -d postgres

# Register with Claude Code
./add-mcp.sh
```

The setup script generates secrets and config automatically. Edit sentinel.toml to uncomment the backends you need. Full deployment guide in the docs.

Using OpenClaw? See the dedicated integration guide for step-by-step setup including SSH stdio tunnels, recommended RBAC policies, and multi-server deployment patterns.

vs Alternatives

| | Sentinel | RunLayer | No Gateway |
|---|---|---|---|
| Self-hosted | YES | No (SaaS) | |
| Open source | BSL 1.1 | Proprietary | |
| JWT + RBAC | YES | Limited | NO |
| Audit logging | PostgreSQL | Yes | NO |
| Circuit breakers | YES | NO | NO |
| Kill switch | YES | NO | NO |
| Single binary | ~14 MB Rust | No | |
| Offline capable | YES | NO | Yes |

Project status

v1.0 shipped — 47/47 requirements from the IBM/Anthropic MCP Gateway whitepaper, 145 tests, 3,776 LOC Rust.

Production-tested with Claude Code (local stdio) and OpenClaw (remote SSH stdio tunnel via mcporter). Cross-architecture validated: ARM64 agent ↔ x86_64 gateway over WireGuard VPN.

Licensed under BSL 1.1 — free to use, modify, and deploy. Converts to Apache 2.0 in 2030. The only restriction: you can't resell it as a hosted gateway service.

Tested it with OpenClaw? Open an issue — we want to hear about your experience.