Skip to content
DeepintShield DeepintShield

MCP Gateway URL

Overview

Section titled “Overview”

DeepIntShield can act as an MCP server, exposing all your connected MCP tools to external MCP clients like Claude Desktop, Cursor, or any other MCP-compatible application.

This enables a powerful pattern:

  • Connect DeepIntShield to multiple MCP servers (filesystem, web search, databases, etc.)
  • Expose all those tools through a single MCP endpoint
  • External clients connect to DeepIntShield and get access to all aggregated tools

Diagram

Endpoints

Section titled “Endpoints”
EndpointMethodPurpose
/mcpPOSTJSON-RPC 2.0 messages for tool discovery and execution
/mcpGETServer-Sent Events (SSE) for persistent connections

POST /mcp (JSON-RPC)

Section titled “POST /mcp (JSON-RPC)”

Handle JSON-RPC 2.0 messages for tool listing and execution:

Terminal window
# List available tools
curl -X POST https://app.deepintshield.com/mcp \
  -H "Authorization: Bearer sk-bf-your-virtual-key" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/list"
  }'


# Call a tool
curl -X POST https://app.deepintshield.com/mcp \
  -H "Authorization: Bearer sk-bf-your-virtual-key" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 2,
    "method": "tools/call",
    "params": {
      "name": "filesystem-read_file",
      "arguments": {
        "path": "/tmp/test.txt"
      }
    }
  }'

GET /mcp (SSE)

Section titled “GET /mcp (SSE)”

Establish a persistent SSE connection for real-time communication:

Terminal window
curl -N https://app.deepintshield.com/mcp \
  -H "Authorization: Bearer sk-bf-your-virtual-key" \
  -H "Accept: text/event-stream"

The SSE endpoint sends:

  • connection/opened message on connect
  • Keeps connection alive until client disconnects

External MCP Client Integration

Section titled “External MCP Client Integration”

The /mcp endpoint supports any MCP-compatible client that can communicate via HTTP or SSE:

  • Claude Desktop - macOS and Windows desktop application
  • Cursor - IDE with MCP support
  • Custom Applications - Any app implementing the MCP protocol
  • Browser Extensions - Tools with MCP client capability

To connect an external MCP client, configure it to connect to:

https://app.deepintshield.com/mcp

Include your Virtual Key authentication header (Authorization: Bearer sk-bf-your-virtual-key) so the gateway can resolve the tools available to that key.

Virtual Key Authentication

Section titled “Virtual Key Authentication”

DeepIntShield supports per-Virtual Key MCP servers, allowing you to expose different tools to different clients.

Global Server (No Virtual Key)

Section titled “Global Server (No Virtual Key)”

When enforce_governance_header is false, requests without a Virtual Key use the global MCP server with all available tools.

Virtual Key-Specific Servers

Section titled “Virtual Key-Specific Servers”

When using Virtual Keys, each VK gets its own MCP server with filtered tools based on its configuration.

Authenticate with Virtual Key (Virtual Keys start with the sk-bf- prefix):

Terminal window
# Via Authorization header
curl -X POST https://app.deepintshield.com/mcp \
  -H "Authorization: Bearer sk-bf-your-virtual-key" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}'


# Via x-api-key header
curl -X POST https://app.deepintshield.com/mcp \
  -H "x-api-key: sk-bf-your-virtual-key" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}'


# Via x-bf-vk header
curl -X POST https://app.deepintshield.com/mcp \
  -H "x-bf-vk: sk-bf-your-virtual-key" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}'

Claude Desktop with Virtual Key:

{
  "mcpServers": {
    "deepintshield-production": {
      "url": "https://app.deepintshield.com/mcp",
      "headers": {
        "Authorization": "Bearer sk-bf-your-production-key"
      }
    },
    "deepintshield-development": {
      "url": "https://app.deepintshield.com/mcp",
      "headers": {
        "Authorization": "Bearer sk-bf-your-development-key"
      }
    }
  }
}

Tool Filtering for MCP Clients

Section titled “Tool Filtering for MCP Clients”

Control which tools are exposed to MCP clients using Virtual Keys:

Per-Virtual Key Tool Access

Section titled “Per-Virtual Key Tool Access”

Configure which tools each Virtual Key can access from the Virtual Keys section of the Web UI: create or edit a key and, under MCP Client Configurations, add the clients and the tools that key may use. For example, a production key might be limited to read_file and list_directory on a filesystem client while allowing all tools (*) on a web_search client.

Learn more about Virtual Key tool filtering in MCP Tool Filtering.

Advanced Gateway Features

Section titled “Advanced Gateway Features”

Health Monitoring

Section titled “Health Monitoring”

DeepIntShield monitors connected MCP clients for you. If a client stops responding it is marked disconnected, its tools drop out of the aggregated registry, and DeepIntShield reconnects it in the background - external clients see the tools return automatically once it recovers. You can choose the check method per client with the is_ping_available toggle (see Connecting to MCP Servers).

To force a reconnection yourself, open the client in the MCP Gateway and click Reconnect.

Request ID Tracking

Section titled “Request ID Tracking”

For Agent Mode operations, DeepIntShield tags each intermediate tool-execution step with its own request ID, so autonomous tool runs produce detailed, per-step audit trails. See Agent Mode for details.

Dynamic Tool Discovery

Section titled “Dynamic Tool Discovery”

The tools exposed through the gateway stay in sync automatically. When you connect a new client, a connected server’s tool list changes, or you edit a client’s tools_to_execute, the change is reflected for external MCP clients without them needing to reconnect - they always see the current, filtered set of tools.

Security Considerations

Section titled “Security Considerations”

1. Enable Virtual Key Enforcement

Section titled “1. Enable Virtual Key Enforcement”

Always require a Virtual Key on every MCP request in production. Turn on governance header enforcement from the gateway settings in the Web UI so that requests without a valid Virtual Key are rejected. This ensures all MCP requests require a valid Virtual Key.

2. Use HTTPS

Section titled “2. Use HTTPS”

All traffic to https://app.deepintshield.com/mcp is served over TLS - always use the https:// endpoint so credentials and tool traffic stay encrypted in transit.

3. Limit Tool Access

Section titled “3. Limit Tool Access”

Use Virtual Keys to limit which tools each client can access. Follow the principle of least privilege.

4. Network Restrictions

Section titled “4. Network Restrictions”

Use per-Virtual Key access controls to limit which clients can reach the MCP endpoint and which tools they can call.

Troubleshooting

Section titled “Troubleshooting”
Claude Desktop not connecting
  1. Verify the URL is correct and DeepIntShield is running
  2. Check if DeepIntShield is accessible from Claude Desktop’s network
  3. Restart Claude Desktop after configuration changes
  4. Check DeepIntShield logs for connection attempts
No tools showing up
  1. Verify MCP clients are connected in DeepIntShield
  2. Check that tools_to_execute includes the expected tools
  3. If using Virtual Keys, verify the VK has MCP tool access configured
Virtual Key authentication failing
  1. Ensure the Virtual Key exists and is active
  2. Check the header format (Bearer prefix for Authorization)
  3. Verify enforce_governance_header setting matches your setup

Next Steps

Section titled “Next Steps”

Tool Filtering

Control which tools are available per request

Open →

Virtual Key MCP Tools

Configure per-VK tool access

Open →