Quickstart

This guide walks you through signing up, creating a connection, writing your first policy, and making a governed MCP tool call.

1. Sign Up

Navigate to app.igris.dev/signup and create an account using email/password or OAuth (GitHub, Google). After signup you’ll be prompted to create your first organization.

2. Create a Connection

Connections are encrypted credential vaults for your upstream MCP servers. Go to Governance → Connections and click New Connection. Provide:
  • Name — a human-readable label (e.g., “GitHub Production”)
  • Slug — a URL-safe identifier (e.g., github-prod)
  • Upstream URL — where the real MCP server lives (e.g., https://mcp.github.com)
  • Credential — the upstream API key or token (encrypted at rest)
Once created, Igris gives you a gateway URL:
https://api.igrisecurity.com/v1/mcp/github-prod

3. Install the SDK

bun add @igris-security/sdk

4. Generate an MCP Config

import { Igris } from "@igris-security/sdk";

const igris = new Igris({
  apiKey: "ig_your_api_key",  // from Settings → API Keys
});

const config = igris.connectHttp("github-prod", {
  user: "alice@company.com",
  metadata: { role: "developer" },
});

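// Use with any MCP client. McpClient and StreamableHttpTransport are not
// imported in this snippet; import the client and transport classes from
// your MCP client library.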
const client = new McpClient({
  transport: new StreamableHttpTransport(config.baseUrl, {
    headers: {
      Authorization: `Bearer ${config.apiKey}`,
      ...config.headers,
    },
  }),
});
Or for direct MCP client usage (Claude Desktop, Cursor):
{
  "mcpServers": {
    "github": {
      "url": "https://api.igrisecurity.com/v1/mcp/github-prod",
      "headers": {
        "Authorization": "Bearer ig_your_api_key"
      }
    }
  }
}
Every tool call now flows through Igris before reaching the upstream server.

5. Create Your First Policy

Go to Governance → Policies and click Create Policy. Example: block destructive operations for interns.
{
  "connectionSlug": "github-prod",
  "name": "Block destructive ops for interns",
  "rules": [
    { "tool": "delete_*", "action": "deny", "conditions": { "metadata.role": "intern" } },
    { "tool": "drop_*", "action": "deny", "conditions": { "metadata.role": "intern" } },
    { "tool": "*", "action": "allow" }
  ]
}
Rules are evaluated in order, and the first match wins. The catch-all * at the end allows everything not explicitly denied. Conditions on metadata.role only apply when the SDK passes that metadata.
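
To see how ordering and metadata interact, here is a small first-match-wins evaluator run over the policy above. It is an added example, not Igris's policy engine; the glob handling, the treatment of missing metadata, the fallback when no rule matches, and the sample tool names are assumptions.

```javascript
// Added illustration, not Igris's engine. Assumptions: "*" in a tool pattern
// matches any run of characters; a condition on a metadata key the caller did
// not send does not match; a call that matches no rule is denied.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

function conditionsMatch(conditions = {}, metadata = {}) {
  return Object.entries(conditions).every(([key, expected]) => {
    const field = key.replace(/^metadata\./, "");
    return Object.prototype.hasOwnProperty.call(metadata, field) &&
      metadata[field] === expected;
  });
}

// First match wins: return the action of the first rule whose tool pattern
// and conditions both match.
function evaluate(rules, tool, metadata) {
  for (const rule of rules) {
    if (globToRegExp(rule.tool).test(tool) &&
        conditionsMatch(rule.conditions, metadata)) {
      return rule.action;
    }
  }
  return "deny"; // assumed fallback
}

// Rules copied from the policy above.
const internPolicy = [
  { tool: "delete_*", action: "deny", conditions: { "metadata.role": "intern" } },
  { tool: "drop_*", action: "deny", conditions: { "metadata.role": "intern" } },
  { tool: "*", action: "allow" },
];
// Same rules with the catch-all moved first: it shadows both deny rules.
const misordered = [internPolicy[2], internPolicy[0], internPolicy[1]];

// Constructed sample calls (tool names are hypothetical).
function demo() {
  return {
    internDelete: evaluate(internPolicy, "delete_repo", { role: "intern" }),
    developerDelete: evaluate(internPolicy, "delete_repo", { role: "developer" }),
    internList: evaluate(internPolicy, "list_repos", { role: "intern" }),
    noMetadata: evaluate(internPolicy, "delete_repo", {}),
    shadowed: evaluate(misordered, "delete_repo", { role: "intern" }),
  };
}
console.log(demo());
```

Under these assumptions a call that carries no role metadata reaches the catch-all and is allowed, and moving the * rule first shadows both deny rules. Confirm how the gateway treats missing metadata before relying on role-based denies.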

6. Trigger a Tool Call

Use your MCP client as normal. The gateway will:
  • Authenticate your API key
  • Inject the upstream credential (from the connection)
  • Evaluate policies (including metadata conditions)
  • Log everything to the audit trail

7. View the Audit Trail

Go to Monitoring → Audit Trail to see every tool call, including:
  • User (from X-Igris-User header)
  • Trace ID (for correlating multi-step requests)
  • Tool name + arguments
  • Policy action (allowed / denied / alerted)
  • Connection used
  • Latency
Filter by user, trace ID, or connection to drill down.

What’s Next?

SDK Deep Dive

Learn about identity, metadata, trace IDs, and resource management.

Connections

Manage encrypted credentials, rotate tokens, and control access.

Policy Conditions

Metadata-based rules, deny-by-default, and condition operators.

Anomaly Detection

Set up rate spike and destructive pattern alerts.