Connections

Connections are encrypted credential vaults for upstream MCP servers. Instead of putting real API keys in your code, you create a connection in Igris that stores the credential securely and gives you a clean gateway URL.

How Connections Work

Without connections:
  Your app → real upstream credential in code → MCP server

With connections:
  Your app → Igris API key only → Igris Gateway → injects real credential → MCP server

Benefits:
  • Real credentials never leave Igris — encrypted at rest with AES-256-GCM
  • Rotate credentials instantly without changing any code
  • Revoke access by disabling the connection
  • Full audit trail of every request per connection

Create a Connection

In the dashboard: Governance → Connections → New Connection.

Or via API:
curl -X POST https://api.igrisecurity.com/api/v1/connections \
  -H "Authorization: Bearer ig_..." \
  -H "Content-Type: application/json" \
  -d '{
    "slug": "github-prod",
    "name": "GitHub Production",
    "upstreamUrl": "https://mcp.github.com",
    "authType": "bearer",
    "credential": "ghp_your_github_token"
  }'
The credential is encrypted and stored. It will never be returned in any API response.

Auth Types

Connections support three authentication types for upstream credential injection:
Auth Type   Behavior
bearer      Injects credential as Authorization: Bearer <credential> (default)
header      Injects credential as a raw header value with a custom header name
none        No credential injection — upstream doesn’t require auth

Custom Auth Headers

Some MCP servers expect credentials in a non-standard header. Use authType: "header" with authHeaderName:
curl -X POST https://api.igrisecurity.com/api/v1/connections \
  -H "Authorization: Bearer ig_..." \
  -H "Content-Type: application/json" \
  -d '{
    "slug": "custom-api",
    "name": "Custom API",
    "upstreamUrl": "https://my-api.example.com/mcp",
    "authType": "header",
    "authHeaderName": "X-API-Key",
    "credential": "sk_my_secret_key"
  }'
This injects the credential as X-API-Key: sk_my_secret_key to the upstream server.

Use a Connection

With the SDK

const config = igris.connectHttp("github-prod", {
  user: "alice@company.com",
  metadata: { role: "developer" },
});

// config.baseUrl = "https://api.igrisecurity.com/v1/mcp/github-prod"
// config.apiKey  = "ig_..."   (set as Authorization: Bearer when calling the gateway)
// config.headers = { "X-Igris-Trace-Id": "...", "X-Igris-User": "...", "X-Igris-Metadata": "..." }

Direct MCP Client Config

{
  "mcpServers": {
    "github": {
      "url": "https://api.igrisecurity.com/v1/mcp/github-prod",
      "headers": {
        "Authorization": "Bearer ig_your_api_key"
      }
    }
  }
}

Credential Injection

When the gateway receives a request, it:
  1. Strips your Igris API key (never forwarded upstream)
  2. Decrypts the connection’s credential
  3. Injects it using the configured auth type:
    • bearer: Authorization: Bearer <credential>
    • header: <authHeaderName>: <credential>
    • none: no credential injected
The upstream server only sees its own credential. Your users only see the Igris API key.
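
The three gateway steps above, modelled as an added JavaScript example (not Igris's own code): `buildUpstreamHeaders`, `encryptedCredential` and the `decrypt` callback are hypothetical names, and the stub stands in for AES-256-GCM decryption. It assumes other headers pass through unchanged, that a caller-supplied copy of the custom header is dropped rather than duplicated, and that a credential containing CR/LF is rejected.

```javascript
// Added illustration: models the three gateway steps described above.
// Names other than authType/authHeaderName are hypothetical.
const HEADER_NAME = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // RFC 9110 token

function buildUpstreamHeaders(incoming, connection, decrypt) {
  const { authType = "bearer", authHeaderName } = connection;

  // Decide which header carries the upstream credential, if any.
  let target = null;
  if (authType === "bearer") target = "authorization";
  else if (authType === "header") {
    if (!authHeaderName || !HEADER_NAME.test(authHeaderName)) {
      throw new Error("authType 'header' needs a valid authHeaderName");
    }
    target = authHeaderName.toLowerCase();
  } else if (authType !== "none") {
    throw new Error(`unknown authType: ${authType}`);
  }

  // Step 1: drop the caller's Authorization (the Igris API key) and any
  // caller-supplied copy of the target header, matching case-insensitively.
  const out = {};
  for (const [name, value] of Object.entries(incoming)) {
    const lower = name.toLowerCase();
    if (lower === "authorization" || lower === target) continue;
    out[lower] = value;
  }

  // Steps 2 and 3: decrypt, then inject according to authType.
  if (target !== null) {
    const credential = decrypt(connection.encryptedCredential);
    if (/[\r\n]/.test(credential)) throw new Error("credential contains CR/LF");
    out[target] = authType === "bearer" ? `Bearer ${credential}` : credential;
  }
  return out;
}

// Constructed sample data; the decrypt stub stands in for AES-256-GCM.
const fakeDecrypt = (blob) => blob.replace(/^enc:/, "");
const request = {
  Authorization: "Bearer ig_example",
  "x-api-key": "caller-supplied",
  "X-Igris-User": "alice@company.com",
};
const conn = {
  authType: "header",
  authHeaderName: "X-API-Key",
  encryptedCredential: "enc:sk_my_secret_key",
};
console.log(buildUpstreamHeaders(request, conn, fakeDecrypt));
```
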

Rotate Credentials

Update a credential without changing any SDK configs:
curl -X POST https://api.igrisecurity.com/api/v1/connections/github-prod/rotate \
  -H "Authorization: Bearer ig_..." \
  -H "Content-Type: application/json" \
  -d '{ "credential": "ghp_new_token_here" }'
All requests immediately use the new credential. Zero downtime.

Slug Format

Connection slugs must be:
  • Lowercase letters, numbers, underscores, hyphens
  • 3-64 characters
  • Start with a letter or number
Examples: github-prod, slack-mcp, analytics01