Skip to content
MCPFirewall

CLI Commands

The mcpfw binary is the single entry point for the gateway, shim, service management, and administrative tasks. All commands operate against the local database at ~/.mcpfw/.

mcpfw serve

Section titled “mcpfw serve”

Start the gateway. This is the default command (running mcpfw with no arguments does the same thing).

Terminal window
mcpfw serve [flags]
FlagDefaultDescription
--port8765Port to listen on
--bind-addr127.0.0.1Bind address (0.0.0.0 on WSL2)
--no-browserfalseDo not open the dashboard in a browser
--no-trayfalseDo not start the tray helper
--versionPrint version and exit

mcpfw shim

Section titled “mcpfw shim”

Stdio bridge between an AI client and the gateway. Not typically run manually. AI client configs are rewritten to use this command.

Terminal window
mcpfw shim --server <id>
FlagDescription
--serverServer ID (or set MCPFW_SERVER_ID)
--versionPrint version to stderr and exit

Shim auth (team tier)

Section titled “Shim auth (team tier)”
Terminal window
mcpfw shim auth set-token --url <gateway-url> --token <token>
mcpfw shim auth get-token
mcpfw shim auth clear-token

mcpfw status

Section titled “mcpfw status”

Check if the gateway is running. Returns exit code 0 if healthy, 1 if not.

Terminal window
mcpfw status

mcpfw service

Section titled “mcpfw service”

Manage the gateway as a login service.

Terminal window
mcpfw service <subcommand>
SubcommandDescription
installRegister as a login service
uninstallRemove the service
startStart the service
stopStop the service
restartRestart the service
statusShow service and gateway status (--json for machine output)
logsTail the gateway log (--n 50 to set line count)

mcpfw doctor

Section titled “mcpfw doctor”

Run diagnostic health checks. Returns exit code 0 if all pass, 1 if any warn or fail.

Terminal window
mcpfw doctor [--json]

Checks: gateway connectivity, database integrity, vault key, server registrations, client configs.

mcpfw logs

Section titled “mcpfw logs”

View logs for a specific server.

Terminal window
mcpfw logs <server-name> [--follow]

The --follow flag polls for new lines every 500ms.

mcpfw ruleset

Section titled “mcpfw ruleset”

Manage governance rulesets.

SubcommandDescription
listList all rulesets
create <name>Create a new ruleset
apply <name>Write .mcpfw/ruleset to a directory (--dir to specify)
export <name>Print ruleset as JSON to stdout
importRead JSON from stdin and create a ruleset
Terminal window
mcpfw ruleset create "strict"
mcpfw ruleset apply "strict" --dir ~/projects/myapp
mcpfw ruleset export "strict" > strict.json
cat strict.json | mcpfw ruleset import

mcpfw secrets

Section titled “mcpfw secrets”

Vault encryption key management.

SubcommandDescription
export-keyPrint the vault key in base64
import-key <base64>Import a vault key

mcpfw vault

Section titled “mcpfw vault”
Terminal window
mcpfw vault export-key --out <path>

Export the vault key to a file. The --out flag is required.

mcpfw oauth

Section titled “mcpfw oauth”
Terminal window
mcpfw oauth revoke <server-name>

Delete a stored OAuth token locally. No revocation request is sent to the provider.

mcpfw tui

Section titled “mcpfw tui”

Start the terminal UI dashboard. Automatically starts the gateway if not running.

Terminal window
mcpfw tui

mcpfw registry

Section titled “mcpfw registry”
Terminal window
mcpfw registry classify [--force] [--llm]

Classify registry entries by category. --force reclassifies all entries. --llm runs an LLM correction pass.

mcpfw guard

Section titled “mcpfw guard”

Start an inbound MCP governance proxy. Protects an upstream MCP server with rate limiting, IP filtering, and MCPA compliance.

Terminal window
mcpfw guard --upstream <url> [flags]
FlagDefaultDescription
--upstreamrequiredUpstream MCP server URL
--port8766Listen port
--rate100/minRate limit (N/min or N/s)
--burst20Rate limit burst capacity
--domainDomain for automatic HTTPS (Let’s Encrypt)
--certTLS certificate file (PEM)
--keyTLS private key file (PEM)
--github-client-idGitHub OAuth client ID
--github-client-secretGitHub OAuth client secret
--google-client-idGoogle OAuth client ID
--google-client-secretGoogle OAuth client secret
--allowAllow CIDR (repeatable)
--denyDeny CIDR (repeatable)

TLS modes

Section titled “TLS modes”

Automatic HTTPS: use --domain for Let’s Encrypt (requires ports 80 and 443):

Terminal window
mcpfw guard --upstream http://localhost:3000 --domain mcp.example.com

Bring your own cert: use --cert and --key:

Terminal window
mcpfw guard --upstream http://localhost:3000 --cert cert.pem --key key.pem

Plain HTTP: omit TLS flags (localhost or behind a reverse proxy):

Terminal window
mcpfw guard --upstream http://localhost:3000

Key rotation

Section titled “Key rotation”
Terminal window
mcpfw guard rotate-key

Rotate the MCPA signing key used for receipt chain signatures.