Quick Start

Prerequisites

Before you begin setting up MCP Fortress, ensure you have the following:

  • A valid MCP Fortress account at mcpfortress.com
  • API credentials from the Admin Dashboard
  • Node.js 16+ or Python 3.8+
  • Basic understanding of REST APIs and JSON
  • Access to your identity provider (IdP) for SSO configuration
  • Network connectivity to gateway.mcpfortress.com

Setup Steps

  1. 1

    Create an API Key

    Generate an API key in your MCP Fortress Admin Dashboard under Settings → API Keys. Store this securely as you'll need it for all API requests.

    export MCP_API_KEY="your_api_key_here"
export MCP_GATEWAY="gateway.mcpfortress.com"
  2. 2

    Initialize Your Environment

    Set up your development environment with the MCP Fortress SDK or direct HTTP calls.

    npm install @mcpfortress/sdk
# or
pip install mcpfortress-sdk
  3. 3

    Authenticate with the Gateway

    Establish your first connection to the MCP Fortress Gateway API.

    const mcp = require('@mcpfortress/sdk');

const client = new mcp.Client({
  apiKey: process.env.MCP_API_KEY,
  gateway: 'gateway.mcpfortress.com'
});

client.connect();
  4. 4

    Add Your First Connector

    Connect your first external system (Slack, GitHub, Salesforce, etc.) using the Connector Setup wizard.

    const connector = await client.connectors.create({
  type: 'slack',
  name: 'Primary Workspace',
  credentials: {
    token: 'xoxb-...'
  }
});
  5. 5

    Configure Access Policies

    Define who can access which connectors and what actions they can perform using policy rules.

    const policy = await client.policies.create({
  name: 'Engineering Team Policy',
  rules: [
    {
      resource: 'slack:primary',
      actions: ['read', 'write'],
      subjects: ['role:engineer']
    }
  ]
});
  6. 6

    Test Your Integration

    Verify that your connector and policies are working correctly by making test requests.

    const result = await client.test({
  connector: 'slack:primary',
  action: 'postMessage',
  params: {
    channel: '#general',
    text: 'Testing MCP Fortress'
  }
});

console.log(result); // { success: true, message_ts: '...' }

What Happens Behind the Scenes

When you initialize the MCP Fortress SDK and connect to the Gateway, several processes occur to ensure secure and authenticated access:

Authentication Flow

Your API key is validated against the Auth Service (auth.mcpfortress.com). Upon successful validation, you receive a temporary session token with a default 24-hour expiration. This token is used for subsequent API calls.

Connector Initialization

When you add a connector, MCP Fortress establishes a secure tunnel to the external service. Credentials are encrypted using AES-256 and stored in the Vault service. The connector then performs an initial health check to verify connectivity and permissions.

Policy Evaluation

Every request is evaluated against your configured policies before reaching the connector. This includes role-based access control (RBAC), conditional rules, and PII redaction. Requests that fail policy evaluation are logged and rejected with a 403 Forbidden response.

Audit Logging

All connector interactions are logged for compliance and debugging purposes. Logs include the user, connector, action, timestamp, and result status. Sensitive data is automatically redacted based on your PII redaction rules.

Connector Setup

Credential Types by Tier

MCP Fortress supports different credential types depending on your service tier. Each tier offers varying levels of security and complexity.

Starter

Supported Credential Types:

  • Basic Auth (Username/Password)
  • API Keys
  • Bearer Tokens

Single connector per service. Shared API endpoint.

Professional

Supported Credential Types:

  • Basic Auth
  • OAuth 2.0
  • API Keys
  • Bearer Tokens
  • SAML

Multiple connectors per service. Dedicated subdomain.

Enterprise

Supported Credential Types:

  • All Professional types
  • mTLS (Mutual TLS)
  • Custom Auth Handlers
  • Hardware Key Integration
  • SCIM Provisioning

Unlimited connectors. Private infrastructure.

Adding a Connector

Follow these steps to add a new connector to your MCP Fortress instance:

  1. 1

    Navigate to Connectors

    In the Admin Dashboard, click on "Connectors" in the left sidebar.

  2. 2

    Click "Add Connector"

    Select the service type you want to connect (e.g., Slack, GitHub, Salesforce).

  3. 3

    Enter Credentials

    Provide the required credentials based on your service tier. Credentials are encrypted immediately upon submission.

  4. 4

    Configure Connector Settings

    Set optional parameters like rate limits, timeout values, and retry policies.

  5. 5

    Test Connection

    Click "Test" to verify that MCP Fortress can successfully connect to the external service.

  6. 6

    Create Connector

    Click "Create" to finalize the connector. It will now appear in your Connectors list.

Connector Lifecycle

Connectors go through different states during their lifecycle:

ACTIVE

The connector is fully operational and can process requests. Health checks are performed every 5 minutes.

INACTIVE

The connector exists but is disabled. No requests will be routed through it. You can reactivate it from the Dashboard.

PENDING

The connector was recently created or its credentials were updated. It's undergoing initial verification and will transition to ACTIVE once ready.

ARCHIVED

The connector has been archived and cannot be used. You can restore it from the archive if needed, though this is not recommended for security reasons.

Testing Your Connector

After creating a connector, it's essential to test it to ensure it's working correctly. MCP Fortress provides several testing options:

Dashboard Test

The simplest way to test is using the Dashboard. Navigate to your connector and click the "Test" button. MCP Fortress will make a simple API call to verify connectivity.

API Test

For more comprehensive testing, use the Gateway API:

curl -X POST https://gateway.mcpfortress.com/v1/connectors/test \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "connector_id": "slack:primary",
    "action": "listChannels"
  }'

Webhook Testing

For connectors that support webhooks, you can test by triggering events in the external service. MCP Fortress logs all webhook deliveries for debugging.

Test Limitations

Test calls are not subject to rate limits but are counted in your audit logs. They do not trigger policy evaluations or PII redaction by default (unless explicitly configured).

SSO & SCIM

Supported Identity Providers (IdPs)

MCP Fortress supports enterprise-grade single sign-on (SSO) integration with the following identity providers:

IdP Protocol Tier Support Status
Okta SAML 2.0 / OpenID Connect Professional + Fully Supported
Azure AD / Entra ID SAML 2.0 / OpenID Connect Professional + Fully Supported
Google Workspace OpenID Connect Professional + Fully Supported
OneLogin SAML 2.0 Professional + Fully Supported
Ping Identity SAML 2.0 / OpenID Connect Enterprise Fully Supported
Keycloak OpenID Connect Enterprise Community Supported

SSO Configuration (4-Step Guide)

Enable enterprise single sign-on for your MCP Fortress organization:

  1. 1

    Obtain Metadata from MCP Fortress

    In the Admin Dashboard, navigate to Settings → SSO & SCIM. Under "SAML Configuration," copy your Service Provider (SP) metadata URL:

    https://auth.mcpfortress.com/saml/metadata

    Keep this handy for your IdP configuration.

  2. 2

    Configure SAML Settings in Your IdP

    In your identity provider (e.g., Okta), create a new SAML application with these settings:

    Single Sign-On URL: https://auth.mcpfortress.com/saml/acs
Audience URI: https://auth.mcpfortress.com
Name ID Format: emailAddress
Attribute Mappings:
  - email → http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  - firstName → http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  - lastName → http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  - groups → http://schemas.xmlsoap.org/claims/Group
  3. 3

    Upload IdP Metadata to MCP Fortress

    In MCP Fortress Settings → SSO & SCIM, click "Upload IdP Metadata" and select your IdP's metadata XML file.

    // Example IdP metadata structure (will be auto-populated)
{
  "sso_url": "https://idp.example.com/app/abc123/sso/saml",
  "certificate": "-----BEGIN CERTIFICATE-----\n...",
  "entity_id": "https://idp.example.com/app/abc123"
}
  4. 4

    Enable SSO and Test

    Toggle "Enable SAML SSO" to activate single sign-on. Log out and test by clicking "Sign in with SSO" on the login page. A successful redirect to your IdP confirms the configuration is correct.

    Fallback Access

    Until you confirm SSO is working, keep your original login credentials. You can disable password-based login from the same settings page once SSO is fully operational.

SCIM Provisioning

System for Cross-domain Identity Management (SCIM) allows your IdP to automatically provision and deprovision users in MCP Fortress, keeping your organization's access synchronized with your authoritative identity source.

Enable SCIM in MCP Fortress

In Settings → SSO & SCIM, find the "SCIM Configuration" section:

  • Click "Generate SCIM Credentials" to get a unique API token
  • Your SCIM endpoint is: https://api.mcpfortress.com/scim/v2
  • Copy this information to your IdP's SCIM configuration

SCIM Operations Supported

MCP Fortress fully supports the following SCIM 2.0 operations:

  • User Provisioning: Automatically create users when they're added to your IdP
  • User Updates: Sync profile changes (name, email, phone) to MCP Fortress
  • User Deprovisioning: Automatically suspend users when removed from the IdP
  • Group Provisioning: Create groups and manage group membership based on IdP groups
  • Attribute Mapping: Map custom attributes from your IdP to MCP Fortress roles
SCIM Best Practices

Only enable SCIM if your IdP supports it. Ensure your IdP configuration is correct before enabling, as incorrect settings can lead to duplicate users or access conflicts.

Policy Configuration

Overview: 3 Layers of Policy

MCP Fortress enforces access control through three complementary policy layers, allowing you to define granular, organization-specific security rules:

Layer 1: Connector Policies

Define which users or roles can access specific connectors. Example: "Only the engineering team can access the GitHub connector."

Layer 2: Role Policies

Define granular actions users with specific roles can perform. Example: "Developers can read and write code, but only maintainers can delete repositories."

Layer 3: Conditional Rules

Add dynamic conditions based on time, rate limits, IP addresses, or other factors. Example: "Allow access only during business hours from the office network."

Role Policies with JSON Configuration

Role policies are the foundation of access control in MCP Fortress. You define a JSON policy document that specifies which actions are allowed for each role and resource.

Example Role Policy

{
  "version": "1.0",
  "name": "Engineering Team Policy",
  "description": "Access policies for the engineering team",
  "statements": [
    {
      "sid": "AllowGitHubAccess",
      "effect": "allow",
      "actions": [
        "github:readRepository",
        "github:readPullRequest",
        "github:createPullRequest",
        "github:reviewPullRequest"
      ],
      "resources": ["github:primary"],
      "principals": ["role:engineer"]
    },
    {
      "sid": "AllowSlackMessaging",
      "effect": "allow",
      "actions": [
        "slack:readChannels",
        "slack:postMessage",
        "slack:createChannel"
      ],
      "resources": ["slack:*"],
      "principals": ["role:engineer", "role:manager"]
    },
    {
      "sid": "RestrictDangerousOperations",
      "effect": "deny",
      "actions": [
        "github:deleteRepository",
        "github:modifyTeamAccess"
      ],
      "resources": ["github:*"],
      "principals": ["role:*"]
    }
  ]
}

Policy Structure

  • sid: Unique statement identifier for logging and audit purposes
  • effect: Either "allow" or "deny" (deny takes precedence)
  • actions: Array of action identifiers in format service:action
  • resources: Array of resource identifiers; use * for wildcards
  • principals: Array of role identifiers or user IDs; use "role:*" for all roles

Conditional Rules

Extend your policies with conditional logic for time-based, rate-limited, IP-restricted, and contextual access:

Time Window Rule

Restrict access to specific times of day or days of the week:

{
  "type": "timeWindow",
  "name": "Business Hours Only",
  "condition": {
    "dayOfWeek": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"],
    "startTime": "09:00",
    "endTime": "17:00",
    "timezone": "America/New_York"
  },
  "effect": "allow"
}

Rate Limit Rule

Control request frequency to prevent abuse:

{
  "type": "rateLimit",
  "name": "API Rate Limit",
  "condition": {
    "requestsPerMinute": 100,
    "requestsPerHour": 5000,
    "windowType": "sliding"
  },
  "effect": "allow"
}

IP Restriction Rule

Allow access only from specific IP addresses or ranges:

{
  "type": "ipRestriction",
  "name": "Office Network Only",
  "condition": {
    "allowedIPs": [
      "203.0.113.0/24",
      "198.51.100.42"
    ],
    "mode": "whitelist"
  },
  "effect": "allow"
}

PII Redaction Rules

Automatically redact personally identifiable information (PII) from API responses to comply with data protection regulations:

Built-in PII Patterns

MCP Fortress can automatically detect and redact:

  • Email addresses
  • Phone numbers
  • Social Security Numbers (SSNs)
  • Credit card numbers
  • API keys and tokens
  • IP addresses
  • Names (optional, if configured)

Custom PII Rules

Define custom PII detection with regular expressions:

{
  "rules": [
    {
      "name": "Employee ID",
      "pattern": "EMP-\\d{6}",
      "replacement": "[REDACTED_EMP_ID]",
      "scope": ["response_body"],
      "connectors": ["hrms:*"]
    },
    {
      "name": "Customer Data",
      "pattern": "customer_[a-z0-9]{20}",
      "replacement": "[REDACTED_CUSTOMER_ID]",
      "scope": ["response_body", "logs"],
      "connectors": ["salesforce:*", "hubspot:*"]
    }
  ]
}
PII Redaction Limitations

Redaction is applied at the API response layer. Data stored in external systems remains unchanged. For maximum privacy, combine PII redaction with field-level access controls in your role policies.

API Reference

MCP Gateway API

The MCP Fortress Gateway API uses JSON-RPC 2.0 for all communication. All requests are made over HTTPS to gateway.mcpfortress.com.

Authentication

Include your API token in the Authorization header:

Authorization: Bearer YOUR_API_TOKEN

JSON-RPC Request Format

{
  "jsonrpc": "2.0",
  "id": "unique-request-id",
  "method": "connectors.list",
  "params": {
    "limit": 10,
    "offset": 0
  }
}

JSON-RPC Response Format

{
  "jsonrpc": "2.0",
  "id": "unique-request-id",
  "result": {
    "connectors": [
      {
        "id": "slack:primary",
        "type": "slack",
        "name": "Primary Workspace",
        "status": "active",
        "created_at": "2024-01-15T10:30:00Z"
      }
    ],
    "total": 1
  }
}

Error Response

{
  "jsonrpc": "2.0",
  "id": "unique-request-id",
  "error": {
    "code": -32600,
    "message": "Invalid Request",
    "data": {
      "details": "Missing required parameter: connector_id"
    }
  }
}

Core Gateway Methods

connectors.list

List all connectors in your organization.

Parameters:
  • limit (optional, integer): Max 100, default 20
  • offset (optional, integer): For pagination
  • status (optional, string): Filter by "active", "inactive", "pending"
Returns: Array of connector objects with metadata

connectors.get

Retrieve a specific connector by ID.

Parameters:
  • connector_id (required, string): Format "service:name"
Returns: Connector object with full configuration

connectors.create

Create a new connector.

Parameters:
  • type (required, string): Service type (slack, github, etc.)
  • name (required, string): Display name
  • credentials (required, object): Authentication credentials
Returns: Created connector object

connectors.execute

Execute an action through a connector.

Parameters:
  • connector_id (required, string): Target connector
  • action (required, string): Action to execute
  • params (required, object): Action parameters
Returns: Action result object

Admin API

The Admin API provides management functions for organization-level operations. Access is restricted to users with admin privileges.

Admin API Endpoints

Method Endpoint Description
GET /admin/users List all users in organization
POST /admin/users Create a new user
GET /admin/users/{id} Get user details
PUT /admin/users/{id} Update user information
DELETE /admin/users/{id} Deactivate a user
GET /admin/roles List all roles
POST /admin/roles Create custom role
GET /admin/policies List access policies
POST /admin/policies Create new policy
GET /admin/audit View audit logs

Webhook Events

MCP Fortress sends webhook events for important system changes. Configure webhooks in Settings → Webhooks.

Supported Event Types

  • connector.created: New connector added
  • connector.updated: Connector configuration changed
  • connector.deleted: Connector removed
  • connector.status_changed: Connector status changed (active/inactive)
  • user.created: New user provisioned
  • user.updated: User profile changed
  • user.deleted: User deprovisioned
  • policy.created: New policy created
  • policy.updated: Policy modified
  • access.denied: Request denied by policy
  • access.granted: Request allowed (high-volume)
  • alert.security: Security alert triggered

Webhook Payload Format

{
  "id": "evt_abc123",
  "type": "connector.created",
  "timestamp": "2024-03-02T15:30:00Z",
  "organization_id": "org_xyz",
  "data": {
    "connector_id": "slack:primary",
    "connector_type": "slack",
    "connector_name": "Primary Workspace",
    "created_by": "user@example.com"
  }
}
Webhook Delivery Guarantee

MCP Fortress uses exponential backoff to retry failed webhook deliveries up to 5 times over 24 hours. Webhook requests include an X-MCP-Signature header for verification.

Admin Dashboard

Dashboard Overview

The MCP Fortress Admin Dashboard provides comprehensive visibility into your organization's connectors, users, access patterns, and security posture.

Status Board

The Status Board is your first view when opening the Dashboard. It displays:

  • Connected Connectors: Total count of active, inactive, and pending connectors
  • Active Users: Number of logged-in users in the last 24 hours
  • API Requests: Request volume in the last hour, day, and week
  • System Health: Status of all MCP Fortress services (gateway, auth, vault)
  • Security Alerts: Recent security events requiring attention
  • Upcoming Maintenance: Scheduled maintenance windows
Real-time Updates

The Status Board updates in real-time using WebSocket connections. Refresh rates vary: connectors update every 30 seconds, API metrics every minute, and health status every 5 seconds.

Policy Radar

Policy Radar visualizes your organization's access control configuration. It shows:

  • Policy Coverage: Which connectors have active policies assigned
  • Role Distribution: How users are distributed across roles
  • Access Patterns: Most-used connectors and actions
  • Policy Conflicts: Overlapping or contradicting policy rules
  • Unused Policies: Policies that haven't been evaluated recently

Use Policy Radar to:

  • Identify overly permissive policies that should be restricted
  • Find unused policies that can be archived
  • Detect privilege creep and excessive access accumulation
  • Optimize policy efficiency and reduce complexity

Traffic Feed

The Traffic Feed displays real-time logs of all connector access requests. Each entry shows:

  • Timestamp: When the request was made
  • User: Who made the request
  • Connector: Which connector was accessed
  • Action: What action was performed
  • Status: Allowed, denied, or error
  • Duration: Request execution time
  • Details: Additional context or error messages

Filter the Traffic Feed by:

  • User or role
  • Connector type or instance
  • Action name
  • Status (allowed/denied/error)
  • Time range
  • Response time (slow requests)
Traffic Feed Retention

Traffic logs are retained for 30 days on the free tier, 90 days on Professional, and unlimited on Enterprise. Export logs via API for long-term storage.

Vault

The Vault section provides visibility into your encrypted secrets and credentials:

  • Stored Credentials: Count and types of credentials in the vault
  • Credential Age: When credentials were last rotated
  • Expiration Warnings: Alerts for credentials approaching expiration
  • Access Audit: Who accessed which credentials and when

From the Vault, you can:

  • Rotate credentials for any connector
  • View credential age and expiration dates
  • Set automatic rotation policies
  • Audit credential access history
Credential Visibility

For security reasons, you cannot view the full credential values in the Dashboard. You can only verify that credentials exist and review their metadata. To update credentials, you must provide new values through the connector setup process.

Change Log

The Change Log tracks all modifications to your MCP Fortress configuration:

  • Connector Changes: Added, updated, or deleted connectors
  • Policy Changes: Created, modified, or removed policies
  • User Changes: New users, role assignments, deactivations
  • Setting Changes: Configuration updates to organization settings
  • Integration Changes: SSO, SCIM, or webhook configuration updates

Each change log entry includes:

  • Timestamp of the change
  • User who made the change
  • Type of change (create/update/delete)
  • Resource affected (connector, policy, user, etc.)
  • Before/after values for updates
  • Reason or notes (if provided)

The Change Log provides a complete audit trail for compliance and troubleshooting purposes. Export the entire log via the Dashboard.

Billing & Metering

How User Metering Works

MCP Fortress measures usage based on the number of unique users accessing connectors each month. This "active user" model ensures you only pay for the team members actually using the platform.

Active User Definition

A user is counted as active if they:

  • Successfully authenticate to the MCP Fortress Gateway
  • Make at least one API request through any connector
  • During a calendar month

Users are counted once per month regardless of the number of requests they make. A user making 100 requests counts the same as a user making 1 request.

Monthly Reset

The active user count resets on the first day of each month (UTC). Users who accessed MCP Fortress in January are counted toward January's billing; February's count starts fresh on February 1st.

Service Accounts

Service accounts and API-only access methods are counted differently. Each unique API key or OAuth client ID counts as one user. Monitor your service accounts separately in the Dashboard.

User Packs and Overage

MCP Fortress pricing is based on prepaid user packs with a predictable overage model:

Starter Pack
$150

Includes: 25 active users

Overage: $8/user/month

Professional Pack
$400

Includes: 100 active users

Overage: $5/user/month

Enterprise Pack
Custom

Includes: Unlimited users

Annual contract pricing

Overage Example

If you purchase a Professional Pack (100 users at $400/month) and 120 users are active in a month, you'll be charged:

  • Professional Pack: $400
  • Overage: 20 users × $5 = $100
  • Total: $500

Pricing Tiers

Choose the pricing tier that best fits your organization's needs. All tiers include unlimited connectors and API requests.

Starter
$150/mo

Best for: Small teams testing MCP Fortress

  • 25 active users included
  • Unlimited connectors
  • Basic connector setup
  • Email support
  • 30-day audit logs
  • RBAC with basic policies
Professional
$400/mo

Best for: Growing teams with multiple services

  • 100 active users included
  • Unlimited connectors
  • Advanced connector setup
  • Priority email & chat support
  • 90-day audit logs
  • Advanced RBAC and conditional rules
  • SAML/OIDC SSO
  • Webhook events
  • PII redaction
Enterprise
Custom

Best for: Large organizations with specialized needs

  • Unlimited active users
  • Unlimited connectors
  • Dedicated setup support
  • 24/7 phone & email support
  • Unlimited audit logs
  • Advanced policy engine
  • SCIM provisioning
  • mTLS and custom auth handlers
  • SLA guarantees
  • Custom integrations
  • Dedicated account manager

Billing Management

Manage your billing and subscription in the Admin Dashboard under Settings → Billing & Subscription:

Invoice History

View and download all past invoices. Invoices are automatically generated on your billing date and emailed to your billing contact.

Payment Methods

Update your credit card or payment method at any time. MCP Fortress accepts all major credit cards and supports ACH transfers for Enterprise customers.

Billing Alerts

Set up email notifications for:

  • When usage approaches pack limits
  • When overages are incurred
  • When payment fails
  • When renewal is approaching

Usage Dashboard

Monitor your active user count throughout the month:

  • Current Month: Real-time count of active users so far
  • Forecast: Estimated month-end total based on current trend
  • Previous Months: Historical usage data for comparison
  • User List: See which users are counted as active this month

Plan Upgrade / Downgrade

Change your pricing tier at any time from the Billing page. Upgrades take effect immediately; downgrades take effect at your next renewal date. Prorated adjustments are applied automatically.

No Long-term Lock-in

MCP Fortress offers month-to-month billing by default. You can cancel at any time with no penalty. Enterprise customers can negotiate annual contracts with volume discounts.

Common Billing Questions

Do inactive users count toward billing?

No. Only users who successfully authenticate and make at least one API request during the month are counted. If a user has credentials in MCP Fortress but never uses them, they won't be counted.

Can I use the same user account across multiple organizations?

Each organization has its own user base. A person can have accounts in multiple organizations, and each organization's billing is independent.

What happens if I exceed my pack limits?

MCP Fortress will continue to work normally. You'll be charged overage fees on your next invoice. You can upgrade your pack at any time to reduce per-user overage costs.

Are there free trial offers?

Yes! New organizations get a 14-day free trial of the Professional tier (100 users). No credit card required to start the trial.

How are connectors and API requests billed?

Connectors and API requests are unlimited on all tiers. You pay only for active users, not for the number of connectors or requests.