What endpoints does the Enforgate API expose?

The gateway has two authenticated surfaces — a verdict check and an MCP proxy — plus public, token-capability approve/deny links. Examples use the gateway at the URL below.

Authentication

All /v1/* and /mcp requests use a Bearer API key. The gateway looks up the sha256 hash of the key; missing, invalid, revoked, or expired keys get a 401. The matched key's policy is what your call is evaluated against.

auth header
Authorization: Bearer bwb_your_api_key

POST /v1/check

Returns a verdict for a single tool call and writes one audit-log entry. Use it to gate a call from your own code without proxying through MCP.

Request body: serverName and toolName are required; args is optional and evaluated in memory only (never stored):

request
curl -s https://api.enforgate.com/v1/check \
  -H "Authorization: Bearer bwb_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "serverName": "demo",
    "toolName": "send_email",
    "args": { "to": "someone@example.com" }
  }'

Response: decision is allow, deny, or require_approval:

200 response
{
  "decision": "allow",
  "reason": "matched rule 0 of policy \"default\"",
  "policyId": "8f3c…",
  "toolCallId": "1a2b…",
  "latencyMs": 6
}

Treat anything other than allow as “do not proceed.” If the audit write fails, the endpoint returns 500 and no verdict — Enforgate never allows a call it couldn't record.
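A minimal fail-closed client for POST /v1/check, added here as an example (it is not Enforgate's own SDK). Only a 200 with decision "allow" lets the call proceed; 401, 500 and anything unexpected are treated as "do not proceed". The fake_gateway transport and the key bwb_demo_key are constructed so the block runs offline.

```python
import json
import urllib.error
import urllib.request

GATEWAY = "https://api.enforgate.com"  # gateway URL from the docs


def http_send(req):
    """Default transport: real HTTP call; returns (status, body) for 4xx/5xx too."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def build_check_request(api_key, server_name, tool_name, args=None):
    """POST /v1/check body: serverName and toolName required, args optional."""
    body = {"serverName": server_name, "toolName": tool_name}
    if args is not None:
        body["args"] = args
    return urllib.request.Request(
        f"{GATEWAY}/v1/check", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})


def gate_tool_call(api_key, server_name, tool_name, args=None, send=http_send):
    """Return (proceed, decision, reason). Fails closed: only HTTP 200 with
    decision == "allow" yields proceed=True; 401, 500 and anything else do not."""
    status, text = send(build_check_request(api_key, server_name, tool_name, args))
    if status == 200:
        verdict = json.loads(text)
        decision = verdict.get("decision", "unknown")
        return decision == "allow", decision, verdict.get("reason", "")
    if status == 401:
        return False, "error", "missing, invalid, revoked or expired API key"
    if status == 500:
        return False, "error", "audit write failed; the gateway issued no verdict"
    return False, "error", f"unexpected HTTP {status}"


def fake_gateway(req):
    """Constructed offline stand-in for the gateway, not the real service."""
    if req.get_header("Authorization") != "Bearer bwb_demo_key":
        return 401, json.dumps({"error": "unauthorized"})
    tool = json.loads(req.data)["toolName"]
    verdicts = {"read_file": "allow", "send_email": "require_approval"}
    if tool not in verdicts:  # simulate an audit-write failure for anything else
        return 500, json.dumps({"error": "audit write failed"})
    return 200, json.dumps({"decision": verdicts[tool], "reason": "constructed"})
```

Pass send=fake_gateway to exercise the logic locally; drop the argument to hit the real gateway with your own key.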

POST /mcp

The MCP proxy. Connect any MCP client here with your Bearer key. On initialize the gateway opens a session bound to your key and connects to that key's upstreams. tools/list returns the upstreams' tools namespaced <upstream>__<tool>; tools/call is guarded by your policy — allowed calls are forwarded, blocked ones return an MCP error result with the reason, and approvals are held. See the integration guides for client config.

Approve / deny endpoints

These are public (no Bearer key): the capability is the single-use token in the URL, sent in the approval notification. They are rate-limited per IP.

  • GET /v1/approve/:token?action=approve — shows a duration picker (once / 1h / 8h / 24h).
  • GET /v1/approve/:token?action=deny — denies the held call.
  • POST /v1/approve/:token — resolves the approval (JSON or form): { "action": "approve", "duration": "1h" }. Used or expired tokens return 410.

resolve an approval
curl -s -X POST https://api.enforgate.com/v1/approve/THE_TOKEN \
  -H "Content-Type: application/json" \
  -d '{ "action": "approve", "duration": "1h" }'