ToolMesh
Let AI agents touch real systems
— safely.
ToolMesh is a self-hosted gateway that enforces authorization, secret injection, audit logging, and output policies on every AI agent tool call. One Go binary between your agents and your infrastructure.
Turn any REST API into agent tools.
No server. No deployment.
DADL describes any REST API as MCP tools in a single YAML file.
Ask your LLM to generate a .dadl — it works instantly.
import { Server } from "@modelcontextprotocol/sdk";
import express from "express";
const app = express();
const server = new Server({ name: "github" });
server.setRequestHandler("tools/list", () => ({
tools: [{
name: "list_repos",
description: "List repositories",
inputSchema: {
type: "object",
properties: {
sort: {
type: "string",
enum: ["created", "updated"]
}
}
}
}]
}));
server.setRequestHandler("tools/call",
async (req) => {
const resp = await fetch(
"https://api.github.com/user/repos",
{ headers: {
Authorization: "Bearer " + TOKEN
}}
);
return { content: [
{ type: "text", text: await resp.text() }
]};
});
app.use(server.transport);
app.listen(3000);
// + error handling, pagination,
// retries, auth refresh, types...spec: "https://dadl.ai/spec/v0.1"
backend:
name: github
type: rest
base_url: https://api.github.com
auth:
type: bearer
credential: github_token
defaults:
pagination:
strategy: link_header
tools:
list_repos:
method: GET
path: /user/repos
description: "List repositories"
params:
sort:
type: string
enum: [created, updated]What happens when an agent calls your API?
Agent receives: "List open invoices from Stripe"
trusted stripe_list_invoices sk_live_4eC39HqL... GET /v1/invoices?status=open [REDACTED] Agents calling production systems is terrifying.
Credentials in prompts. No audit trail. No content control. One hallucinated API call away from a data breach.
ToolMesh adds the missing layer.
Every call authenticated, authorized, credential-injected, content-gated, and logged. Fail-closed pipeline — if any check fails, nothing executes.
Ship agents faster. With confidence.
Connect more tools. Trust what runs. Prove compliance. Your AI can act — your secrets stay yours.
What you get
Connect anything
MCP servers, REST APIs via DADL — one gateway for all your backends. No new code needed.
Save context window
Code Mode: LLMs write typed JS instead of calling tools one by one. Two meta-tools replace hundreds.
See every call
Structured, SQL-queryable audit trail. Every tool invocation attributed to a user, plan, and caller.
Control who can do what
OpenFGA-based authorization. User → Plan → Tool. Deny by default, allow by policy.
Keep secrets from the model
API keys injected at runtime. The LLM never sees credentials — not in prompts, not in responses.
Block unsafe output
JavaScript policies filter PII, redact sensitive data, enforce compliance rules. Pre and post execution.
Know which agent is calling — and trust accordingly.
ToolMesh is the only known MCP gateway that differentiates which AI client triggers each tool call. Claude Code gets full access. An unknown third-party agent gets PII filtering and restricted tools. Same infrastructure, tiered trust.
| CallerClass | PII Filtering | Tool Access |
|---|---|---|
trusted | Credentials only | Full |
standard | High-risk PII + credentials | Full |
untrusted | All PII patterns | Sensitive tools blocked |
Nginx made web apps production-ready — reverse proxy, SSL, load balancing.
ToolMesh makes AI agent tool calls production-ready — authorization, credentials, audit, content gating.
Running in 60 seconds.
git clone https://github.com/DunkelCloud/ToolMesh.git && cd ToolMeshcp .env.example .env.env — set TOOLMESH_AUTH_PASSWORD and add your CREDENTIAL_* keys. docker compose upclaude mcp add toolmesh http://localhost:8123/mcpconfig/backends.yaml