Skip to content

Secure MCP control layer for AI agent tools

The open, self-hosted Enterprise Tool Library

Let AI agents touch real systems
— safely.

ToolMesh is the secure control layer between AI agents and your backends. Every tool call runs through one fail-closed pipeline: authenticate → authorize → inject credentials → gate output → execute → audit. It plugs in front of any MCP server you already run — and turns any REST API into governed tools via declarative DADL files.

Auth verified AuthZ allowed sk_live_4eC3... ******** Creds injected [email protected] [REDACTED] Gate filtered Exec executed 200 OK tool:list_repos Audit logged AI Agent API Backend REQ
MCP gateway + REST connector 3,338+ tools across 27 APIs (via DADL) Secrets hidden from LLM Every call logged (SQL audit) Harness-agnostic Open Source (Apache 2.0) Self-hosted
Works today

27 systems you can plug in out of the box.

3,338 agent-ready tools

One tool = one callable API action — list a repo, create an invoice, reboot a server. Each backend is a single YAML file; ToolMesh serves them all as governed tools behind one endpoint.

Category

ToolMesh is what an Enterprise Tool Library looks like in practice.

MCP solves how an agent talks to one tool. It does not solve how a company governs a four-digit catalog of tools across many backends. That gap is what an Enterprise Tool Library closes — and what ToolMesh + DADL implement, open and self-hosted, without a vendor in the middle.

  • One auth/authz boundary. Callers authenticate once; per-tool, per-user access via OpenFGA.
  • One coherent audit line. Every tool call lands in one SQL-queryable log — who, what, when, with which payload.
  • One declarative description language. DADL describes any REST API in YAML — versionable in git, generatable from an OpenAPI spec.
  • Constant context footprint. Code Mode keeps token cost flat as the catalog grows — see Code Mode.
Ingress path #1 — any REST API

Your LLM writes the integration.
Almost any REST API — agent-ready in minutes.

Once governance is in place, you also need a fast way to add tools. DADL describes almost any REST API as agent tools in pure YAML — your LLM can generate it from an existing OpenAPI spec, and ToolMesh exposes it through the same governance pipeline.

mcp-server.js ~120 LOC
import { Server } from "@modelcontextprotocol/sdk";
import express from "express";

const app = express();
const server = new Server({ name: "github" });

server.setRequestHandler("tools/list", () => ({
  tools: [{
    name: "list_repos",
    description: "List repositories",
    inputSchema: {
      type: "object",
      properties: {
        sort: {
          type: "string",
          enum: ["created", "updated"]
        }
      }
    }
  }]
}));

server.setRequestHandler("tools/call",
  async (req) => {
    const resp = await fetch(
      "https://api.github.com/user/repos",
      { headers: {
          Authorization: "Bearer " + TOKEN
      }}
    );
    return { content: [
      { type: "text", text: await resp.text() }
    ]};
  });

app.use(server.transport);
app.listen(3000);
// + error handling, pagination,
// retries, auth refresh, types...
Also needed: Node.js runtime npm dependencies Docker image Process manager Health checks Deployment
github.dadl 15 LOC
spec: "https://dadl.ai/spec/v0.1"
backend:
  name: github
  type: rest
  base_url: https://api.github.com
  auth:
    type: bearer
    credential: github_token
  defaults:
    pagination:
      strategy: link_header
  tools:
    list_repos:
      method: GET
      path: /user/repos
      description: "List repositories"
      params:
        sort:
          type: string
          enum: [created, updated]
Prompt "Generate a DADL file for the Hetzner Cloud API"
Result Working hetzner-cloud.dadl — 98 tools, ready to use
Ingress path #2 — existing MCP servers

Or aggregate the MCP servers you already run.

ToolMesh works without DADL too — point it at the MCP servers you already operate and every call goes through the same authorization, credential, gating and audit layers.

Without DADL AI Agent Context Window Overflow hundreds of individual tools github-mcp Node.js GitHub API stripe-mcp Node.js Stripe API hetzner-mcp Python Hetzner API deepl-mcp Go DeepL API 4 servers · 4 runtimes · 4 deployments Each server: deps, Docker, health checks, maintenance With DADL + Code Mode AI Agent Code Mode list_tools + execute_code ToolMesh github.dadl GitHub stripe.dadl Stripe hetzner.dadl Hetzner deepl.dadl DeepL YAML files · no code · no servers · no deployment 2 meta-tools replace hundreds of individual tools

What DADL is — and what it is not.

It is An open format.

The DADL specification is published under CC BY-SA 4.0 — like OpenAPI, but optimized for LLM tool use. Write your own files, version them in git, share them, fork them.

It is Local to your config.

ToolMesh reads .dadl files from your own config/ directory. The server runs fully offline and self-hosted — your DADLs never leave your infrastructure.

It is not A runtime dependency on dadl.ai.

dadl.ai is an optional community catalog — like Docker Hub for tool definitions. ToolMesh does not call dadl.ai at runtime. Pull files at build time, mirror them, write your own — all valid.

It is not Required to use ToolMesh.

ToolMesh works as a plain MCP aggregator too. Put your existing MCP servers behind it — DADL is one ingress path, not a precondition.

Runtime is Apache 2.0, spec is CC BY-SA 4.0 — nothing here is proprietary. DADL details →

What happens when an agent calls your API?

Agent receives: "List open invoices from Stripe"

Caller verified claude-code → trusted
Authorization checked User plan allows stripe_list_invoices
🔑
API key injected LLM never sees sk_live_4eC39HqL...
Request executed GET /v1/invoices?status=open
🛡️
PII redacted customer emails → [REDACTED]
📋
Call logged Queryable SQL audit trail
The risk

Agents calling production systems is terrifying.

Credentials in prompts. No audit trail. No content control. One hallucinated API call away from a data breach.

The relief

ToolMesh adds the missing layer.

Every call authenticated, authorized, credential-injected, content-gated, and logged. Fail-closed pipeline — if any check fails, nothing executes.

The power

Any API, integrated in minutes.

Point your LLM at an API spec, get a working DADL file back. No wrapper code, no deployment, no maintenance. Connect more tools — faster than ever.

Architecture at a glance

Every tool call flows through a fail-closed pipeline. If any stage rejects, nothing executes.

Claude Code trusted Claude Desktop trusted 3rd Party Agent untrusted MCP + CallerID ToolMesh Secure Execution Layer Auth OAuth 2.1 AuthZ OpenFGA Credentials Secret Inject Gate JS Policies Execute MCP / REST Audit slog / SQLite MCP Servers HTTP / STDIO Any existing MCP server DADL Library Declarative REST API descriptions — no code, no servers dadl.ai Stripe GitHub Hetzner DeepL Cloudflare any REST API 3,338+ tools across 27 APIs — community-driven registry at dadl.ai

What you get

🔌

Any API in minutes

30 lines of DADL replace a whole MCP server. LLM-generated from API specs, with auth, pagination, and retries built in.

💻

Flat token cost for 27+ backends

Code Mode swaps every tool definition for two meta-tools and a SQL-style discovery API. ~142,000 tokens to advertise 3,338+ tools collapses to ~1,000 — a factor of about 142, regardless of how big your catalog grows.

🔑

Keep secrets from the model

API keys injected at runtime by the ToolMesh server. The LLM never sees credentials — not in prompts, not in client configs, not in responses.

🔐

Control who can do what

Per-tool, per-user authorization via OpenFGA. Example: free users get read-only tools, pro users get everything.

🛡️

Multi-stage Output Gate

Layer 1 is shipping today: deterministic goja-based JS policies that block confidential payloads pre-execution and redact PII in responses. Further layers (semantic, model-assisted) are in development.

📋

See every call

SQL-queryable audit trail. Every tool invocation attributed to a user, plan, and caller. Answer 'what did that agent do?' with a query.

Know which agent is calling — and trust accordingly.

ToolMesh is the only known MCP gateway that differentiates which AI client triggers each tool call. Claude Code gets full access. An unknown third-party agent gets PII filtering and restricted tools. Same infrastructure, tiered trust.

CallerClass PII Filtering Tool Access
trusted Credentials only Full
standard High-risk PII + credentials Full
untrusted All PII patterns Sensitive tools blocked

Nginx made web apps production-ready — reverse proxy, SSL, load balancing.
ToolMesh makes AI agent tool calls production-ready — authorization, credentials, audit, content gating.

For harness builders

ToolMesh is not a harness. It is what makes a harness good.

Recent research treats an agent harness as six components — execution loop, tool registry, context, state, lifecycle hooks, verification/audit. ToolMesh implements the last three, reachable over MCP. Bring any harness, keep your observe-think-act loop; ToolMesh owns tool governance for all of them.

Claude Code OpenHands DeepAgents SemaClaw + your own

Two ways to start.

Hosted demo

Try it in 60 seconds.

Connect Claude Desktop, Claude Code or ChatGPT to our public ToolMesh instance — no install, no credentials of yours involved. The fastest way to feel what governed tool calls look like.

Open the hosted demo Demo instance — for production, self-host.
Self-host

Run your own instance.

Multi-step setup, no time promise — clone, configure your .env and backends, then start under Docker Compose. Your audit log, your credentials, your data.

1
Clone and configure
git clone https://github.com/DunkelCloud/ToolMesh.git && cd ToolMesh
cp .env.example .env
Edit .env — set TOOLMESH_AUTH_PASSWORD, TOOLMESH_API_KEY, and your CREDENTIAL_* backend keys.
2
Start
docker compose up
3
Connect your AI agent
claude mcp add -t http -H "Authorization: Bearer MY_API_KEY" -s user toolmesh http://localhost:8123/mcp
ToolMesh is now running on localhost:8123 — add backends in config/backends.yaml

Every backend, ready today

27 backends · 3,338 agent-ready tools, straight from the live registry.

NetBox NetBox DCIM/IPAM API -- full v4 coverage: sites, racks, devices, modules, interfaces, cables, power, IPAM (prefixes, IPs, VLANs, VRFs, route-targets, VLAN translation), virtualization, circuits (including virtual circuits), tenants, contacts, VPN (IKE/IPSec/L2VPN), wireless, extras (webhooks, event-rules, scripts, config-templates, bookmarks, notifications), users/permissions/tokens, and core data sources & jobs 608 tools MikroTik MikroTik RouterOS REST API -- manage interfaces, IP addresses, routing, firewall, DHCP, DNS, PPP, queues, wireless, system configuration, users, certificates, files, logs, and diagnostics on RouterOS v7.1+ devices 297 tools GitHub GitHub REST API — repositories, issues, pull requests, commits, and code search 249 tools Xen Orchestra Xen Orchestra REST API (XO 6.4+, current through 6.5) -- complete coverage: VMs (incl. PATCH update + snapshot revert), VM controllers, hosts, pools, storage (SR/VDI/VBD), networks (VIF/PIF/PBD), VM/VDI snapshots, VM templates, hardware (PCI/PGPU/SM), tasks, backups (jobs/logs/repositories/restore), schedules, messages, alarms, events (SSE), RBAC v2 (users/groups/acl-roles/acl-privileges), proxies, servers, dashboards, auth tokens, SDN traffic rules, health check 245 tools Graylog Graylog REST API -- log search (Views/Search + legacy universal), streams, pipelines, inputs, alerts, events, dashboards, users, roles, sidecars, index management, and cluster administration. Targets Graylog 6.x. 236 tools Zammad Zammad helpdesk REST API -- tickets, articles, users, organizations, groups, roles, knowledge base, SLAs, calendars, object manager (custom fields), macros, triggers, overviews, reports, time accounting, and full admin surface. Supports X-On-Behalf-Of impersonation on every endpoint. 209 tools Cloudflare Cloudflare API -- DNS, Pages, Workers, KV, R2, D1, Zones, SSL/TLS, Cache, Load Balancers, Firewall/WAF, Page Rules, Access (Zero Trust), and account management 200 tools Linode Linode (Akamai) cloud infrastructure API -- compute instances, volumes, DNS, networking, Kubernetes, databases, object storage, and account management 179 tools Hetzner Cloud Hetzner Cloud API -- servers, volumes, networks, load balancers, firewalls, floating IPs, primary IPs, images, SSH keys, placement groups, certificates, and infrastructure metadata 123 tools Zulip Zulip REST API — messages, channels (streams), topics, users, user groups, subscriptions, reactions, drafts, scheduled messages, saved snippets, presence, real-time events, invitations, attachments, custom emoji, linkifiers, and server settings. Self-hosted or Zulip Cloud. 117 tools Mastodon Mastodon REST API — statuses, timelines, accounts, notifications, search, media, lists, polls, conversations, trends, filters, and instance info. Base URL must be set to the target Mastodon instance (e.g. https://mastodon.social). 115 tools Stripe Stripe REST API — payment processing, billing, subscriptions, invoices, products, and financial infrastructure 96 tools Mempool mempool.space — Bitcoin block explorer, mempool visualizer, fee estimator, Lightning Network explorer, and transaction accelerator 93 tools Umami Umami open-source web analytics — privacy-friendly alternative to Google Analytics 89 tools Peeringdb PeeringDB v2 API -- the public peering database of networks (ASNs), Internet Exchanges, and colocation facilities: full CRUD over net, ix, fac, org, carrier, campus, point-of-contact records, and the netixlan/netfac/ixfac/carrierfac/ixlan/ixpfx relationships that map who peers where 85 tools GitLab GitLab REST API v4 — projects, issues, merge requests, pipelines, CI/CD, and code search 75 tools BookStack BookStack wiki and documentation platform REST API -- shelves, books, chapters, pages (HTML/Markdown content), attachments, image gallery, comments, cross-entity search, exports (HTML/Markdown/PDF/ZIP), ZIP imports, users, roles, content permissions, recycle bin, audit log and tags. Hierarchy: shelves > books > chapters > pages. 69 tools Tailscale Tailscale API -- devices, users, auth keys, DNS, ACL/policy, webhooks, contacts, posture integrations, log streaming, and tailnet settings 60 tools Victron VRM Victron Energy VRM API -- monitor and control solar installations, batteries, inverters, and energy systems via the Victron Remote Management portal 44 tools DokuWiki DokuWiki JSON-RPC API — wiki pages, media files, search, ACL management, and user administration 33 tools DeepL DeepL REST API — text translation (with style profiles, translation memory, glossaries and improved tag handling), document translation, multilingual glossary management, style rules CRUD, text improvement (Write), language metadata and usage tracking. Mixes /v2 and /v3 endpoints. 27 tools Vikunja Vikunja open-source task management — project planning, kanban boards, and task tracking 23 tools Elitedomains ELITEDOMAINS domain registrar API -- register/transfer/manage .de and gTLD domains, redirector & inline DNS, AuthInfo/AuthInfo2 transfer codes, RGP catcher backorders, contact handles, and marketplace offers (Sedo, sale pages) 17 tools Shelly Cloud Shelly Cloud Control API — monitor and control Shelly IoT devices (switches, covers, lights) via the Shelly Cloud 15 tools Hacker News Hacker News API — read-only access to stories, comments, polls, jobs, users, and live feeds from news.ycombinator.com 13 tools Alertmanager Prometheus Alertmanager API v2 -- alerts, silences, receivers, alert groups, status, and operational health 12 tools Algolia HN Search Algolia Hacker News Search API — full-text search, filtering, and retrieval for stories, comments, and users on Hacker News 9 tools + any REST API ~30 lines of YAML

Source: dadl.ai/registry.json — schema v1.0, refreshed on every deploy.

Project status Open source · actively developed · early stage Production usage exists in-house at Dunkel Cloud; expect API and config surface to keep moving until 1.0.
Maintained by Built by Dunkel Cloud GmbH A German cloud-engineering company. Questions or commercial support: contact.
Pricing Open source & self-hosted today. Managed service planned, not announced. No paywalled features, no “enterprise edition” today.
Research The design is written up in a paper. DADL — and the ~142× context-cost reduction — is described on arXiv (cs.SE) and archived on Zenodo with a DOI.