Open-Source Guard Proxy for MCP

Security Middleware
for AI Agents

Latch sits between your agent and its MCP tools. Every tool call is intercepted, classified, and enforced against your policies before it reaches the upstream server.

Self-hosted · MIT Licensed

Approval Required

Agent paused — awaiting human review

Tool: email_send
Action: SEND
Risk: Medium
Agent: Claude Desktop

Guard Proxy for MCP

Latch wraps your MCP servers. Operations your policies allow pass straight through; shell commands, external sends, and destructive actions are held for your approval or blocked outright.

Human in the Loop

Your agent wants to search for passwords or nuke a database? Latch pauses it, notifies you on Telegram, and waits for your call.

Self-Hosted. MIT Licensed.

Run on your own infrastructure with Docker. No cloud dependency. Your data never leaves your control. Read every line of code.

LLM-Evaluated Policies

Write rules
in plain English.

No regex. No YAML. Write policy conditions in natural language and an LLM evaluates each tool call against them in real time. Or skip the LLM entirely and create rule-based policies by tool name, action class, or domain.

LLM-evaluated policy conditions
"Block password file access" · "Approve external emails"
Searches targeting sensitive files: Deny
Outbound sends to external recipients: Approve

Pending Approval

Claude Desktop requested a shell command

agent requested:
shell_exec "rm -rf ./photos/family/*"
Action: EXECUTE
Risk Level: High

Approval workflow

One tap to approve.
One tap to block.

Risky tool calls pause and notify you via the dashboard or Telegram. Each approval is redeemed with a single-use token, so a captured approval can't be replayed, and grants a time-limited lease that expires on its own.

Full audit trail

Every tool call.
Every decision.

Full history of every request, what Latch decided, and why. Sensitive arguments are automatically redacted. See what your agent tried — even when it was blocked.
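One way to redact arguments before they reach the audit record, as an added example in TypeScript rather than Latch's own audit code. The key list, value patterns, record shape and sample calls are assumptions made for the example.

```typescript
// Added example, not Latch's own code: redact sensitive tool-call arguments
// before they go into the audit record, matching both argument names and
// secret-shaped values, recursing through nested objects and arrays. The key
// list, value patterns and sample calls are assumptions.

// Anchored to the whole argument name: "password" matches, "password_file" does not.
const SENSITIVE_KEY = /^(pass(word|wd|phrase)?|secret|token|api[-_]?key|authorization|cookie|private[-_]?key)$/i;

// Value patterns are replaced inside strings so the surrounding context
// (the command, the path, the request) stays readable for the reviewer.
const SENSITIVE_VALUE: Array<[string, RegExp]> = [
  ["bearer",  /\bBearer\s+[A-Za-z0-9._~+/-]+=*/g],
  ["pem-key", /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g],
  ["aws-key", /\bAKIA[0-9A-Z]{16}\b/g],
  ["github",  /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g],
];

function redactString(s: string): string {
  let out = s;
  for (const [label, re] of SENSITIVE_VALUE) out = out.replace(re, `[REDACTED:${label}]`);
  return out;
}

// Keys are kept so the log still shows *that* a credential was passed; only
// the value is replaced. A depth limit guards against hostile nesting.
function redact(value: unknown, depth = 0): unknown {
  if (depth > 32) return "[REDACTED:depth-limit]";
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEY.test(k) ? "[REDACTED]" : redact(v, depth + 1);
    }
    return out;
  }
  return value;   // numbers, booleans, null and undefined pass through
}

interface CallRecord {
  agent: string;
  tool: string;
  action: string;
  decision: "ALLOW" | "APPROVE" | "DENY";
  rule?: string;                    // which policy produced the decision
  args: Record<string, unknown>;    // raw arguments as the agent sent them
}

interface AuditEntry extends Omit<CallRecord, "args"> {
  at: string;
  args: unknown;                    // redacted copy; the raw args are never persisted
}

// Built for every call, blocked ones included, so "what the agent tried"
// is on record even when nothing reached the upstream server.
function auditEntry(rec: CallRecord, at: Date = new Date()): AuditEntry {
  return { ...rec, at: at.toISOString(), args: redact(rec.args) };
}

// Constructed sample: a shell command carrying a bearer token in a header.
const sample = auditEntry({
  agent: "Claude Desktop",
  tool: "shell_exec",
  action: "EXECUTE",
  decision: "APPROVE",
  rule: "shell needs approval",
  args: { cmd: "curl -H 'Authorization: Bearer eyJhbGciOi.payload.sig' https://api.example/v1" },
});
console.log(JSON.stringify(sample, null, 2));
```

Key matching is anchored to the whole argument name, so a path argument such as password_file stays visible while a password value is masked, and the key itself is kept so a reviewer still sees that a credential was passed. The redacted copy is the only thing persisted, and an entry is produced for DENY decisions too.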

Live Activity (streaming)

Tool         Action    Risk   Time
email_send   SEND      Med    2s ago
shell_exec   EXECUTE   High   5s ago
notes_read   READ      Low    12s ago
file_write   WRITE     Low    18s ago
email_send   SEND      Med    25s ago
shell_exec   EXECUTE   High   31s ago

How it works

Three tiers of defense

Every tool call your agent makes passes through Latch. Each one is classified by action type, matched against your policies, and routed accordingly.

MCP clients (stdio transport): Claude Desktop, Cursor IDE, Custom Agent
        |
        v
Latch CLI (@latchagent/cli): intercepts calls, classifies actions, routes to server
        |
        |  HTTPS API
        v
Latch Server
  Policy Engine   - match and precedence
  LLM Evaluator   - semantic analysis
  Approval Queue  - human-in-the-loop
        |
        |  ALLOW / APPROVE / DENY
        v  (only if allowed)
Upstream MCP servers: Filesystem, GitHub, Database, Shell
TIER 1

Pass Through

Reads and internal writes flow automatically. No approval step for safe operations your policies explicitly allow; they are forwarded as soon as the policy check passes.

TIER 2

Require Approval

Shell commands, external sends, and risky actions pause until you approve — via dashboard or Telegram with one tap.

TIER 3

Block Entirely

Payments, destructive operations, password searches — blocked before they ever execute. Most-specific rule wins.
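The matching and precedence logic these three tiers describe, written out as an added example in TypeScript. It is not Latch's code: the rule fields (tool name, action class, domain, recipient) are the ones this page lists, but the specificity weights, the name-based classifier, the tie-break and the sample policy are assumptions made for the example.

```typescript
// Added example, not Latch's own code: classify a tool call by action class
// and resolve the most specific matching rule. Rule shape, specificity
// weights, classification heuristics and sample calls are all assumptions.

type Action = "read" | "write" | "execute" | "send";
type Decision = "ALLOW" | "APPROVE" | "DENY";

interface ToolCall {
  tool: string;
  args: Record<string, unknown>;
}

// Every field left undefined is a wildcard; each one set narrows the rule.
interface Rule {
  name: string;
  decision: Decision;
  action?: Action;
  domain?: string;     // domain of a recipient address or URL argument
  tool?: string;
  recipient?: string;  // exact recipient address
}

// Heuristic classification from the tool name (an assumed naming convention);
// a real proxy should also use the tool's declared schema and annotations.
function classify(call: ToolCall): Action {
  const name = call.tool.toLowerCase();
  if (/(^|_)(exec|run|shell|sh)($|_)/.test(name)) return "execute";
  if (/(^|_)(send|post|email|notify)($|_)/.test(name)) return "send";
  if (/(^|_)(write|create|update|edit|delete|rm)($|_)/.test(name)) return "write";
  return "read";
}

function recipientOf(call: ToolCall): string | undefined {
  const r = call.args["to"] ?? call.args["recipient"];
  return typeof r === "string" ? r.toLowerCase() : undefined;
}

function domainOf(call: ToolCall): string | undefined {
  const rcpt = recipientOf(call);
  if (rcpt !== undefined && rcpt.includes("@")) return rcpt.split("@")[1];
  const url = call.args["url"];
  if (typeof url !== "string") return undefined;
  try { return new URL(url).hostname.toLowerCase(); } catch { return undefined; }
}

function matches(rule: Rule, call: ToolCall, action: Action): boolean {
  if (rule.tool !== undefined && rule.tool !== call.tool) return false;
  if (rule.action !== undefined && rule.action !== action) return false;
  if (rule.domain !== undefined && rule.domain !== domainOf(call)) return false;
  if (rule.recipient !== undefined && rule.recipient !== recipientOf(call)) return false;
  return true;
}

// Narrower dimensions weigh more, so recipient > tool > domain > action class.
function specificity(rule: Rule): number {
  return (rule.action ? 1 : 0) + (rule.domain ? 2 : 0) + (rule.tool ? 4 : 0) + (rule.recipient ? 8 : 0);
}

const strictness: Record<Decision, number> = { ALLOW: 0, APPROVE: 1, DENY: 2 };

interface Verdict { decision: Decision; action: Action; rule?: string }

// Most specific rule wins; equally specific rules resolve to the stricter
// decision, and a call matching no rule falls back to APPROVE (fail closed).
function decide(rules: Rule[], call: ToolCall, fallback: Decision = "APPROVE"): Verdict {
  const action = classify(call);
  let best: Rule | undefined;
  for (const r of rules) {
    if (!matches(r, call, action)) continue;
    if (best === undefined
        || specificity(r) > specificity(best)
        || (specificity(r) === specificity(best) && strictness[r.decision] > strictness[best.decision])) {
      best = r;
    }
  }
  return best ? { decision: best.decision, action, rule: best.name } : { decision: fallback, action };
}

// Constructed sample policy mirroring the three tiers described above.
const samplePolicy: Rule[] = [
  { name: "reads pass",            decision: "ALLOW",   action: "read" },
  { name: "writes pass",           decision: "ALLOW",   action: "write" },
  { name: "shell needs approval",  decision: "APPROVE", action: "execute" },
  { name: "sends need approval",   decision: "APPROVE", action: "send" },
  { name: "internal mail passes",  decision: "ALLOW",   action: "send", domain: "example.com" },
  { name: "no payments",           decision: "DENY",    tool: "payment_create" },
  { name: "never mail old vendor", decision: "DENY",    tool: "email_send", recipient: "billing@oldvendor.example" },
];

console.log(decide(samplePolicy, { tool: "email_send", args: { to: "bob@partner.example", body: "hi" } }));
```

Two design points worth carrying into any engine of this shape: ties between equally specific rules resolve to the stricter decision, and a call that matches nothing falls back to APPROVE rather than ALLOW, so an unlisted tool is never silently forwarded. Where natural-language conditions are evaluated alongside rules like these, keep deterministic DENY rules for the Tier 3 cases, since an LLM judgement over arguments the agent controls is a weaker last line than a fixed rule.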

Under the hood

One proxy, full coverage

Policy Engine

Rules by tool name, action class, domain, and recipient. Most-specific rule wins.

LLM Policies

Write conditions in plain English. An LLM evaluates each tool call against them in real time.

Approval Workflow

Risky actions pause for your approval. Single-use tokens and time-limited leases prevent replay.

Telegram Alerts

Get notified when your agent needs permission. Approve or deny with one tap from your phone.

Audit Log

Full history of every tool call, decision, and outcome. Sensitive arguments auto-redacted.

Action Classification

Every tool call is classified as read, write, execute, or send, so one policy can cover a whole class of actions instead of naming each tool.

Tool Discovery

Auto-discovers tools from upstream MCP servers. Write per-tool policies without maintaining a tool list by hand.

Upstream Management

Import from Claude Desktop or Cursor configs. Supports stdio and HTTP transports.

Self-Hosted

Run on your own infrastructure with Docker. No cloud dependency. Your data stays yours.

Open Source

MIT licensed. Read the code, contribute, or fork it. Security through openness.

Common questions

FAQ

Latch is an open-source guard proxy that sits between your AI agent and its MCP tools. Every tool call is intercepted, classified by action type, and enforced against your security policies — before it ever reaches the upstream server.

Ready in five minutes.

Clone the repo, run with Docker, and wrap your first MCP server. Built for developers who want AI agents they can actually trust.