ToolMesh — Secure MCP control layer for AI agent tools
Let AI agents touch real systems — safely.
ToolMesh is the secure control layer between AI agents and your backends. Every tool call runs through one fail-closed pipeline: authenticate → authorize → inject credentials → gate output → execute → audit. It plugs in front of any MCP server you already run — and turns any REST API into governed tools via declarative DADL files.
ToolMesh is what an Enterprise Tool Library looks like in practice.
MCP solves how an agent talks to one tool. It does not solve how a company governs a catalog of thousands of tools across many backends. That gap is what an Enterprise Tool Library closes — and what ToolMesh + DADL implement, open and self-hosted, without a vendor in the middle.
- One auth/authz boundary. Callers authenticate once; per-tool, per-user access via OpenFGA.
- One coherent audit line. Every tool call lands in one SQL-queryable log — who, what, when, with which payload.
- One declarative description language. DADL describes any REST API in YAML — versionable in git, generatable from an OpenAPI spec.
- Constant context footprint. Code Mode keeps token cost flat as the catalog grows — see Code Mode.
Your LLM writes the integration.
Almost any REST API — agent-ready in minutes.
Once governance is in place, you also need a fast way to add tools. DADL describes almost any REST API as agent tools in pure YAML — your LLM can generate it from an existing OpenAPI spec, and ToolMesh exposes it through the same governance pipeline.
Hand-written MCP server (TypeScript), the part DADL replaces:

```typescript
import express from "express";
import { Server } from "@modelcontextprotocol/sdk/server/index.js";
import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";

// The backend token lives in this process; every wrapper you write needs its own copy.
const TOKEN = process.env.GITHUB_TOKEN ?? "";

function createServer(): Server {
  const server = new Server({ name: "github", version: "0.1.0" }, { capabilities: { tools: {} } });
  server.setRequestHandler(ListToolsRequestSchema, async () => ({
    tools: [{
      name: "list_repos",
      description: "List repositories",
      inputSchema: {
        type: "object",
        properties: { sort: { type: "string", enum: ["created", "updated"] } },
      },
    }],
  }));
  server.setRequestHandler(CallToolRequestSchema, async (req) => {
    if (req.params.name !== "list_repos") throw new Error(`unknown tool ${req.params.name}`);
    const url = new URL("https://api.github.com/user/repos");
    const sort = req.params.arguments?.sort;
    if (typeof sort === "string") url.searchParams.set("sort", sort);
    const resp = await fetch(url, { headers: { Authorization: "Bearer " + TOKEN } });
    return { content: [{ type: "text", text: await resp.text() }] };
  });
  return server;
}

const app = express();
app.use(express.json());
// Stateless Streamable HTTP: one server/transport pair per request
app.post("/mcp", async (req, res) => {
  const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined });
  const server = createServer();
  res.on("close", () => { transport.close(); server.close(); });
  await server.connect(transport);
  await transport.handleRequest(req, res, req.body);
});
app.listen(3000);
// + error handling, pagination, retries, auth refresh, types...
```

The same tool as a DADL file:

```yaml
spec: "https://dadl.ai/spec/v0.1"
backend:
  name: github
  type: rest
  base_url: https://api.github.com
  auth:
    type: bearer
    credential: github_token
  defaults:
    pagination:
      strategy: link_header
tools:
  list_repos:
    method: GET
    path: /user/repos
    description: "List repositories"
    params:
      sort:
        type: string
        enum: [created, updated]
```

hetzner-cloud.dadl — 98 tools, ready to use

Or aggregate the MCP servers you already run.
ToolMesh works without DADL too — point it at the MCP servers you already operate and every call goes through the same authorization, credential, gating and audit layers.
What DADL is — and what it is not.
The DADL specification is published under CC BY 4.0 — like OpenAPI, but optimized for LLM tool use. Write your own files, version them in git, share them, fork them.
ToolMesh reads .dadl files from your own config/ directory. The server runs fully offline and self-hosted — your DADLs never leave your infrastructure.
dadl.ai is an optional community catalog — like Docker Hub for tool definitions. ToolMesh does not call dadl.ai at runtime. Pull files at build time, mirror them, write your own — all valid.
ToolMesh works as a plain MCP aggregator too. Put your existing MCP servers behind it — DADL is one ingress path, not a precondition.
Runtime is Apache 2.0, spec is CC BY 4.0 — nothing here is proprietary. DADL details →
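The page says a DADL file can be generated from an OpenAPI spec and lets an LLM do the writing. What follows is an added example, not code from the ToolMesh or DADL projects: a deterministic JavaScript sketch of that mapping which emits only the DADL keys visible in the sample above (spec, backend with name/type/base_url/auth, and tools with method/path/description/params). The OpenAPI document is constructed inline; treating path parameters as agent-visible params, the integer type and the credential reference name github_token are assumptions, since the page does not show them.

```javascript
// Added example, not DADL/ToolMesh project code: a deterministic sketch of the
// OpenAPI -> DADL mapping. Only the DADL keys shown on the page are emitted
// (spec, backend.name/type/base_url/auth, tools.<name>.method/path/description/params);
// everything else about the DADL format is outside this sketch.

// Constructed sample OpenAPI 3 document, inline so the example runs offline.
const sampleOpenApi = {
  openapi: "3.0.0",
  info: { title: "github" },
  servers: [{ url: "https://api.github.com" }],
  paths: {
    "/user/repos": {
      get: {
        operationId: "list_repos",
        summary: "List repositories",
        parameters: [
          { name: "sort", in: "query", schema: { type: "string", enum: ["created", "updated"] } },
          { name: "per_page", in: "query", schema: { type: "integer" } },
        ],
      },
    },
    "/repos/{owner}/{repo}/issues": {
      post: {
        operationId: "create_issue",
        summary: "Create an issue",
        parameters: [
          { name: "owner", in: "path", required: true, schema: { type: "string" } },
          { name: "repo", in: "path", required: true, schema: { type: "string" } },
        ],
      },
    },
  },
};

const HTTP_METHODS = new Set(["get", "post", "put", "patch", "delete"]);

// Build the DADL object. `credentialName` is only a reference that ToolMesh
// resolves at runtime; the secret itself never enters the generated file.
function openApiToDadl(doc, credentialName) {
  const tools = {};
  for (const [path, item] of Object.entries(doc.paths)) {
    for (const [method, op] of Object.entries(item)) {
      if (!HTTP_METHODS.has(method)) continue;          // skip summary/parameters/etc.
      const name = op.operationId;
      if (!name) throw new Error(`${method.toUpperCase()} ${path} has no operationId`);
      if (tools[name]) throw new Error(`duplicate operationId ${name}`);
      const params = {};
      for (const p of op.parameters || []) {
        // assumption: query and path parameters both become agent-visible `params`
        const entry = { type: (p.schema && p.schema.type) || "string" };
        if (p.schema && p.schema.enum) entry.enum = p.schema.enum;
        params[p.name] = entry;
      }
      const tool = { method: method.toUpperCase(), path, description: op.summary || name };
      if (Object.keys(params).length) tool.params = params;
      tools[name] = tool;
    }
  }
  return {
    spec: "https://dadl.ai/spec/v0.1",
    backend: {
      name: doc.info.title,
      type: "rest",
      base_url: doc.servers[0].url,
      auth: { type: "bearer", credential: credentialName },
    },
    tools,
  };
}

// Minimal YAML emitter for the nested-map / scalar / flat-list shape above.
function toYaml(value, indent = 0) {
  const pad = " ".repeat(indent);
  return Object.entries(value).map(([k, v]) => {
    if (Array.isArray(v)) return `${pad}${k}: [${v.map(scalar).join(", ")}]`;
    if (v !== null && typeof v === "object") return `${pad}${k}:\n${toYaml(v, indent + 2)}`;
    return `${pad}${k}: ${scalar(v)}`;
  }).join("\n");
}

// Quote strings that YAML would otherwise misread (URLs with ':', paths with '{').
function scalar(v) {
  return typeof v === "string" && /[:#{}\[\],&*?|<>=!%@`"']/.test(v) ? JSON.stringify(v) : String(v);
}

// Usage: print the generated file for the constructed sample.
console.log(toYaml(openApiToDadl(sampleOpenApi, "github_token")));
```

Whether a model or a script writes the file, the property to check before committing it is the same one the ToolMesh pipeline relies on: the file names a credential, it never contains one, so a DADL file can live in git and be reviewed like any other configuration.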
What happens when an agent calls your API?
Agent receives: "List open invoices from Stripe"
[Walkthrough animation: CallerClass trusted → tool stripe_list_invoices → credential sk_live_4eC39HqL... injected by the server → GET /v1/invoices?status=open → response passes the output gate with sensitive fields shown as [REDACTED]]

Agents calling production systems is terrifying.
Credentials in prompts. No audit trail. No content control. One hallucinated API call away from a data breach.
ToolMesh adds the missing layer.
Every call authenticated, authorized, credential-injected, content-gated, and logged. Fail-closed pipeline — if any check fails, nothing executes.
Any API, integrated in minutes.
Point your LLM at an API spec, get a working DADL file back. No wrapper code, no deployment, no maintenance. Connect more tools — faster than ever.
Architecture at a glance
Every tool call flows through a fail-closed pipeline. If any stage rejects, nothing executes.
What you get
Any API in minutes
30 lines of DADL replace a whole MCP server. LLM-generated from API specs, with auth, pagination, and retries built in.
Flat token cost for 23+ backends
Code Mode swaps every tool definition for two meta-tools and a SQL-style discovery API. ~142,000 tokens to advertise 2,982+ tools collapses to ~1,000 — a factor of about 142, regardless of how big your catalog grows.
Keep secrets from the model
API keys injected at runtime by the ToolMesh server. The LLM never sees credentials — not in prompts, not in client configs, not in responses.
Control who can do what
Per-tool, per-user authorization via OpenFGA. Example: free users get read-only tools, pro users get everything.
Multi-stage Output Gate
Layer 1 is shipping today: deterministic goja-based JS policies that block confidential payloads pre-execution and redact PII in responses. Further layers (semantic, model-assisted) are in development.
See every call
SQL-queryable audit trail. Every tool invocation attributed to a user, plan, and caller. Answer 'what did that agent do?' with a query.
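As an added example that is not ToolMesh code, here is a minimal JavaScript version of the fail-closed pipeline the page describes (authenticate, authorize, inject credentials, execute, audit; the output gate stage is omitted here). The authorization store mimics OpenFGA's (user, relation, object) tuples with the plan model from the "Control who can do what" item above (free plan read-only, pro plan everything), but it is an in-memory stand-in, not OpenFGA. The API keys, the credential value, the tool names and the backend stub are all constructed.

```javascript
// Added example (not ToolMesh code): a minimal fail-closed tool-call pipeline in the
// order the page describes: authenticate -> authorize -> inject credentials ->
// execute -> audit. The output gate stage is left out. Every store below is an
// in-memory stand-in; the tuple store imitates OpenFGA's shape but is not OpenFGA.

// Caller API keys -> principal. Constructed sample data.
const apiKeys = {
  "tm_key_alice": { user: "user:alice", plan: "plan:pro",  callerClass: "trusted" },
  "tm_key_bob":   { user: "user:bob",   plan: "plan:free", callerClass: "standard" },
};

// Relationship tuples: [user_or_userset, relation, object].
const tuples = [
  ["user:alice", "member", "plan:pro"],
  ["user:bob",   "member", "plan:free"],
  ["plan:free#member", "can_call", "tool:stripe_list_invoices"],
  ["plan:pro#member",  "can_call", "tool:stripe_list_invoices"],
  ["plan:pro#member",  "can_call", "tool:stripe_create_refund"],
];

// Tool catalog: which backend credential each tool needs. Keys never leave the server.
const catalog = {
  stripe_list_invoices: { method: "GET",  path: "/v1/invoices", credential: "stripe_key" },
  stripe_create_refund: { method: "POST", path: "/v1/refunds",  credential: "stripe_key" },
};
const credentials = { stripe_key: "sk_test_EXAMPLE_NOT_A_REAL_KEY" };  // constructed placeholder

const auditLog = [];

function authenticate(headers) {
  const m = /^Bearer (\S+)$/.exec(headers.authorization || "");
  const principal = m && apiKeys[m[1]];
  if (!principal) throw new Error("unauthenticated");
  return principal;
}

// Resolve `user can_call tool` through direct tuples and one level of usersets
// (e.g. plan:pro#member), which is enough for the plan-based model on this page.
function authorize(user, relation, object) {
  for (const [subject, rel, obj] of tuples) {
    if (rel !== relation || obj !== object) continue;
    if (subject === user) return true;
    const us = /^(.+)#(.+)$/.exec(subject);
    if (us && tuples.some(([s, r, o]) => s === user && r === us[2] && o === us[1])) return true;
  }
  return false;  // default deny
}

function injectCredentials(tool) {
  const key = credentials[tool.credential];
  if (!key) throw new Error("credential not configured");
  return { Authorization: `Bearer ${key}` };
}

// Stand-in for the real backend call; it records what it received so the example
// can show the credential arrived at the backend and nowhere else.
const backendSeen = [];
function execute(tool, args, headers) {
  backendSeen.push({ method: tool.method, path: tool.path, args, headers });
  return { status: 200, body: { data: [] } };
}

function audit(entry) {
  auditLog.push({ ts: new Date().toISOString(), ...entry });
}

// Entry point for an agent's tools/call: returns a result or an error, never both,
// and writes one audit row either way. Nothing executes unless every stage passed.
function handleToolCall(headers, toolName, args) {
  let principal;
  try {
    principal = authenticate(headers);
    if (!authorize(principal.user, "can_call", `tool:${toolName}`)) throw new Error("forbidden");
    const tool = catalog[toolName];
    if (!tool) throw new Error("unknown tool");
    const result = execute(tool, args, injectCredentials(tool));
    audit({ user: principal.user, plan: principal.plan, caller: principal.callerClass, tool: toolName, args, outcome: "ok" });
    return { ok: true, result };
  } catch (err) {
    audit({ user: principal?.user ?? null, plan: principal?.plan ?? null, caller: principal?.callerClass ?? null,
            tool: toolName, args, outcome: `denied: ${err.message}` });
    return { ok: false, error: err.message };
  }
}

// Usage: bob is on the free plan, so the refund is refused before any backend call.
console.log(handleToolCall({ authorization: "Bearer tm_key_bob" }, "stripe_create_refund", { charge: "ch_1" }));
console.log(handleToolCall({ authorization: "Bearer tm_key_alice" }, "stripe_list_invoices", { status: "open" }));
```

Two properties are worth checking in any gateway of this kind: a denied call must not reach the backend at all, and neither the result returned to the agent nor the audit row may contain the backend key. Both are easy to verify here because the backend stub records exactly what it received.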
Know which agent is calling — and trust accordingly.
ToolMesh is the only known MCP gateway that differentiates which AI client triggers each tool call. Claude Code gets full access. An unknown third-party agent gets PII filtering and restricted tools. Same infrastructure, tiered trust.
| CallerClass | PII Filtering | Tool Access |
|---|---|---|
| trusted | Credentials only | Full |
| standard | High-risk PII + credentials | Full |
| untrusted | All PII patterns | Sensitive tools blocked |
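The following added JavaScript policy is not a ToolMesh policy file; it shows the shape of a deterministic output-gate policy of the kind an embedded engine such as goja runs, parameterised by the CallerClass table above and covering both halves of the gate described under "Multi-stage Output Gate" (block confidential payloads before execution, redact PII in responses). The hook names preExecute/postExecute, the call object shape and the return values are assumptions, since the page does not document ToolMesh's policy API; the regexes, the sensitive-tool list and the sample response are constructed.

```javascript
// Added example (not a ToolMesh policy file): a deterministic output-gate policy
// in plain JavaScript. The hook names preExecute/postExecute, the `call` shape and
// the return values are assumptions; the page does not document the policy API.
// Pattern sets follow the CallerClass table: trusted -> credentials only,
// standard -> high-risk PII + credentials, untrusted -> all PII and no sensitive tools.

var PATTERNS = {
  credentials: [
    /\bsk_(?:live|test)_[A-Za-z0-9]+/g,          // Stripe secret keys
    /\bAKIA[0-9A-Z]{16}\b/g,                     // AWS access key IDs
    /\bgh[pousr]_[A-Za-z0-9]{20,}\b/g,           // GitHub tokens
    /\bBearer\s+[A-Za-z0-9._~+\/-]{16,}=*/g,     // bearer tokens in headers or bodies
  ],
  highRiskPii: [
    /\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b/g,  // 16-digit card numbers (no Luhn check, no 15-digit Amex)
    /\b\d{3}-\d{2}-\d{4}\b/g,                    // US SSN
  ],
  allPii: [
    /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,  // e-mail addresses
    /\b\+?\d[\d -]{8,}\d\b/g,                            // phone-number-like digit runs
  ],
};

// Which pattern sets each CallerClass gets, mirroring the table on this page.
var CLASS_SETS = {
  trusted:   ["credentials"],
  standard:  ["credentials", "highRiskPii"],
  untrusted: ["credentials", "highRiskPii", "allPii"],
};

// Tools an untrusted caller may not invoke at all (constructed list).
var SENSITIVE_TOOLS = { stripe_create_refund: true, github_delete_repo: true };

function patternsFor(callerClass) {
  var sets = CLASS_SETS[callerClass] || CLASS_SETS.untrusted; // unknown class -> strictest set
  var out = [];
  for (var i = 0; i < sets.length; i++) out = out.concat(PATTERNS[sets[i]]);
  return out;
}

function containsCredential(text) {
  for (var i = 0; i < PATTERNS.credentials.length; i++) {
    PATTERNS.credentials[i].lastIndex = 0;   // shared /g regexes keep state between calls
    if (PATTERNS.credentials[i].test(text)) return true;
  }
  return false;
}

// Pre-execution gate: refuse calls whose arguments carry a credential (the agent
// should never hold one) and refuse sensitive tools for untrusted callers.
function preExecute(call) {
  if (call.callerClass === "untrusted" && SENSITIVE_TOOLS[call.tool]) {
    return { allow: false, reason: "sensitive tool blocked for untrusted caller" };
  }
  if (containsCredential(JSON.stringify(call.args || {}))) {
    return { allow: false, reason: "confidential payload in arguments" };
  }
  return { allow: true };
}

// Post-execution gate: redact everything the caller's class is not allowed to see.
// Credential patterns run first so a key is never left half-masked by a PII pattern.
function postExecute(call, responseText) {
  var pats = patternsFor(call.callerClass), out = responseText, hits = 0;
  for (var i = 0; i < pats.length; i++) {
    pats[i].lastIndex = 0;
    out = out.replace(pats[i], function () { hits++; return "[REDACTED]"; });
  }
  return { text: out, redactions: hits };
}

// Usage with a constructed backend response (not real customer data).
var sampleResponse = '{"customer_email":"ann@example.com","card":"4242 4242 4242 4242",' +
                     '"ssn":"123-45-6789","secret":"sk_test_EXAMPLE123"}';
console.log(postExecute({ callerClass: "standard" }, sampleResponse).text);
```

Two fail-closed defaults matter here: an unknown CallerClass is treated as untrusted, and a credential found in the agent's arguments blocks the call outright instead of being redacted, because an agent that holds a backend key is already the incident. Regex detection is deliberately lossy (no Luhn check, one card format), which is why the page lists semantic and model-assisted layers as follow-ups rather than replacements for this deterministic one.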
Nginx made web apps production-ready — reverse proxy, SSL, load balancing.
ToolMesh makes AI agent tool calls production-ready — authorization, credentials, audit, content gating.
ToolMesh is not a harness. It is what makes a harness good.
Recent research treats an agent harness as six components — execution loop, tool registry, context, state, lifecycle hooks, verification/audit. ToolMesh implements the last three, reachable over MCP. Bring any harness, keep your observe-think-act loop; ToolMesh owns tool governance for all of them.
Two ways to start.
Try it in 60 seconds.
Connect Claude Desktop, Claude Code or ChatGPT to our public ToolMesh instance — no install, no credentials of yours involved. The fastest way to feel what governed tool calls look like.
Open the hosted demo (demo instance; for production, self-host).

Run your own instance.
Multi-step setup, no time promise — clone, configure your .env and backends, then start under Docker Compose. Your audit log, your credentials, your data.
```shell
git clone https://github.com/DunkelCloud/ToolMesh.git && cd ToolMesh
cp .env.example .env
# edit .env: set TOOLMESH_AUTH_PASSWORD, TOOLMESH_API_KEY, and your CREDENTIAL_* backend keys
docker compose up
claude mcp add -t http -H "Authorization: Bearer MY_API_KEY" -s user toolmesh http://localhost:8123/mcp
```

config/backends.yaml — the backends your instance starts with are configured here.