Enterprise AI bastion host for secure AI API and MCP access, with unified proxying, RBAC, audit logs, rate limiting, and cost tracking across OpenAI, Anthropic, Gemini, and self-hosted LLMs.
# Add to your Claude Code skills
git clone https://github.com/ThinkWatchProject/ThinkWatchGuides for using mcp servers skills like ThinkWatch.
Last scanned: 5/8/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-08T05:57:34.625Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}No comments yet. Be the first to share your thoughts!
Top skills in this category by stars
The enterprise-grade secure gateway for AI. Secure, audit, and govern every AI API call and MCP tool invocation across your organization — from a single control plane.
Just as an SSH secure gateway is the single gateway through which all server access must flow, ThinkWatch is the single gateway through which all AI access must flow. Every model request. Every tool call. Every token. Authenticated, authorized, rate-limited, logged, and accounted for.
┌──────────────────────────────────────┐
Claude Code ──────>│ │──> OpenAI
Cursor ───────────>│ Gateway :3000 │──> Anthropic
Custom Agent ─────>│ AI API + MCP Unified Proxy │──> Google Gemini
CI/CD Pipeline ───>│ │──> Azure OpenAI / AWS Bedrock
└──────────────────────────────────────┘
┌──────────────────────────────────────┐
Admin Browser ────>│ Console :3001 │
│ Management UI + Admin API │
└──────────────────────────────────────┘
As AI agents proliferate across engineering teams, organizations face a growing governance challenge:
.env files, shared in Slack, rotated neverThinkWatch solves all of this with a single deployment.
/v1/chat/completions), Anthropic Messages (/v1/messages), and OpenAI Responses (/v1/responses) APIs on a single port; works as a drop-in replacement for Cursor, Continue, Cline, Claude Code, and the OpenAI/Anthropic SDKsgpt-/o1-/o3-/o4- for OpenAI, claude- for Anthropic, gemini- for Google) route automatically; Azure and Bedrock require explicit model registrationtw- keys; the same tw- token works on both the AI gateway and the MCP gateway via a per-key surfaces allowlistinput_multiplier / output_multiplierThinkWatch's MCP gateway is built on a single design choice that most MCP proxies skip: the upstream server sees the real end user, not a shared service account. Every other capability follows from that. See MCP Gateway: how we compare below.
mcp_user_credentials. Most "MCP gateways" pin one shared admin token to the server config — so the upstream's audit log shows every action as the same service account. ThinkWatch propagates real identity end to end.tw- keys to different upstream accounts on the same server. Your Cursor key uses your personal GitHub; the CI key uses the service-bot. One user, multiple agents, multiple identities — without re-issuing credentials.WWW-Authenticate from a JSON-RPC initialize, follows the resource_metadata hint, fetches AS metadata at the path-aware well-known location, and runs Dynamic Client Registration if the upstream advertises it. When DCR isn't supported the UI shows three concrete next steps (copy callback URL → register app upstream → paste Client ID back) with no protocol jargon.token_endpoint_auth_methods_supported: ["none"] and propagates is_public_client end to end. The Client Secret input is hidden for issuers like Feishu that don't use one.tools/list is cached in mcp_user_tools and only ever returned to that user. The system-level mcp_tools catalog only stores anonymous-discoverable tools. No cross-user leakage; auth-required servers are no longer "0 tools" until someone manually fixes it./connections shows real upstream identities (@octocat, alice@acme.com, Slack Bob). Resolver tries JWT decode (free) → userinfo endpoint (priority-ranked extractor: preferred_username → sub → accountId → login → email) → .well-known discovery. Pre-seeded for GitHub, Notion, Slack, Atlassian, Cloudflare, GitLab, Discord, Google._meta: { requires_user_auth: true, server_id, server_name, authorize_url }. tools/call against an unauthorized server returns JSON-RPC error code -32050 with the authorize URL, so Cursor / Claude Desktop / any compliant MCP client can prompt the user to authorize without the gateway hiding the catalog.allowed_mcp_tools allowlist on the API-key side (bounded by the issuing role's grants). A locked-down service key can hold exactly two tools and nothing else.mcp:connect permission — gates the /connections page and authorize/revoke flow. Granted to admin / team_manager / developer by default.(user, account_label) — MCP response cache never serves Alice's authorized response to Bob. Direct-mode (no per-user creds) servers still get global caching.pg_advisory_xact_lock keyed by (server, user, label) so concurrent tool calls don't race two refresh attempts. Terminal refresh failure purges the row so the next call cleanly surfaces NeedsUserCredentials.auth_required (amber), not disconnected (red). The /mcp/servers list shows "—" tool count with a hover tooltip for that state.