Tool and Resource Filtering Configuration
Control which tools, resources, and prompts are exposed from each MCP server.
Filtering
RouterMCP provides powerful filtering to control which tools, resources, and prompts are exposed from each upstream server.
Tool Filtering
Control which tools are exposed from each server:
{
"allowedTools": ["tool1", "tool2", "read_file"],
"denyTools": ["delete_file", "dangerous_tool"],
"allowedToolsGlob": ["read_*", "list_*", "get_*"],
"denyToolsGlob": ["delete_*", "remove_*", "*_admin"]
}| Option | Description |
|---|---|
allowedTools | Exact tool names to allow |
denyTools | Exact tool names to deny |
allowedToolsGlob | Glob patterns to allow |
denyToolsGlob | Glob patterns to deny |
Resource Filtering
Control which resources are exposed:
{
"allowedResources": ["file:///safe/path", "https://api.example.com/data"],
"denyResources": ["file:///secret/path"],
"allowedResourcesGlob": ["file:///safe/*", "https://api.example.com/public/*"],
"denyResourcesGlob": ["**/secret/**", "file:///private/*"]
}Prompt Filtering
Control which prompts are exposed:
{
"allowedPrompts": ["commit_message", "pr_description"],
"denyPrompts": ["admin_prompt", "dangerous_prompt"],
"allowedPromptsGlob": ["safe_*", "public_*"],
"denyPromptsGlob": ["admin_*", "*_secret"]
}Filter Precedence
Filters are evaluated in this order:
- Deny List (Exact) - If name exactly matches
denyTools/denyResources/denyPrompts, it is denied - Deny Glob - If name matches any pattern in deny globs, it is denied
- Allow List (Exact) - If allow lists are defined and name exactly matches, it is allowed
- Allow Glob - If allow globs are defined and name matches a pattern, it is allowed
- Default - If no allow rules are defined, everything is allowed; otherwise, everything else is denied
Glob Pattern Syntax
RouterMCP uses standard glob patterns:
| Pattern | Matches |
|---|---|
* | Any characters except / |
** | Any characters including / |
? | Single character |
[abc] | Character class |
[!abc] | Negated character class |
Examples
| Pattern | Matches | Doesn't Match |
|---|---|---|
read_* | read_file, read_config | write_file |
*_file | read_file, write_file | read_dir |
*_* | read_file, list_items | query |
**secret** | /a/secret/b, secret | /public |
Filtering Examples
Allow-Only Approach
Only allow specific patterns:
{
"allowedToolsGlob": ["read_*", "list_*"]
}Result: Only tools starting with read_ or list_ are exposed.
Deny-Only Approach
Allow everything except specific patterns:
{
"denyToolsGlob": ["delete_*", "remove_*", "*_admin"]
}Result: All tools except those matching deny patterns are exposed.
Mixed Approach
Combine allow and deny:
{
"allowedToolsGlob": ["read_*"],
"denyTools": ["read_sensitive_file"]
}Result: Tools starting with read_ are allowed, except read_sensitive_file which is explicitly denied.
Deny rules always take precedence over allow rules. An item that matches both will be denied.
Complex Filtering
Comprehensive filtering example:
{
"mcpServers": {
"restricted": {
"command": "npx",
"args": ["-y", "mcp-server"],
"allowedToolsGlob": ["read_*", "list_*", "get_*"],
"denyTools": ["read_secret_file", "read_admin_config"],
"allowedResourcesGlob": ["file:///safe/*", "https://public-api.com/*"],
"denyResourcesGlob": ["**/secret/**", "**/private/**"],
"allowedPromptsGlob": ["safe_*", "public_*"],
"denyPromptsGlob": ["admin_*", "*_secret"]
}
}
}No Filters
If you don't specify any filtering options, all tools/resources/prompts from the server are exposed:
{
"mcpServers": {
"unfiltered": {
"command": "npx",
"args": ["-y", "mcp-server"]
}
}
}Best Practices
- Start restrictive - Use
allowedToolsGlobto whitelist specific patterns - Block dangerous operations - Always deny destructive tools like
delete_*,drop_* - Use glob patterns - More maintainable than listing every tool
- Test your filters - Start the gateway and verify the exposed tools match expectations
- Document your filters - Use JSONC comments to explain why certain filters exist