
Security Best Practices

Recommendations for securing your RouterMCP deployment.


Tool Access Control

Principle of Least Privilege

Only expose the tools your use case requires:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/safe/path"],
      "allowedToolsGlob": ["read_*", "list_*"],
      "denyToolsGlob": ["*delete*", "*write*", "*remove*"]
    }
  }
}

Default Deny

When in doubt, use allowlists instead of denylists:

{
  "allowedTools": ["read_file", "list_directory"]
}

Every tool not listed in allowedTools is denied.
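To make the allow/deny evaluation concrete, here is an added example (not RouterMCP's own code) of how a gateway could filter a server's advertised tool list against the `allowedToolsGlob` / `denyToolsGlob` policy from the Least Privilege section and the default-deny rule above. The precedence is an assumption: a tool must match an allow pattern and must not match any deny pattern, and an empty allow list denies everything. Only `*` is treated as a wildcard; the tool names are constructed sample data.

```javascript
// Added example, not RouterMCP's own code. Assumed semantics:
//   - a tool is allowed only if it matches at least one allowedToolsGlob entry
//   - a matching denyToolsGlob entry overrides the allow (deny wins)
//   - no allow list configured means nothing is allowed (default deny)

// Convert a simple glob (only "*" is special) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                 // "*" matches any run of characters
  return new RegExp(`^${escaped}$`);
}

function isToolAllowed(toolName, { allowedToolsGlob = [], denyToolsGlob = [] } = {}) {
  const allowed = allowedToolsGlob.some((g) => globToRegExp(g).test(toolName));
  if (!allowed) return false; // default deny: not on the allow list
  const denied = denyToolsGlob.some((g) => globToRegExp(g).test(toolName));
  return !denied;             // deny list overrides allow list
}

// Reduce the tool list a server advertises to what the policy permits.
function filterTools(toolNames, policy) {
  return toolNames.filter((t) => isToolAllowed(t, policy));
}

// Constructed sample: tools a filesystem server might advertise.
const SAMPLE_TOOLS = [
  "read_file", "read_multiple_files", "list_directory",
  "write_file", "delete_file", "list_allowed_directories", "move_file",
];

// The policy from the Least Privilege section above.
const SAMPLE_POLICY = {
  allowedToolsGlob: ["read_*", "list_*"],
  denyToolsGlob: ["*delete*", "*write*", "*remove*"],
};

console.log(filterTools(SAMPLE_TOOLS, SAMPLE_POLICY));
// -> [ 'read_file', 'read_multiple_files', 'list_directory', 'list_allowed_directories' ]
```

Note the edge case the deny list exists for: a tool such as `read_then_delete` matches `read_*` and would be exposed by the allow list alone, but `*delete*` rejects it. Keeping deny patterns even when an allow list is present protects against a server adding a new tool whose name happens to match an allow glob.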

Credential Management

Environment Variables

Never hardcode credentials:

{
  "mcpServers": {
    "api": {
      "url": "${API_URL}",
      "headers": {
        "Authorization": "Bearer ${API_TOKEN}"
      }
    }
  }
}
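The page does not describe how RouterMCP expands `${VAR}` placeholders, so the following is an added example (not RouterMCP's own code) of the behaviour a practitioner would want from that expansion: resolve placeholders from an environment map, fail closed when a referenced variable is missing or empty so no request ever goes out with a literal `${API_TOKEN}` or an empty bearer token, and redact the token before the resolved config reaches a log line. The placeholder syntax and the `loadServerConfig` / `redactForLog` names are assumptions; the sample values are constructed.

```javascript
// Added example, not RouterMCP's own code. Assumed placeholder syntax: "${NAME}"
// where NAME is an uppercase environment variable name.
const PLACEHOLDER = /\$\{([A-Z_][A-Z0-9_]*)\}/g;

// Expand placeholders in one string; record any variable that is unset or empty.
function expandString(value, env, missing) {
  return value.replace(PLACEHOLDER, (_, name) => {
    if (env[name] === undefined || env[name] === "") {
      missing.add(name);
      return "";
    }
    return env[name];
  });
}

// Walk the config recursively: strings are expanded, other values copied as-is.
function resolveConfig(node, env, missing) {
  if (typeof node === "string") return expandString(node, env, missing);
  if (Array.isArray(node)) return node.map((v) => resolveConfig(v, env, missing));
  if (node && typeof node === "object") {
    const out = {};
    for (const [k, v] of Object.entries(node)) out[k] = resolveConfig(v, env, missing);
    return out;
  }
  return node;
}

// Fail closed: return the resolved config only when every placeholder resolved.
// The error path reports variable *names* only, never values.
function loadServerConfig(template, env) {
  const missing = new Set();
  const config = resolveConfig(template, env, missing);
  if (missing.size > 0) return { ok: false, missing: [...missing].sort() };
  return { ok: true, config };
}

// Strip bearer tokens before a resolved config is written to any log.
function redactForLog(config) {
  return JSON.stringify(config).replace(/Bearer [^"]+/g, "Bearer [REDACTED]");
}

// The template from the Environment Variables section above.
const TEMPLATE = {
  mcpServers: {
    api: {
      url: "${API_URL}",
      headers: { Authorization: "Bearer ${API_TOKEN}" },
    },
  },
};

// Constructed environment; in a real deployment this would be process.env.
const SAMPLE_ENV = { API_URL: "https://api.example.test", API_TOKEN: "constructed-token-123" };

const result = loadServerConfig(TEMPLATE, SAMPLE_ENV);
console.log(result.ok ? redactForLog(result.config) : `missing: ${result.missing.join(", ")}`);
```

Treating an empty string the same as an unset variable matters in practice: a CI job that exports `API_TOKEN=` by mistake would otherwise produce a syntactically valid `Authorization: Bearer ` header and a confusing 401 from the upstream rather than a clear startup failure.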

Per-Server Credentials

Use separate credentials for each server:

# Good
GITHUB_TOKEN=ghp_xxx
LINEAR_TOKEN=lin_yyy
NOTION_TOKEN=secret_zzz

# Bad - shared token for everything
API_TOKEN=shared_token

Key Rotation

Rotate API keys periodically:

  1. Create a new key
  2. Update clients to use the new key
  3. Monitor for traffic on the old key
  4. Revoke the old key

Network Security

HTTPS Only

Always use HTTPS for production endpoints:

https://gateway.routermcp.com/v1/mcp/project/request

IP Restrictions

If available, restrict access by IP address.

Rate Limiting

RouterMCP enforces rate limits per project. Configure them appropriately for your use case.

Monitoring

Audit Logs

Review audit logs regularly:

  • Watch for failed authentication attempts
  • Monitor for unusual tool call patterns
  • Track configuration changes

Alerts

Set up alerts for:

  • Authentication failures
  • Rate limit hits
  • Upstream server errors
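The three audit-log checks above and the first two alert conditions can be turned into a small review routine. The following is an added example (not RouterMCP's own code) that runs over constructed audit-log lines; the log schema (one JSON object per line with `ts`, `event`, `apiKeyId`, `tool`, `ok`) is assumed, since this page does not describe RouterMCP's actual audit log format, and the thresholds are illustrative defaults you would tune per deployment.

```javascript
// Added example, not RouterMCP's own code. Assumed audit-log schema: one JSON
// object per line with "ts", "event" ("auth" | "tool_call" | "config_change"),
// "apiKeyId", optional "tool"/"field", and "ok" (false = rejected).

// Constructed sample log: one key failing auth repeatedly, one key probing tools
// its policy rejects, one config change, and one malformed line.
const SAMPLE_AUDIT_LOG = [
  '{"ts":"2024-05-01T10:00:00Z","event":"auth","apiKeyId":"key_A","ok":true}',
  '{"ts":"2024-05-01T10:00:05Z","event":"tool_call","apiKeyId":"key_A","tool":"read_file","ok":true}',
  '{"ts":"2024-05-01T10:00:06Z","event":"tool_call","apiKeyId":"key_A","tool":"list_directory","ok":true}',
  '{"ts":"2024-05-01T10:01:00Z","event":"auth","apiKeyId":"key_B","ok":false}',
  '{"ts":"2024-05-01T10:01:01Z","event":"auth","apiKeyId":"key_B","ok":false}',
  '{"ts":"2024-05-01T10:01:02Z","event":"auth","apiKeyId":"key_B","ok":false}',
  '{"ts":"2024-05-01T10:01:03Z","event":"auth","apiKeyId":"key_B","ok":false}',
  '{"ts":"2024-05-01T10:01:04Z","event":"auth","apiKeyId":"key_B","ok":false}',
  '{"ts":"2024-05-01T10:02:00Z","event":"tool_call","apiKeyId":"key_A","tool":"write_file","ok":false}',
  '{"ts":"2024-05-01T10:02:01Z","event":"tool_call","apiKeyId":"key_A","tool":"delete_file","ok":false}',
  '{"ts":"2024-05-01T10:02:02Z","event":"tool_call","apiKeyId":"key_A","tool":"move_file","ok":false}',
  '{"ts":"2024-05-01T10:03:00Z","event":"config_change","apiKeyId":"key_A","ok":true,"field":"allowedToolsGlob"}',
  "not json at all",
];

// Parse lines defensively: a malformed line is counted, not fatal.
function parseAuditLog(lines) {
  const events = [];
  let malformed = 0;
  for (const line of lines) {
    try {
      const e = JSON.parse(line);
      if (e && typeof e.event === "string") events.push(e);
      else malformed++;
    } catch {
      malformed++;
    }
  }
  return { events, malformed };
}

function countBy(events, keyFn) {
  const counts = new Map();
  for (const e of events) counts.set(keyFn(e), (counts.get(keyFn(e)) || 0) + 1);
  return counts;
}

// Produce findings for the three review items: auth failures, unusual tool
// call patterns (here: repeated calls rejected by tool filtering), config changes.
function reviewAuditLog(lines, { authFailThreshold = 5, deniedCallThreshold = 3 } = {}) {
  const { events, malformed } = parseAuditLog(lines);
  const findings = [];

  const authFailures = countBy(events.filter((e) => e.event === "auth" && e.ok === false), (e) => e.apiKeyId);
  for (const [apiKeyId, count] of authFailures) {
    if (count >= authFailThreshold) findings.push({ type: "auth_failures", apiKeyId, count });
  }

  const deniedCalls = countBy(events.filter((e) => e.event === "tool_call" && e.ok === false), (e) => e.apiKeyId);
  for (const [apiKeyId, count] of deniedCalls) {
    if (count >= deniedCallThreshold) findings.push({ type: "denied_tool_calls", apiKeyId, count });
  }

  for (const e of events.filter((e) => e.event === "config_change")) {
    findings.push({ type: "config_change", apiKeyId: e.apiKeyId, field: e.field, ts: e.ts });
  }

  return { findings, malformed };
}

console.log(JSON.stringify(reviewAuditLog(SAMPLE_AUDIT_LOG), null, 2));
```

A burst of rejected tool calls from a single key is a useful signal on its own: with tool filtering in place, a client that keeps asking for `write_file` and `delete_file` is either misconfigured or being driven by prompt content that is trying to reach tools outside the policy, and either case deserves a look. Malformed lines are reported rather than silently dropped so that a logging pipeline problem does not masquerade as a quiet day.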

Code Mode Security

Code Mode allows JavaScript execution. Only enable it if you understand the implications.

When using Code Mode:

  1. Limit timeout - Set reasonable execution limits
  2. Disable fetch if not needed - allowFetch: false
  3. Review tool access - Code can call any enabled tool
  4. Monitor execution - Watch for resource abuse

{
  "codeMode": {
    "enabled": true,
    "timeout": 10000,
    "allowFetch": false
  }
}

Checklist

  • API key authentication enabled
  • Tool filtering configured
  • Credentials in environment variables
  • Per-server credentials
  • HTTPS endpoints only
  • Audit logging enabled
  • Rate limits configured
  • Key rotation schedule
