How Arc Relay works
A proxy between your MCP clients and servers that adds auth, policy, middleware, and management without modifying your existing MCP servers.
The middleware pipeline in action
Every tool call passes through Arc Relay before reaching your MCP servers. Here is the request lifecycle, stage by stage.
Authenticate
Client connects via SSE. Arc Relay identifies the user and loads their profile, role, and per-tool permissions.
Authorize
Tool call is checked against the user's profile, access tier, and rate limits. Calls to tools the user does not have access to are rejected before any work happens.
Sanitizer middleware
PII patterns - credit cards, SSNs, emails, custom regex - are stripped from arguments. Sensitive data never leaves your environment.
Content sizer middleware
Response size limits enforced per server or per tool. Large responses are truncated or rejected before they blow your context budget.
Alerter middleware
Pattern monitoring fires alerts when specific tools are called, when arguments match thresholds, or when error rates spike.
Execute against local containerized MCPs
For Docker-managed MCPs, the Docker lifecycle layer auto-starts the container if needed, runs health checks, and recovers crashes. The cleaned, authorized call is forwarded to the local server inside your environment.
Execute against remote hosted MCPs
For remote hosted MCPs (Shortcut, Sentry, GitHub, etc.), the call is passed straight through to the upstream service. No Docker lifecycle, no local container - the same auth, policy, and middleware still apply.
Archive middleware
Full request/response recorded with user, timing, status, and result. Local by default, optionally encrypted and shipped to a compliance endpoint.
Security controls
TLS 1.3 in transit
All data encrypted in transit with modern TLS. No exceptions.
NaCl Box encryption
Optional archive records encrypted at the source using NaCl Box (Curve25519 + XSalsa20 + Poly1305) before leaving your environment.
Tenant key isolation
Every tenant gets isolated encryption keys. Your data is cryptographically separated from every other customer.
Tamper-evident records
Hash chains ensure archived records cannot be modified after ingestion. Any tampering is detectable.
Credential encryption at rest
All stored secrets - API keys, tokens, server credentials - are encrypted at rest in the local database.
Per-user session management
Authenticated sessions with configurable expiry. Every action is tied to a specific user identity.
Compliance controls
Per-user identity on every call
Every tool invocation is bound to an authenticated user. No anonymous access, no shared service accounts.
Full audit trail
Request logs capture user, server, tool, arguments, result, timing, and status. Searchable from the web UI.
Per-tool access control - the 2 of 15 problem
Most MCP servers ship 15 tools where 2 are dangerous. Profiles let you map roles to specific capabilities - accounting writes to QuickBooks but cannot delete transactions, reporting gets read-only across financial MCPs, only trusted admins reach the dangerous tools.
PII redaction at the boundary
Sanitizer middleware strips configured patterns before they leave your environment for upstream services.
Optional compliance archive
Connect to an external archive endpoint to ship encrypted records for retention and legal hold.
Rate limiting and quotas
Per-user, per-tool, per-server limits keep runaway agents from generating unlimited cost or load.
See Arc Relay in action
Walk through the architecture with our team - or just run it yourself.