---
title: "MCP Tool Filtering"
description: "Control which MCP tools are available for each Virtual Key."
icon: "grid-2"
---

## Overview

MCP Tool Filtering allows you to control which tools are available to AI models on a per-request basis using Virtual Keys (VKs). By configuring a Virtual Key, you can create a strict allow-list of MCP clients and tools, ensuring that only approved tools can be executed.

Make sure you have at least one MCP client set up. Read more about it [here](../../mcp/overview).

## How It Works

The filtering logic is determined by the Virtual Key's configuration:

1. **No MCP Configuration on Virtual Key (Default)**
   - If a Virtual Key has no specific MCP configurations, **no MCP tools are available** (deny-by-default).
   - You must explicitly add MCP client configurations to allow tools.

2. **With MCP Configuration on Virtual Key**
   - When you configure MCP clients on a Virtual Key, its settings take full precedence.
   - Bifrost automatically generates an `x-bf-mcp-include-tools` header based on your VK configuration (unless `disable_auto_tool_inject` is enabled or the caller already sent the header). This acts as a strict allow-list for the request.
   - If the caller already includes an `x-bf-mcp-include-tools` header, auto-injection is skipped — but the VK allow-list is still enforced at inference time and again at MCP tool execution time.

For each MCP client associated with a Virtual Key, you can specify the allowed tools:

- **Select specific tools**: Only the chosen tools from that client will be available.
- **Use `*` wildcard**: All available tools from that client will be permitted.
- **Leave tool list empty**: All tools from that client will be **blocked**.
- **Do not configure a client**: All tools from that client will be **blocked** (if other clients are configured).

## Setting MCP Tool Restrictions

You can configure which tools a Virtual Key has access to via the UI.

1. Go to the **Virtual Keys** page.
2. Create or edit a virtual key.

   ![Virtual Key MCP Tool Restrictions](../../media/ui-virtual-key-mcp-filter.png)

3. In the **MCP Client Configurations** section, add the MCP client you want to restrict the VK to.
4. Select the specific tools to allow, or choose **Allow All Tools** to permit all current and future tools from that client (stored as `*`). Leaving the list empty blocks all tools for that client.
5. Click the **Save** button.

You can configure this via the REST API when creating (`POST`) or updating (`PUT`) a virtual key.

**Create Virtual Key:**

```bash
curl -X POST http://localhost:8080/api/governance/virtual-keys \
  -H "Content-Type: application/json" \
  -d '{
    "name": "vk-for-billing-support",
    "mcp_configs": [
      {
        "mcp_client_name": "billing-client",
        "tools_to_execute": ["check-status"]
      },
      {
        "mcp_client_name": "support-client",
        "tools_to_execute": ["*"]
      }
    ]
  }'
```

**Update Virtual Key:**

```bash
# Replace {vk_id} with the ID of the virtual key to update.
curl -X PUT http://localhost:8080/api/governance/virtual-keys/{vk_id} \
  -H "Content-Type: application/json" \
  -d '{
    "mcp_configs": [
      {
        "mcp_client_name": "billing-client",
        "tools_to_execute": ["check-status"]
      },
      {
        "mcp_client_name": "support-client",
        "tools_to_execute": ["*"]
      }
    ]
  }'
```

**Behavior:**

- The virtual key can only access the `check-status` tool from `billing-client`.
- It can access all tools from `support-client`.
- Any other MCP client is implicitly blocked for this key.

You can also define MCP tool restrictions directly in your `config.json` file. The `mcp_configs` array under a virtual key should reference the MCP client by name.

```json
{
  "governance": {
    "virtual_keys": [
      {
        "id": "vk-billing-support-only",
        "name": "VK for Billing and Support",
        "mcp_configs": [
          {
            "mcp_client_name": "billing-client",
            "tools_to_execute": ["check-status"]
          },
          {
            "mcp_client_name": "support-client",
            "tools_to_execute": ["*"]
          }
        ]
      }
    ]
  }
}
```

## Example Scenario

**Available MCP Clients & Tools:**

- **`billing-client`**: with tools `[create-invoice, check-status]`
- **`support-client`**: with tools `[create-ticket, get-faq]`

**Configuration:**

- `billing-client` -> Allowed Tools: `[*]` (wildcard)
- `support-client` -> Allowed Tools: `[*]` (wildcard)

**Result:** A request with this Virtual Key can access all four tools: `create-invoice`, `check-status`, `create-ticket`, and `get-faq`.

**Configuration:**

- `billing-client` -> Allowed Tools: `[check-status]`
- `support-client` -> Not configured

**Result:** A request with this Virtual Key can only access the `check-status` tool. All other tools are blocked.

**Configuration:**

- `billing-client` -> Allowed Tools: `[]` (empty list)

**Result:** A request with this Virtual Key cannot access any tools. All tools from all clients are blocked.

When a Virtual Key has MCP configurations, Bifrost enforces the allow-list at both inference time and MCP tool execution time. Auto-injection of the `x-bf-mcp-include-tools` header is skipped if the caller already provides it or if `disable_auto_tool_inject` is enabled — but the VK's restrictions are always applied regardless.

You can still use the `x-bf-mcp-include-clients` header to filter MCP clients per request.
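
The allow-list rules from "How It Works" and the Example Scenario can be checked offline against a `config.json` before it is deployed. The following is an added example, not Bifrost's own code: it models the documented rules, and the function names `effective_tools` and `audit`, the tool catalog, and the extra key ids `vk-empty-list` and `vk-no-mcp` are constructed for illustration.

```python
import json

# Constructed sample: a config.json fragment in the shape shown on this page.
CONFIG = json.loads("""
{"governance": {"virtual_keys": [
  {"id": "vk-billing-support-only", "mcp_configs": [
     {"mcp_client_name": "billing-client", "tools_to_execute": ["check-status"]},
     {"mcp_client_name": "support-client", "tools_to_execute": ["*"]}]},
  {"id": "vk-empty-list", "mcp_configs": [{"mcp_client_name": "billing-client", "tools_to_execute": []}]},
  {"id": "vk-no-mcp"}
]}}
""")

# Constructed catalog of the tools each MCP client exposes (from the Example Scenario).
CATALOG = {
    "billing-client": ["create-invoice", "check-status"],
    "support-client": ["create-ticket", "get-faq"],
}


def effective_tools(vk, catalog):
    """Return {client: sorted tools} a key may use under the documented rules."""
    allowed = {}
    for cfg in vk.get("mcp_configs") or []:  # no mcp_configs: deny by default
        client = cfg["mcp_client_name"]
        listed = cfg.get("tools_to_execute") or []  # empty list blocks the client
        exposed = catalog.get(client, [])
        tools = exposed if "*" in listed else [t for t in exposed if t in listed]
        if tools:
            allowed[client] = sorted(tools)
    return allowed  # clients never configured on the key stay blocked


def audit(config, catalog):
    """Map each VK id to (effective tools, review findings)."""
    report = {}
    for vk in config["governance"]["virtual_keys"]:
        findings = []
        for cfg in vk.get("mcp_configs") or []:
            name, listed = cfg["mcp_client_name"], cfg.get("tools_to_execute") or []
            if "*" in listed:
                findings.append(f"{name}: wildcard also admits future tools")
            unknown = sorted(set(listed) - {"*"} - set(catalog.get(name, [])))
            if unknown:  # a misspelled tool name silently grants nothing
                findings.append(f"{name}: not in catalog: {unknown}")
        report[vk["id"]] = (effective_tools(vk, catalog), findings)
    return report
```

Calling `audit(CONFIG, CATALOG)` returns, per key, the tools it can reach and any entries worth a second look during review, such as wildcards or tool names the client does not expose.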