Skip to main content
In development mode, every MCP client that connects to the MCPJungle proxy can call tools from any registered server — no credentials needed. In enterprise mode this changes completely: no client can access any server unless you explicitly grant it. You do this by creating a named MCP client record in MCPJungle and specifying which servers it is allowed to reach.

Creating an MCP client

Use the create mcp-client command and pass a comma-separated list of server names with --allow: 
mcpjungle create mcp-client cursor-local --allow "calculator, github"
MCPJungle prints the generated access token once — store it securely: 
MCP client 'cursor-local' created successfully!
Servers accessible: calculator,github

Access token: 1YHf2LwE1LXtp5lW_vM-gmdYHlPHdqwnILitBhXE4Aw
Your client should send the access token in the `Authorization: Bearer {token}` HTTP header.
If you omit --allow, the client record is created but cannot access any server. You can also use the wildcard --allow "*" to grant access to all servers, though this is strongly discouraged in production.

Configuring the client to use the token

Pass the token in the Authorization: Bearer HTTP header from your MCP client. For example, in Cursor’s mcp.json: 
{
  "mcpServers": {
    "mcpjungle": {
      "url": "http://localhost:8080/mcp",
      "headers": {
        "Authorization": "Bearer 1YHf2LwE1LXtp5lW_vM-gmdYHlPHdqwnILitBhXE4Aw"
      }
    }
  }
}

Supplying a custom access token via CLI

If you manage tokens externally (for example through a central identity provider), pass your own value: 
mcpjungle create mcp-client cursor-local --allow "calculator, github" --access-token my_custom_token
When a custom token is provided the generated token is not printed, because the server stores only the value you supplied.

Creating an MCP client from a config file

For automated or GitOps-style workflows, provide a JSON config file instead of CLI flags: 
mcpjungle create mcp-client --conf ./cursor-local.json
The config file format: 
{
  "name": "cursor-local",
  "allowed_servers": ["calculator", "github"],
  "access_token": "my_secret_token_123",
  "access_token_ref": {
    "file": "/path/to/token-file.txt",
    "env": "ENV_VAR_NAME"
  }
}
FieldTypeRequiredDescription
namestringYesUnique name for this MCP client.
allowed_serversstring arrayNoList of server names the client may access. Omit or leave empty to deny all.
access_tokenstringNoInline token value. For testing only — avoid committing to version control.
access_token_ref.filestringNoPath to a file that contains only the token string.
access_token_ref.envstringNoName of an environment variable that contains the token string.
When creating a client from a config file, you must supply a token via access_token or access_token_ref — MCPJungle cannot print a generated token back to the console when reading from a file.

Three ways to supply a token in config files

1

Inline (testing only)

Place the token directly in the access_token field. Do not use this in production environments or commit the file to version control.
{
  "name": "my-agent",
  "allowed_servers": ["calculator"],
  "access_token": "my_secret_token_123"
}
2

From a file

Store the token in a plain text file (no trailing newline required — MCPJungle trims whitespace) and point to it with access_token_ref.file:
{
  "name": "my-agent",
  "allowed_servers": ["calculator"],
  "access_token_ref": {
    "file": "/run/secrets/mcpjungle_token"
  }
}
3

From an environment variable

Export the token as an environment variable and reference it by name with access_token_ref.env:
{
  "name": "my-agent",
  "allowed_servers": ["calculator"],
  "access_token_ref": {
    "env": "MCPJUNGLE_CLIENT_TOKEN"
  }
}
If both env and file are set, the environment variable takes precedence. If the variable is not set, MCPJungle falls back to the file.

Environment variable substitution in config files

Anywhere a string value appears in the JSON config, you can use ${VAR_NAME} placeholders. The CLI resolves them before sending the request to the server — the variable must be set in the shell where you run the command: 
{
  "name": "${MCP_CLIENT_NAME}",
  "allowed_servers": ["${PRIMARY_SERVER}", "time"],
  "access_token_ref": {
    "env": "CLIENT_TOKEN_ENV_NAME"
  }
}
If a referenced variable is not set, the command fails with a descriptive error.

Creating user accounts

In addition to MCP clients (which represent AI agents or IDE integrations), you can create user accounts for human operators who need authenticated access to the MCPJungle admin API. A standard user can:
  • List and view registered MCP servers and their tools
  • Check tool usage statistics
  • Invoke tools
A standard user cannot register or remove servers, create MCP clients, create other users, or perform any other write operation — those actions require an admin account. 
# Auto-generate a token for the user
mcpjungle create user bob

# Specify a custom token
mcpjungle create user alice --access-token alice_token_123

# Create from a config file
mcpjungle create user --conf /path/to/user-config.json
After the user is created, the CLI prints a mcpjungle login command the user should run on their own machine to store the token in their local ~/.mcpjungle.conf.

User config file format

{
  "name": "charlie",
  "access_token": "charlies_secret_token",
  "access_token_ref": {
    "file": "/path/to/token-file.txt",
    "env": "ENV_VAR_NAME"
  }
}
The same three token-supply strategies (inline, file, env) and ${VAR_NAME} placeholder substitution work for user config files as well. When using a config file you must supply a token — MCPJungle cannot print a generated one back to the console.
Use access_token_ref.env together with a secrets manager to avoid ever writing tokens to disk. Export the secret to an environment variable before running the create command, and remove it from the environment afterwards.