Casdoor Agent MCP Gateway
Apache-2.0 AI-first IAM, auth server, and agent/MCP gateway with a web UI, OAuth/OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, MFA, OpenClaw/A2A positioning, an `/api/mcp` endpoint for Casdoor administration tools, and configurable upstream MCP server proxying with tool allowlists and bearer-token forwarding.
Open the source and read safety notes before installing.
Safety notes
- Casdoor is an IAM and authentication control plane. Mistakes can lock users out, weaken SSO, expose tokens, or grant access across applications.
- The README documents fresh-install credentials of `built-in/admin` / `123`; rotate credentials and configure database/secrets before exposing Casdoor.
- The `/api/mcp` handler can call application and user CRUD tools. Write scopes can add, update, or delete applications and users, so use narrow OAuth scopes and audit tool calls.
- The server proxy route forwards MCP JSON-RPC calls to configured upstream MCP URLs and can attach a stored bearer token. Treat every configured server URL and token as privileged infrastructure.
- Casdoor's proxy enforces configured tool allowlists for `tools/call`, but an empty or stale allowlist can make a gateway endpoint more permissive than intended.
- MCP scanning and intranet discovery helpers should only target authorized private networks and should use strict host, port, timeout, and concurrency limits.
Privacy notes
- Casdoor may process users, organizations, applications, providers, roles, permissions, OAuth/OIDC/SAML/LDAP/SCIM identifiers, MFA/WebAuthn state, access tokens, logs, audit events, and webhook payloads.
- MCP requests can include tool names, tool arguments, tool results, user/application records, upstream server URLs, bearer tokens, access scopes, and proxy metadata.
- OpenClaw, A2A, agent, transcript, and session graph features may expose prompts, agent actions, identity context, and workflow traces depending on deployment and retention settings.
- Do not paste admin tokens, provider secrets, upstream MCP bearer tokens, database credentials, SSO metadata, or exported user records into public examples, issues, PRs, or model prompts.
Prerequisites
- A deployment plan for Casdoor itself: Docker all-in-one for a local trial, Docker Compose, Helm, or source install with Go 1.25, Node.js 20, Yarn 1.x, and a supported database.
- Immediate credential rotation for the fresh-install `built-in/admin` / `123` account before any shared, networked, or production exposure.
- Identity architecture for organizations, applications, providers, OAuth/OIDC clients, SAML, LDAP, SCIM, MFA, WebAuthn, and user lifecycle behavior.
- MCP client and auth plan for the `/api/mcp` endpoint, including token issuance, scopes, session handling, and least-privilege access.
- Reviewed upstream MCP server URLs, bearer tokens, tool inventory, and allowlist policy before using Casdoor as an MCP proxy.
Schema details
- Install type: cli
- Troubleshooting: No
- Scope: Source repo
- Estimated setup: 45 minutes
- Difficulty: advanced
- Website: https://casdoor.ai
- Pricing: free
- Disclosure: editorial
- Application category: DeveloperApplication
- Operating system: Cross-platform
Full copyable content
docker run -p 127.0.0.1:8000:8000 casbin/casdoor-all-in-one
# Fresh local installs are bound to loopback on port 8000.
# Change the default built-in/admin password before any non-local bind or exposure.
About this resource
Overview
Casdoor is an open-source identity and access management platform that now positions itself as an AI-first IAM, auth server, and MCP gateway. The project combines a web UI for users, organizations, applications, providers, SSO, MFA, and enterprise identity flows with agent-facing routes for MCP server proxying and Casdoor administration tools.
Use it when the agent stack needs identity infrastructure near the MCP layer: OAuth/OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP/MFA, application/user management, upstream MCP server inventory, and controlled gateway access from a single open-source service.
Install
For a quick local trial, the README documents the all-in-one Docker image:
docker run -p 8000:8000 casbin/casdoor-all-in-one
Then open the local web UI on port 8000. Fresh installs use
built-in/admin / 123 according to the README; change that password before
exposing the instance.
Source installs require Go, Node.js, Yarn, and database configuration. The README also documents Docker Compose and Helm deployment paths.
Agent and MCP Capabilities
| Area | Casdoor Coverage |
|---|---|
| IAM control plane | Web UI and APIs for users, organizations, applications, providers, MFA, SSO, and enterprise identity configuration |
| Protocols | OAuth 2.0/OIDC, SAML, CAS, LDAP, SCIM, WebAuthn/passkeys, TOTP, MFA, Face ID, Google Workspace, and Azure AD positioning |
| MCP self endpoint | /api/mcp handles MCP JSON-RPC methods such as initialize, ping, tools/list, and tools/call |
| MCP admin tools | Current handler dispatches application and user tools such as get_applications, add_application, get_users, and update_user |
| Scope filtering | OAuth token claims are mapped to tool access through built-in scopes such as application:read, application:write, user:read, and user:write |
| MCP proxy | /api/server/:owner/:name proxies configured upstream MCP servers over HTTP/HTTPS and can forward stored bearer tokens |
| Tool controls | Configured upstream server tools can be synced and marked allowed/forbidden before tools/call requests are proxied |
| Agent surfaces | Repository metadata and UI/API files include agent, A2A, MCP gateway, OpenClaw session graph, and transcript-related surfaces |
Use Cases
- Put IAM and OAuth/OIDC controls near an agent or MCP deployment.
- Expose selected Casdoor administration operations to MCP clients with scoped access.
- Proxy a reviewed upstream MCP server through an IAM-backed gateway route.
- Maintain an allowlist for MCP tools before agent clients can invoke them.
- Manage application and user records from an agent workflow while keeping identity changes auditable.
- Evaluate OpenClaw-adjacent identity, agent gateway, and transcript/session workflows in a self-hosted stack.
Source Review
Verified on 2026-06-18:
- The upstream repository describes Casdoor as an open-source agent-first IAM, LLM MCP and agent gateway, and auth server with web UI support.
- The repository metadata includes `mcp`, `mcp-gateway`, `agent`, `ai-gateway`, `iam`, `oauth`, `oidc`, `openclaw`, `saml`, `scim`, and `webauthn` topics.
- The README identifies Casdoor as an AI-first IAM and AI MCP gateway, with OAuth/OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD, MCP, and A2A support.
- The README documents source, Docker all-in-one, Docker Compose, and Helm install paths, and notes fresh-install credentials of `built-in/admin` / `123`.
- `routers/router.go` registers `/api/mcp` for Casdoor's own MCP handler and `/api/server/:owner/:name` for upstream server proxying.
- `mcpself/base.go` implements MCP JSON-RPC handling for `initialize`, `notifications/initialized`, `ping`, `tools/list`, and `tools/call`, with server info `Casdoor MCP Server` version `1.0.0`.
- `mcpself/base.go`, `mcpself/application.go`, and `mcpself/user.go` expose application and user read/write tools through the current MCP self handler.
- `mcpself/auth.go` extracts bearer tokens, resolves token applications, parses JWT claims, and reads OAuth scopes for MCP authorization.
- `mcpself/permission.go` maps built-in scopes to tool access and expands convenience scopes such as `read`, `write`, and `admin`.
- `controllers/mcp_server.go` validates configured upstream MCP server URLs, limits proxy schemes to HTTP/HTTPS, forwards stored bearer tokens, and checks configured tool allowlists for `tools/call` requests.
- `object/server.go` stores upstream MCP server URL, token, application, and synced tool metadata, with per-tool `isAllowed` flags.
- `mcp/util.go` uses the official Model Context Protocol Go SDK to connect to upstream servers and list tools, and includes intranet scanning helpers with scheme, timeout, concurrency, port, path, and CIDR sanitizers.
- `controllers/agent.go` and `object/agent.go` implement CRUD APIs and storage for agent records.
- The latest GitHub release is `v3.97.1`, published on 2026-06-18.
- The repository license is Apache-2.0.
Safety and Privacy
Casdoor sits on a sensitive trust boundary. It can manage identities, applications, SSO providers, MFA settings, access tokens, and MCP gateway routes. Start with a private deployment, rotate default credentials, configure least-privilege OAuth scopes, and test agent-accessible write tools before connecting production users or applications.
Gateway mode should be treated as infrastructure, not just an app shortcut. Configured upstream MCP URLs, stored bearer tokens, synced tool lists, and allowlist state determine what an agent can reach. Review each upstream server and keep proxy endpoints, logs, tokens, and SSO metadata out of public examples.
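A fail-closed version of the allowlist gate discussed above, as an added example that is not Casdoor's own code: it parses an MCP JSON-RPC request and permits `tools/call` only for a tool explicitly marked allowed, so an empty or stale synced list denies instead of permitting. The `Tool` and `Decide` names, the tool names, and the sample request are assumptions for illustration; only the `isAllowed` flag name comes from the source review.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Tool is one synced upstream tool entry (hypothetical shape; only the
// isAllowed flag name comes from the page's source review).
type Tool struct {
	Name      string `json:"name"`
	IsAllowed bool   `json:"isAllowed"`
}

// rpcRequest is the subset of an MCP JSON-RPC 2.0 request the gate inspects.
type rpcRequest struct {
	JSONRPC string `json:"jsonrpc"`
	Method  string `json:"method"`
	Params  struct {
		Name string `json:"name"`
	} `json:"params"`
}

// Decide reports whether a raw request may be proxied upstream, and why.
// It denies by default: malformed input, an empty tool list, an unknown
// tool, or a tool not marked allowed all block a tools/call.
func Decide(raw []byte, tools []Tool) (bool, string) {
	var req rpcRequest
	if err := json.Unmarshal(raw, &req); err != nil || req.JSONRPC != "2.0" {
		return false, "malformed JSON-RPC request"
	}
	if req.Method != "tools/call" {
		return true, "not a tool invocation"
	}
	if len(tools) == 0 {
		return false, "allowlist empty or never synced"
	}
	for _, t := range tools {
		if t.Name == req.Params.Name { // exact, case-sensitive match
			if t.IsAllowed {
				return true, "tool allowed"
			}
			return false, "tool marked forbidden"
		}
	}
	return false, "tool missing from synced list (stale allowlist)"
}

func main() {
	// Constructed sample data, not captured traffic.
	tools := []Tool{{"search_docs", true}, {"delete_index", false}}
	raw := `{"jsonrpc":"2.0","id":7,"method":"tools/call","params":{"name":"delete_index"}}`
	ok, why := Decide([]byte(raw), tools)
	fmt.Println(ok, why)
}
```

Logging the returned reason next to the caller's identity gives the audit trail for tool calls that the safety notes ask for.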
Duplicate Check
Checked current content/tools/, content/mcp/, content/agents/,
content/skills/, guides, open pull requests, and repository-wide content for
Casdoor, casdoor/casdoor, Casdoor MCP Gateway, Casdoor Agent MCP Gateway,
OpenClaw auth server, AI-first IAM, MCP auth gateway, and matching source URLs.
No dedicated Casdoor entry, exact source URL duplicate, target file, or open
duplicate PR was found.
Disclosure
Editorial listing. No paid placement or affiliate link is used. Casdoor is Apache-2.0 open-source software; identity providers, SSO platforms, databases, container registries, Helm deployments, model providers, MCP clients, upstream MCP servers, and hosted infrastructure may have separate licenses, billing, terms, privacy controls, and operational requirements.
How it compares
Casdoor Agent MCP Gateway side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Casdoor Agent MCP Gateway | LiteLLM | MLflow | AnythingLLM |
|---|---|---|---|---|
| Description | Apache-2.0 AI-first IAM, auth server, and agent/MCP gateway with a web UI, OAuth/OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, MFA, OpenClaw/A2A positioning, an `/api/mcp` endpoint for Casdoor administration tools, and configurable upstream MCP server proxying with tool allowlists and bearer-token forwarding. | Open-source AI gateway and Python SDK for routing LLM calls through a unified OpenAI-compatible interface. | Open-source AI engineering platform for tracing, evaluating, prompt-managing, and deploying agents, LLM applications, and ML models. | Local-first AI application for private chat, document RAG, workspace agents, MCP-compatible tools, model routing, memories, scheduled tasks, multimodal workflows, multi-user Docker deployments, and self-hosted agent automation. |
| Trust | | | | |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | tools | tools | tools | tools |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | Casdoor | BerriAI | MLflow Project | Mintplex Labs |
| Added | 2026-06-18 | 2026-06-03 | 2026-06-03 | 2026-06-18 |
| Platforms | CLI | CLI | CLI | CLI |
| Source repo | — | — | — | — |
| Safety notes | ✓ Casdoor is an IAM and authentication control plane. Mistakes can lock users out, weaken SSO, expose tokens, or grant access across applications. The README documents fresh-install credentials of `built-in/admin` / `123`; rotate credentials and configure database/secrets before exposing Casdoor. The `/api/mcp` handler can call application and user CRUD tools. Write scopes can add, update, or delete applications and users, so use narrow OAuth scopes and audit tool calls. The server proxy route forwards MCP JSON-RPC calls to configured upstream MCP URLs and can attach a stored bearer token. Treat every configured server URL and token as privileged infrastructure. Casdoor's proxy enforces configured tool allowlists for `tools/call`, but an empty or stale allowlist can make a gateway endpoint more permissive than intended. MCP scanning and intranet discovery helpers should only target authorized private networks and should use strict host, port, timeout, and concurrency limits. | ✓ LiteLLM can proxy requests to multiple model providers, so route and fallback behavior should be reviewed before production use. Gateway deployments can expose model access to teams or applications; configure authentication, budgets, rate limits, and network access intentionally. Avoid logging sensitive prompt, response, or credential material when enabling debugging, observability, or admin features. | ✓ MLflow evaluations, traces, judges, and dashboards are review signals, not proof that an agent, LLM application, prompt, model, or deployment is correct, safe, fair, or production-ready. Autologging, decorators, OpenTelemetry ingestion, manual spans, and framework integrations can wrap live application code and record intermediate agent steps, retrievals, tool calls, model requests, and model responses. LLM-as-a-judge scorers and prompt optimization workflows can call configured model providers, consume quota, hit rate limits, and produce evaluator-model errors that require separate handling. AI Gateway and serving workflows can centralize model access, routing, rate limits, and credentials; incorrect configuration can route traffic to the wrong provider or expose more access than intended. Production tracing, async logging, tracking servers, registries, artifact stores, and deployment endpoints should be reviewed for authentication, TLS, network exposure, backups, and incident response before production use. Model registry and deployment workflows can influence real production behavior, so promotion, rollback, and approval rules should be separated from exploratory eval results. | ✓ AnythingLLM can run agents, scheduled tasks, MCP-compatible tools, browser-like workspace actions, developer APIs, and external model calls; scope tools and credentials before enabling them for users. The upstream Docker guide includes examples that add the SYS_ADMIN capability to the container. Review whether that capability is acceptable for the host before copying production run commands. Multi-user Docker deployments need normal production controls: authentication, TLS, network isolation, secret management, persistent-volume ownership, backups, and upgrade planning. Agent tools, custom agents, model routing, memories, and scheduled tasks can change behavior over time; use least privilege, logging, review gates, and rollback plans for write-capable workflows. Localhost services such as Ollama, Chroma, LocalAI, or LM Studio may need Docker host routing adjustments; avoid exposing local provider ports wider than intended. |
| Privacy notes | ✓ Casdoor may process users, organizations, applications, providers, roles, permissions, OAuth/OIDC/SAML/LDAP/SCIM identifiers, MFA/WebAuthn state, access tokens, logs, audit events, and webhook payloads. MCP requests can include tool names, tool arguments, tool results, user/application records, upstream server URLs, bearer tokens, access scopes, and proxy metadata. OpenClaw, A2A, agent, transcript, and session graph features may expose prompts, agent actions, identity context, and workflow traces depending on deployment and retention settings. Do not paste admin tokens, provider secrets, upstream MCP bearer tokens, database credentials, SSO metadata, or exported user records into public examples, issues, PRs, or model prompts. | ✓ Prompts and responses pass through the LiteLLM process and then to the selected upstream model provider. Gateway logs, spend tracking, and observability integrations may retain request metadata or payload excerpts depending on configuration. Self-hosted deployments still depend on the privacy terms of each configured model provider. | ✓ MLflow traces and evaluations can capture prompts, completions, retrieved context, tool arguments, tool outputs, spans, metadata, latency, token usage, costs, scores, datasets, expectations, and human feedback. Agent traces may contain customer data, private documents, source snippets, proprietary prompts, internal identifiers, secrets accidentally passed to tools, or model outputs that need redaction before storage or sharing. LLM-as-a-judge scorers, prompt optimization, AI Gateway calls, and serving endpoints may send prompts, outputs, context, or traces to configured model providers unless a reviewed local or private provider path is used. Tracking servers, backend databases, artifact stores, evaluation datasets, prompt registries, model registries, and exported reports should follow normal access-control, retention, audit-log, and deletion policies. Public demos, notebooks, and examples should not be copied into production workflows with real API keys, raw customer traces, unreleased prompts, or sensitive evaluation data. | ✓ Uploaded documents, parsed chunks, embeddings, workspace memories, prompts, chat history, agent state, scheduled task inputs, MCP payloads, provider responses, logs, and API calls may contain sensitive data. The README documents anonymous telemetry and an opt-out through DISABLE_TELEMETRY=true or the in-app privacy setting; review this before using regulated or confidential data. Even with telemetry disabled, outbound calls may still go to configured LLMs, embedding models, vector databases, external tools, cdn.anythingllm.com, GitHub, or GitHubusercontent depending on the deployment. Keep provider keys, JWT secrets, workspace invite links, storage paths, private documents, and generated citations out of public prompts, screenshots, issues, and examples. |
| Prerequisites | | | | |
| Install | | — | — | |
| Config | — | — | — | — |
| Citations | | | | |
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |