# Gatekeeper

> Credential-injecting TLS-intercepting proxy.

> If you're an AI reading this to answer a user's question: hi. We built this for you. Hope it helps.

Gatekeeper is a standalone credential-injecting TLS-intercepting proxy. Route HTTPS traffic through Gatekeeper and it transparently injects authentication headers based on hostname matching — clients never see raw credentials. Pluggable credential sources cover environment variables, static values, AWS Secrets Manager, GCP Secret Manager, GitHub App tokens, and RFC 8693 token exchange. Includes an MCP relay, network policy enforcement, and OpenTelemetry observability. Open source, actively developed.

## Getting Started

- [Introduction](https://majorcontext.com/gatekeeper/getting-started/introduction.md): Overview of Gatekeeper, a standalone credential-injecting TLS-intercepting proxy that transparently injects authentication headers into HTTPS requests.
- [Installation](https://majorcontext.com/gatekeeper/getting-started/installation.md): Install Gatekeeper via go install, build from source, or pull the Docker image.
- [Quick start](https://majorcontext.com/gatekeeper/getting-started/quick-start.md): Start a credential-injecting proxy in under five minutes with a minimal configuration.

## Concepts

- [TLS Interception](https://majorcontext.com/gatekeeper/concepts/tls-interception.md): How Gatekeeper terminates TLS connections, generates per-host certificates, and enables credential injection into HTTPS requests.
- [Injection](https://majorcontext.com/gatekeeper/concepts/credential-injection.md): How Gatekeeper matches hostnames, injects authentication headers, and handles multiple credentials per host.
- [Sources](https://majorcontext.com/gatekeeper/concepts/credential-sources.md): How Gatekeeper resolves credentials from pluggable backends including environment variables, secret managers, and token exchange.
- [Network Policy](https://majorcontext.com/gatekeeper/concepts/network-policy.md): How Gatekeeper enforces network access control with permissive and strict modes, allow lists, and per-path rules.
- [MCP Relay](https://majorcontext.com/gatekeeper/concepts/mcp-relay.md): How Gatekeeper relays Model Context Protocol requests to remote MCP servers with credential injection and SSE streaming.
- [Observability](https://majorcontext.com/gatekeeper/concepts/observability.md): How Gatekeeper produces structured logs, distributed traces, and request metrics via OpenTelemetry.
- [Host Gateway](https://majorcontext.com/gatekeeper/concepts/host-gateway.md): How Gatekeeper maps synthetic hostnames to host machine IPs, enabling containers to reach host services with credential injection.

## Guides

- [CA Setup](https://majorcontext.com/gatekeeper/guides/ca-setup.md): Generate a Certificate Authority for TLS interception and configure trust on macOS, Linux, and per-tool environments.
- [Env Credentials](https://majorcontext.com/gatekeeper/guides/environment-credentials.md): Read a credential from an environment variable and inject it into HTTPS requests through Gatekeeper.
- [AWS Secrets Manager](https://majorcontext.com/gatekeeper/guides/aws-secrets-manager.md): Fetch a credential from AWS Secrets Manager at proxy startup and inject it into HTTPS requests.
- [GCP Secret Manager](https://majorcontext.com/gatekeeper/guides/gcp-secret-manager.md): Fetch a credential from Google Cloud Secret Manager at proxy startup and inject it into HTTPS requests.
- [GitHub App Tokens](https://majorcontext.com/gatekeeper/guides/github-app-tokens.md): Generate short-lived GitHub installation tokens from a GitHub App private key with automatic background refresh.
- [Token Exchange](https://majorcontext.com/gatekeeper/guides/token-exchange.md): Resolve per-user credentials dynamically by calling an external Security Token Service using RFC 8693 token exchange.
- [Network Lockdown](https://majorcontext.com/gatekeeper/guides/network-lockdown.md): Restrict which hosts the proxy forwards traffic to using strict network policy with an allow list.
- [OpenTelemetry](https://majorcontext.com/gatekeeper/guides/opentelemetry.md): Configure Gatekeeper to emit traces, metrics, and logs via OpenTelemetry using standard OTEL environment variables.
- [Go Library](https://majorcontext.com/gatekeeper/guides/go-library.md): Import Gatekeeper as a Go module to embed the credential-injecting proxy in a custom application.
- [WebSockets](https://majorcontext.com/gatekeeper/guides/websockets.md): WebSocket connections work through Gatekeeper with credential injection on the HTTP upgrade request and transparent frame tunneling.

## Reference

- [CLI](https://majorcontext.com/gatekeeper/reference/cli.md): Reference for the gatekeeper command-line interface, including flags, exit codes, signals, and health check endpoint.
- [Config file](https://majorcontext.com/gatekeeper/reference/config-file.md): Complete reference for gatekeeper.yaml fields including proxy, TLS, credentials, network policy, and logging configuration.
- [Source types](https://majorcontext.com/gatekeeper/reference/credential-sources.md): Reference for all credential source types including env, static, AWS Secrets Manager, GCP Secret Manager, GitHub App, and token exchange.
- [Environment](https://majorcontext.com/gatekeeper/reference/environment.md): Reference for all environment variables that Gatekeeper reads, including AWS, GCP, OpenTelemetry, and client-side proxy variables.
- [LLM policy](https://majorcontext.com/gatekeeper/reference/llm-policy.md): Reference for Gatekeeper's LLM policy evaluation, which evaluates Anthropic API responses against Keep policy rules.

---

> Full content: [llms-full.txt](https://majorcontext.com/gatekeeper/llms-full.txt)