The secure gateway connecting AI agents to the enterprise systems they need to do real work.
Agents discover what they're allowed to access. Warden brokers every connection. Operators get one control plane for identity, policy, and audit β across every MCP server, cloud, code-host, observability stack, database, and SaaS the agent reaches.
Agents are useful only when they reach real systems: cloud accounts, code repositories, observability stacks, databases, ITSM, secrets backends. Today, pointing an agent at production means handing it over-scoped, long-lived credentials, with no per-request policy and no identity-tied audit. Each new system is another credential in the agent's environment, governed by nothing in the request path.
The control gap, not the credential, is the headline. MCP servers make it acute β every server wraps one upstream API and holds one credential in process env, so an agent with a dozen tools has a dozen static secrets scattered across a dozen processes, none of them rotating, none of them governed.
Warden closes the gap by sitting in the path: the agent identifies itself, Warden decides what it can reach, and Warden brokers the connection.
ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ
β β 1. Discover β β β β
β β ββββββββββββββββββΆ β β β MCP servers β
β AI Agent β what can I do? β β β Cloud β
β MCP servers β β Warden β real credentials β LLMs β
β β 2. Connect β β βββββββββββββββββββΆ β Code hosts β
β β ββββββββββββββββββΆ β β β SaaS β
β β identity only β β β ... β
ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ
β’ Identity β
β’ Policy β
β’ Audit β
Discover. The agent presents its identity β a JWT, TLS client certificate, SPIFFE SVID, or Kubernetes service-account token β and runs three introspection calls against Warden:
warden role listβ which roles is this identity permitted to assume in this namespace?warden provider listβ which upstream systems are mounted here?warden skill read <type>β for the chosen system, fetch the agent-facing recipe (env vars, endpoint URL, role-selection idiom).
Each response is human-readable JSON or markdown. The agent matches the task to a role and provider by reading operator-set descriptions β no config files, no role names distributed out of band, no SDK to rebuild when a new provider is mounted.
Connect. The agent picks a role and points at Warden as if it were the upstream. Warden authenticates the identity, applies the role's policy at request time, and attaches the upstream credential before forwarding β or vends a scoped grant directly, such as a database auth token or a pre-signed URL. The credential belongs to Warden, never to the agent β and is ephemeral wherever the upstream supports it.
What an enterprise gets from putting Warden in the path:
- Per-call least privilege β the agent asks Warden what systems and roles are open to it, then switches roles mid-task, picking the narrowest fit for each operation by reading operator-set descriptions. A read-scoped role for reads, a write-scoped role only when a write is intended β the agent's posture changes step by step, not session by session.
- Hallucination containment β LLMs make routine mistakes, and a single mistake under a broad credential can cause real damage. Per-call role binding constrains what the agent can do at every step; a hallucinated request that exceeds the role's scope is denied upstream β observable in the audit log, with no state change. LLM errors become recoverable instead of catastrophic.
- Compromise containment β because Warden holds the upstream credentials and the agent never does, a prompt-injected, jailbroken, or otherwise compromised agent has nothing to exfiltrate. Any call it does issue is still bounded by Warden's policy at request time β regardless of what's in the agent's memory or chat history.
- Fine-grained access policy β per-action capabilities and parameter filters, evaluated at request time against caller IP, time of day, and day of week. For MCP traffic the same policy reaches inside each tool call β which tools an agent may invoke, and which arguments it may pass.
- Identity-bound access β a JWT, a TLS client certificate, or a first-class SPIFFE SVID (X.509 or JWT); the same identity reaches every upstream the policy permits β no per-system credential sprawl, no API keys handed to agents, nothing to rotate per integration.
- On-behalf-of access β beyond reaching an upstream as a shared service account, Warden can act on behalf of a specific user: the user grants access once through a standard browser consent, and every subsequent call runs under that user's delegated grant, refreshed automatically β so a delegated action is attributed to the real person, not a shared application credential.
- Audit β every request tied to the original identity, the role used, and the upstream called β plus the policy decision recorded on each MCP tool call, and non-secret metadata about the credential Warden minted, such as the identity it represents.
- Automatic credential rotation β Warden rotates the upstream credentials it holds on a schedule, staging the switch for systems that need time to propagate a new key, so the broker's own secrets stay fresh without operator coordination.
35 systems across MCP servers, LLMs, cloud, code-hosting, observability, ITSM, Kubernetes, secrets, and databases. Follow any link below to configure your first endpoint, or see docs/providers.md for the full list.
| Category | Providers | Warden does |
|---|---|---|
| MCP servers | Generic β GitHub, Google Cloud, Slack, Cloudflare, β¦; AWS (SigV4) | Proxies tool calls β injects credentials, enforces tool-level policy |
| LLM APIs | Anthropic, OpenAI, Mistral, Cohere | Injects API key |
| Cloud infrastructure | AWS, Azure, GCP, Alicloud, IBM Cloud, OVH, Scaleway, Cloudflare | Temporary credentials / Bearer tokens |
| Code hosting & CI/CD | GitHub, GitLab, Atlassian, Ansible Tower, Terraform Enterprise | Injects App token, PAT, or Bearer token |
| Observability | Datadog, Dynatrace, Elastic, Grafana, Honeycomb, New Relic, Prometheus, Sentry, Splunk | Injects API key / proxies metrics |
| Incident & ITSM | PagerDuty, ServiceNow, Slack | Injects Bearer token |
| Kubernetes | Kubernetes | Injects service account token |
| Secrets backend | HashiCorp Vault / OpenBao | Mints short-lived tokens |
| Databases | AWS RDS / Aurora, AWS Redshift | Issues IAM database auth token |
MCP servers β Warden works both sides of the protocol. Point your own MCP server at Warden instead of the upstream API, and one gateway covers every tool it exposes β replacing the per-tool-credential-in-env model with one identity and one policy surface. Or put Warden in front of a managed MCP server β GitHub, AWS, GCP β and an agent reaches it through Warden, which attaches the credential per request and enforces policy on each tool call, down to which tools run and which arguments they carry.
SRE agents β incident-response agents reaching Prometheus, Grafana, Kubernetes, and PagerDuty under one policy layer. Warden scopes each call to the agent's identity β query dashboards but not delete them, restart a pod but not modify IAM. Every action during an incident is tied to the agent's identity in the audit log.
Agentic coding β code agents that push to GitHub, deploy to AWS, and read from artifact stores all through one identity. Warden enforces which repos they push to, which buckets they read, and logs every action.
RAG pipelines β retrieval agents reaching production databases and object stores under per-request grants. Warden vends a database auth token or pre-signed URL scoped to the exact query or object the agent needs.
Multi-model orchestration β an agent reaching Anthropic for reasoning, OpenAI for embeddings, and Mistral for classification through one identity, one policy layer, and one audit log across all three.
Autonomous workflows β long-running agents that reach systems over hours or days with time-scoped access. Warden issues credentials per request, so no token outlives the work it was minted for.
Warden also secures non-agent workloads β CI/CD pipelines, microservices, developer machines β with the same identity-based model.
Warden supports multiple methods for verifying caller identity.
| Method | Identity Source | How the agent presents the credential to its SDK |
|---|---|---|
| JWT | Signed JWT token | The same JWT goes in whichever credential slot the upstream SDK natively expects (AWS_SECRET_ACCESS_KEY, OPENAI_API_KEY, X-Vault-Token, Authorization: Bearer, β¦). Warden detects it, validates the identity, and swaps in the real upstream credential. Existing SDK code keeps working β only the base URL changes. |
| TLS Certificate | X.509 client certificate | Identity is proven at the TLS handshake (or forwarded by a TLS-terminating proxy via X-SSL-Client-Cert). The SDK's credential slot is filled with any placeholder value β Warden ignores it once cert auth has proven the identity. Role selection follows the same per-provider conventions as JWT mode. |
| SPIFFE | SPIFFE X.509-SVID or JWT-SVID | First-class SPIFFE identity on a single mount: a workload presents an X.509-SVID at the TLS handshake (or forwarded by a TLS-terminating proxy) or a JWT-SVID as a bearer token, and Warden verifies it against the trust domain's bundle β with federation across trust domains and periodic refresh. It relies on short-lived SVIDs and bundle rotation rather than revocation lists, so it suits workloads already issued identities by a SPIFFE provider such as SPIRE. |
| Kubernetes | Kubernetes ServiceAccount token (projected SA JWT) | The pod's ServiceAccount token goes in the SDK's credential slot exactly as in JWT mode. Warden validates it by calling the issuing cluster's TokenReview API β no JWKS endpoint or public keys to distribute β and matches a role bound to the ServiceAccount's namespace and name. |
This is the design property that makes Warden a drop-in layer rather than a rewrite tax: a pre-existing boto3, openai-python, Vault CLI, or curl-against-GitHub script becomes Warden-mediated by setting the base URL to Warden and putting the JWT where the secret used to go. It also separates Warden from dedicated auth proxies (which typically require client libraries).
AWS access hygiene β per-call least privilege, mid-task. A
Goose agent audits IAM in a sandbox AWS account through four
read-only lenses (inventory, recent usage, external exposure,
effective access) and publishes findings to Security Hub and a
Slack canvas β switching Warden roles between every call so each
operation runs under exactly the role it needs and nothing more. A
hallucinated securityhub:BatchImportFindings attempted under the
read intent is denied at AWS by the assumed role's narrow IAM
policy β not by Warden β and surfaces in the audit log as the
declared intent on a mismatched action. See
the walk-through.
Vault policy hygiene β one identity, three systems, zero credentials. A Goose agent audits OpenBao ACL policies, reasons over them with an Anthropic-compatible LLM, and publishes the report to Slack β all under one Forgejo OIDC JWT, all through Warden. Sibling demo of the same discover-and-connect pattern, exercising the across-providers axis (one Vault role for the audit, one Slack role for delivery). See the walk-through.
In both tutorials the agent's recipe contains no URLs, no role names, no channel IDs, no account IDs. The runtime hands it three env vars and a JWT; the agent asks Warden what's wired up for its identity and picks the right combination by reading operator-set descriptions. Rename a role, swap the LLM, move to a different cluster β the recipe doesn't change.
For the system-side reference β the runtime contract, the discovery loop, error handling β see docs/agent-flow.md.
See docs/architecture.md for Warden's design decisions, high availability model, and deployment configuration.
A first-party Helm chart deploys Warden as a 3-replica HA cluster on any Kubernetes 1.27+ cluster β bring your own Postgres, your own TLS certificate, and either a Vault Transit endpoint for auto-unseal or a static seal key for development. The chart ships production-leaning defaults; a quickstart values file shrinks the install to a single replica for kind or minikube.
See docs/deployment/kubernetes.md for the full guide.
We welcome contributions! See the contributing guide for setup instructions, build commands, testing conventions, and submission guidelines.