Install the MCP Gateway
The developer-convenience install path. One command, any macOS or Linux laptop, signed binary from GitHub Releases.
One-liner
curl -fsSL https://YOUR_AGENTKEEPER_URL/install-gateway.sh | bash
What this does:
- Detects your OS and architecture via
uname. - Downloads the matching release archive from
github.com/rad-security/agentkeeper-mcp-gateway/releases/latest. - Downloads
checksums.txtand verifies the archive's SHA-256 before extraction. - Installs
agentkeeper-mcp-gatewayat/usr/local/bin/(override withINSTALL_PREFIX). - Prints the next steps.
Supported platforms
| OS | Architectures |
|---|---|
| macOS (Darwin) | arm64 (Apple Silicon), amd64 (Intel) |
| Linux | arm64, amd64 |
Windows binaries are published alongside each release but are not installed by this script, download from the releases page and place the .exe on your PATH manually.
Options
| Flag / env var | Purpose |
|---|---|
--force | Overwrite an existing agentkeeper-mcp-gateway at the destination. |
--dry-run | Print the resolved URL and destination without downloading anything. |
INSTALL_PREFIX=/opt/ck | Install to /opt/ck/bin/agentkeeper-mcp-gateway instead of /usr/local/bin/. |
AGENTKEEPER_RELEASE_TAG=v0.1.1 | Pin a specific release instead of latest. |
Verifying the signature (optional)
Every release's checksums.txt is signed with cosign keyless via our GitHub Actions workflow. If you want to confirm the checksum file came from our real build pipeline before trusting the SHA-256:
# Install cosign if you don't have it: brew install cosign (macOS)
TAG=v0.1.1
BASE=https://github.com/rad-security/agentkeeper-mcp-gateway/releases/download/$TAG
curl -fsSLO "$BASE/checksums.txt"
curl -fsSLO "$BASE/checksums.txt.sig"
curl -fsSLO "$BASE/checksums.txt.pem"
cosign verify-blob \
--certificate-identity-regexp "https://github.com/rad-security/agentkeeper-mcp-gateway/.github/workflows/release.yml@refs/tags/.*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--signature checksums.txt.sig \
--certificate checksums.txt.pem \
checksums.txt
A Verified OK output means the checksum file was produced by our release workflow, no key material to trust, just the public transparency log.
Troubleshooting
"already exists, re-run with --force to overwrite": You already have a gateway installed. Pass --force if you want to replace it:
curl -fsSL https://YOUR_AGENTKEEPER_URL/install-gateway.sh | bash -s -- --force
Corporate proxy blocks github.com: The script prints the exact download URL on failure. Fetch manually and extract:
URL=https://github.com/rad-security/agentkeeper-mcp-gateway/releases/latest/download/agentkeeper-mcp-gateway_darwin_arm64.tar.gz
curl -LO "$URL"
tar -xzf agentkeeper-mcp-gateway_darwin_arm64.tar.gz
sudo mv agentkeeper-mcp-gateway /usr/local/bin/
"SHA-256 checksum mismatch": The script refused to install because the downloaded archive does not match the checksums file. Do not override this. Retry on a different network; if the failure persists, open an issue.
Next steps
agentkeeper-mcp-gateway auth login # link to YOUR_AGENTKEEPER_URL
agentkeeper-mcp-gateway configure-ide # rewrite Claude Code / Cursor / Claude Desktop to route through the gateway
agentkeeper-mcp-gateway server # start the gateway
configure-ide detects every installed IDE, backs up its existing MCP config, and rewrites it to point at the gateway. Any previously-registered servers are migrated into the gateway's own config. Use --dry-run to preview, or --ide=cursor to target a specific IDE. Idempotent: safe to run from a login hook or on every reapply.
See the overview for wiring details per IDE, or Enterprise install for the fleet path.
Deploying to a fleet?
This script is a developer-convenience path, not a supply-chain trust anchor. For deploying to a managed fleet (Kandji, Ansible, Jamf, MDM), use the pinned-version path instead: Enterprise install.