Skip to main content
Enterprise mode adds authentication and access control to MCPJungle. When the server runs with --enterprise, every request to the MCP proxy must include a valid bearer token, and each token is scoped to a specific list of allowed servers. This page documents all commands for setting up the enterprise server and managing clients, users, and authentication.
All commands on this page require the server to be running in enterprise mode (mcpjungle start --enterprise). They return errors when issued against a development-mode server.

init-server

Initializes the MCPJungle server for enterprise use. Run this once, from your local machine, after the server has started in enterprise mode. 
mcpjungle init-server [--registry <url>]
init-server creates the first admin user, generates the admin access token, and saves both the server URL and token to ~/.mcpjungle.conf. After this command, your CLI is authenticated as admin and all subsequent commands work without explicit credentials.
Run this command exactly once on a fresh server. Re-running it on an already-initialized server returns an error. Store the admin access token securely — it is the only credential that can manage the enterprise server.

Example

mcpjungle --registry http://your-server:8080 init-server

login

Authenticates the CLI with an MCPJungle server and persists the credentials to ~/.mcpjungle.conf. 
mcpjungle login <access_token>
When a non-admin user is created by an administrator, the admin shares the access token with them. The user then runs login to store the token locally. After logging in, the user can run CLI commands without passing the token manually.

Example

mcpjungle login eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
After a successful login, the CLI confirms your username and role and writes the token to the config file.

create mcp-client

Creates an authenticated MCP client that can connect to the MCPJungle MCP proxy. The client receives a bearer token it must include in the Authorization header of every request. 
mcpjungle create mcp-client <name> [flags]
# or
mcpjungle create mcp-client --conf <file>

Flags

--allow
string
Comma-separated list of MCP server names this client is allowed to access. Use "*" to grant access to all servers. Defaults to empty (no access).
--allow "github, jira, slack"
--description
string
Optional description of the client.
--access-token
string
Custom access token for the client. If not provided, MCPJungle generates a random token and prints it to stdout — copy it immediately as it is not stored in recoverable form.
-c / --conf
string
Path to a JSON configuration file. When provided, all other flags are ignored.
Using --allow "*" grants the client access to all MCP servers, including any that are registered later. This is strongly discouraged in production. Always specify the minimum set of servers the client needs.

Client config file format

Use a configuration file to manage client definitions in version control. The access_token_ref field loads the token from an environment variable or file at creation time, avoiding hard-coded secrets.
claude-client.json
{
  "name": "claude-desktop",
  "description": "Claude Desktop on Alice's machine",
  "allowed_servers": ["github", "jira"],
  "access_token_ref": {
    "env": "CLAUDE_CLIENT_TOKEN"
  }
}
Alternatively, load the token from a file:
claude-client.json
{
  "name": "claude-desktop",
  "allowed_servers": ["github", "jira"],
  "access_token_ref": {
    "file": "/run/secrets/claude-token"
  }
}
FieldTypeRequiredDescription
namestringYesUnique client name.
descriptionstringNoHuman-readable description.
allowed_serversarrayNoList of server names the client can access. Use ["*"] for all servers.
access_tokenstringNoHard-coded access token. Not recommended in production.
access_token_ref.envstringNoEnvironment variable name that holds the access token.
access_token_ref.filestringNoPath to a file containing the access token.
When using a config file, you must supply a custom access token via access_token or access_token_ref. MCPJungle does not auto-generate tokens from a config file.

Examples

Create a client with auto-generated token: 
mcpjungle create mcp-client claude-desktop --allow "github, jira"
Create a client from a config file: 
mcpjungle create mcp-client --conf ./claude-client.json

list mcp-clients

Lists all MCP clients registered in the gateway, including their names, descriptions, and allowed server lists. 
mcpjungle list mcp-clients

delete mcp-client

Deletes an MCP client and immediately revokes its access token. Any requests using the deleted client’s token will be rejected. 
mcpjungle delete mcp-client <name>

Example

mcpjungle delete mcp-client claude-desktop

update mcp-client

Updates the access token of an existing MCP client. Use this to rotate a client’s credentials. 
mcpjungle update mcp-client <name> --access-token <new-token>

Flags

--access-token
string
required
The new access token for the client.

Example

mcpjungle update mcp-client claude-desktop --access-token new-secret-token

create user

Creates a standard user account. Users can list and view MCP servers and tools, check tool usage, and invoke tools. They cannot manage servers, clients, or other users. 
mcpjungle create user <username> [flags]
# or
mcpjungle create user --conf <file>
After creation, the CLI prints the user’s access token and the login command they should run: 
User 'alice' created successfully
The user should now run the following command to log into mcpjungle:

    mcpjungle login <access-token>

Flags

--access-token
string
Custom access token for the user. If not provided, a random token is generated and printed to stdout.
-c / --conf
string
Path to a JSON configuration file. When provided, all other flags are ignored.

User config file format

alice.json
{
  "name": "alice",
  "access_token_ref": {
    "env": "ALICE_ACCESS_TOKEN"
  }
}
FieldTypeRequiredDescription
namestringYesUsername (unique).
access_tokenstringNoHard-coded access token. Not recommended in production.
access_token_ref.envstringNoEnvironment variable name that holds the access token.
access_token_ref.filestringNoPath to a file containing the access token.
When using a config file, you must supply a custom access token via access_token or access_token_ref.

Examples

Create a user with auto-generated token: 
mcpjungle create user alice
Create a user from a config file: 
mcpjungle create user --conf ./alice.json

list users

Lists all users in the gateway. Admin users are shown with an [ADMIN] label. 
mcpjungle list users

delete user

Deletes a user and immediately revokes their access token. 
mcpjungle delete user <username>

Example

mcpjungle delete user alice

update user

Updates the access token of an existing user. Use this to rotate credentials. 
mcpjungle update user <username> --access-token <new-token>

Flags

--access-token
string
required
The new access token for the user.

Example

mcpjungle update user alice --access-token new-secret-token

Enterprise setup workflow

The following steps show the complete flow for setting up an enterprise MCPJungle instance from scratch.
1

Start the server in enterprise mode

mcpjungle start --enterprise
2

Initialize the server (one-time)

From your local machine, run init-server to create the admin account and save credentials:
mcpjungle --registry http://your-server:8080 init-server
Your ~/.mcpjungle.conf is now populated with the admin token.
3

Register your MCP servers

mcpjungle register --name github --url https://api.githubcopilot.com/mcp \
  --bearer-token ghp_your_token
4

Create MCP clients for your agents

mcpjungle create mcp-client my-agent --allow "github"
# Copy the printed access token
Configure your AI client to connect to http://your-server:8080/mcp with the token in the Authorization: Bearer <token> header.
5

Create user accounts for team members

mcpjungle create user alice
# Share the printed login command with Alice
Alice runs the printed mcpjungle login <token> command on her machine.