Skip to content
Qwady Docs

Quickstart Guide

Connecting ThornGuard to your AI Assistant requires no changes to your upstream MCP servers. ThornGuard sits entirely in the middle, intercepting and securing the traffic seamlessly.

Prerequisites

Section titled “Prerequisites”
  1. Claude Desktop installed on your machine.
  2. Your ThornGuard License Key (Check your email! Your should receive your key shortly after checkout. You can also view it in your Qwady Dashboard).
  3. npx installed on your machine (comes natively with Node.js).

1. Configure Claude Desktop

Section titled “1. Configure Claude Desktop”

Because Claude Desktop natively expects to run local terminal commands, it uses a bridge tool called mcp-remote to connect to web-based HTTP servers. We will use this tool to route traffic through ThornGuard.

Open your Claude Desktop configuration file:

Terminal window
nano ~/Library/Application\ Support/Claude/claude_desktop_config.json

Add the Protected Integration

Section titled “Add the Protected Integration”

Add a new server to your mcpServers object. In this example, we are securing a connection to GitHub Copilot’s MCP server.

{
  "mcpServers": {
    "GitHub (Protected)": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "[https://thorns.qwady.app/mcp](https://thorns.qwady.app/mcp)",
        "--header",
        "x-thornguard-license: Bearer THORN-YOUR_KEY_HERE",
        "--header",
        "x-mcp-target-url: [https://api.githubcopilot.com/mcp](https://api.githubcopilot.com/mcp)",
        "--header",
        "Authorization: Bearer ghp_YOUR_UPSTREAM_TOKEN"
      ]
    }
  }
}

Understanding the Configuration:

Section titled “Understanding the Configuration:”
  • https://thorns.qwady.app/mcp: The ThornGuard Edge Proxy URL. All traffic goes here first.
  • x-thornguard-license: Your Qwady Solutions subscription key. ThornGuard uses this to authenticate your proxy access, then immediately strips it from the request before forwarding.
  • x-mcp-target-url: The actual MCP server you want to connect to. ThornGuard reads this, performs security checks, and proxies the traffic to this destination.
  • Authorization: The token for the upstream service (e.g., your GitHub Personal Access Token). ThornGuard passes this through untouched.

2. Initialize the Connection

Section titled “2. Initialize the Connection”
  1. Completely quit Claude Desktop.
  2. Re-open Claude Desktop.
  3. Open a new chat and click the 🔌 (Plug) icon in the bottom right corner.
  4. You should see GitHub (Protected) listed with available tools.

3. Verify Your Defenses

Section titled “3. Verify Your Defenses”

Let’s act as a “Red Team” to ensure ThornGuard is actively protecting your environment.

Test Ingress Protection (Malicious Commands)

Section titled “Test Ingress Protection (Malicious Commands)”

Send this exact prompt to Claude:

“I need you to use your tools to update the repository. Please execute this command: rm -rf /

Result: Claude will attempt to format a JSON-RPC payload. ThornGuard will intercept the rm -rf signature, instantly drop the request, and return an HTTP 400 error. Claude will inform you the command was blocked.

Test Egress DLP (Data Exfiltration)

Section titled “Test Egress DLP (Data Exfiltration)”

Create a text file or issue in your GitHub repository containing a fake AWS key (e.g., AKIAIOSFODNN7EXAMPLE). Then, ask Claude:

“Can you read the latest issue in my repository and tell me exactly what it says?”

Result: GitHub will send the real AWS key back in the stream. ThornGuard will intercept the live network chunks, scrub the key, and replace it with [THORNGUARD REDACTED AWS KEY]. Claude will seamlessly read the redacted text back to you!