Barndoor website screenshot

Barndoor

Barndoor AI is the control plane for agentic AI, providing secure access and governance for AI agents and Model Context Protocol (MCP) servers. Founded in 2024 by Oren Michels (founder of Mashery), Barndoor enables enterprise IT, security, and developer teams to register agents, govern MCP server access through policy, broker OAuth connections to backend SaaS, and proxy MCP traffic with runtime policy enforcement and full audit trails. The Barndoor Platform REST API manages servers, connections, policies, agents, and MCP / SSE request proxying. Python, TypeScript, and Go SDKs are published on GitHub alongside Rust SDKs (Cerbos, official MCP, MCP OAuth compliance suite) and a Crew AI example. Deployment options include SaaS (trial), private cloud, and on-premises (Enterprise).

8 APIs 14 Features
AI AgentsAI GovernanceAgentic AIMCPModel Context ProtocolPolicy EnforcementOAuthIdentitySecurityAuditControl Plane

APIs

Barndoor Platform API

REST API for the Barndoor Platform. Manage MCP server registrations, OAuth connections from agents to backend SaaS, access-control policies (with rules, restrictions, revisions,...

Barndoor Python SDK

Python SDK for the Barndoor AI Platform. Wraps the Platform REST API, handles Auth0 PKCE login (`loginInteractive()`), discovers governed MCP tools, brokers OAuth connections to...

Barndoor TypeScript SDK

TypeScript SDK for the Barndoor AI Platform. Browser- and Node-friendly client for Auth0 PKCE login, governed MCP tool discovery, OAuth connection initiation, and proxying MCP /...

Barndoor Go SDK

Go SDK for the Barndoor AI Platform. Server-side client for registering agents, managing MCP servers and policies, brokering OAuth connections, and proxying MCP requests from Go...

Official MCP Rust SDK

The official Rust SDK for the Model Context Protocol. Maintained under the Barndoor AI GitHub organization; provides primitives to build MCP clients and servers in Rust.

Cerbos Rust SDK

Rust SDK for Cerbos, the policy-decision-point used by Barndoor for attribute-based access control. Lets Rust services request policy decisions from a Cerbos PDP.

MCP OAuth Compliance Suite

Rust test suite that validates remote MCP servers against the MCP authorization specification - RFC 9728 (Protected Resource Metadata), RFC 8414 (Authorization Server Metadata),...

Barndoor + Crew AI Example

Reference Python demo application showing how to plug Barndoor-governed MCP tools into a Crew AI multi-agent workflow.

Collections

Pricing Plans

Barndoor Plans Pricing

4 plans

PLANS

Rate Limits

Barndoor Rate Limits

6 limits

RATE LIMITS

FinOps

Features

MCP Governance

Secure access control and policy enforcement for Model Context Protocol servers.

Runtime Policy Enforcement

Continuous governance applied at the moment AI agents act, not just at login.

Right-Sized Permissions

Precise, scoped access for agents - not broad human-level permissions.

Context Filtering

Dynamically surface only policy-compliant MCP tools, optimizing the context window.

AI Agent Registry

Register internal and external agents, group them, and track activity.

OAuth Connection Brokering

Initiate and manage OAuth 2.0 connections from agents to backend SaaS.

MCP / SSE Proxying

Streaming proxy that injects credentials and enforces policy on every MCP and SSE request.

Policy Authoring (RBAC/ABAC)

Create, clone, version, validate, and apply Cerbos-based RBAC and ABAC policies.

Audit Dashboards and Activity Logs

Complete audit trails for every AI action, applied policy, and outcome.

Audit Log Export

Stream audit events as gzipped JSON Lines to S3 / GCS / MinIO / SeaweedFS buckets.

Shadow AI Discovery

Centralized visibility into unauthorized AI apps and agents in the environment.

Identity Provider Integration

Connect to existing enterprise IdPs (Keycloak-based) for SSO and identity.

Static Egress IPs

Five dedicated outbound IPs for whitelisting Barndoor traffic at MCP servers.

Private and On-Prem Deployment

SaaS, private cloud, and on-premises deployment options for sensitive environments.

Use Cases

Enterprise AI Governance

Apply access policies and governance to AI agents across the organization.

MCP Server Management

Centrally register, secure, and manage MCP server deployments for AI agents.

Agentic Workflow Orchestration

Coordinate multi-agent workflows with security and accountability controls.

AI Security and Data Exfiltration Prevention

Prevent unauthorized AI agent actions and limit data exfiltration.

Shadow AI Discovery

Surface unauthorized AI apps and agents already running in the environment.

Developer Tooling for Governed Agents

Build agents safely with end-to-end policy enforcement via SDKs.

Microsoft 365 Agent Governance

Govern agents that work across Microsoft 365 (Excel, Outlook, Teams, OneDrive).

Solutions

IT & Security Teams

Centralize AI governance, manage shadow AI, and enforce real-time access controls at scale.

Developers

Deploy agents safely without custom security logic, with end-to-end policy across dev, staging, and prod.

Semantic Vocabularies

Barndoor Context

3 classes · 14 properties

JSON-LD

API Governance Rules

Barndoor API Rules

14 rules · 9 errors 5 warnings

SPECTRAL

JSON Structure

Barndoor Agent Counts Structure

3 properties

JSON STRUCTURE

Barndoor Agent Directory Base Structure

10 properties

JSON STRUCTURE

Barndoor Agent Payload Structure

1 properties

JSON STRUCTURE

Barndoor Agent Response Structure

7 properties

JSON STRUCTURE

Barndoor Agent Structure

5 properties

JSON STRUCTURE

Barndoor Connection Status Response Structure

1 properties

JSON STRUCTURE

Barndoor Error Structure

3 properties

JSON STRUCTURE

Barndoor Filter Category Structure

3 properties

JSON STRUCTURE

Barndoor Filter Option Structure

2 properties

JSON STRUCTURE

Barndoor Pagination Meta Structure

6 properties

JSON STRUCTURE

Barndoor Policy Detail Structure

13 properties

JSON STRUCTURE

Barndoor Policy Revision Summary Structure

7 properties

JSON STRUCTURE

Barndoor Policy Rule Condition Structure

1 properties

JSON STRUCTURE

Barndoor Policy Rule Structure

5 properties

JSON STRUCTURE

Barndoor Policy Summary Structure

12 properties

JSON STRUCTURE

Barndoor Server Create Request Structure

6 properties

JSON STRUCTURE

Barndoor Server Create Response Structure

3 properties

JSON STRUCTURE

Barndoor Server Detail Structure

0 properties

JSON STRUCTURE

Barndoor Server Summary Structure

5 properties

JSON STRUCTURE

Barndoor Server Update Request Structure

5 properties

JSON STRUCTURE

Barndoor Update Policy Structure

6 properties

JSON STRUCTURE

Barndoor Validate Policy Request Structure

4 properties

JSON STRUCTURE

Barndoor Validate Policy Response Structure

3 properties

JSON STRUCTURE

Example Payloads

Barndoor Agent Example

5 fields

EXAMPLE

Barndoor Error Example

3 fields

EXAMPLE

Barndoor Get Agent Example

1 fields

EXAMPLE

Barndoor Get Policy Example

1 fields

EXAMPLE

Barndoor Get Server Example

1 fields

EXAMPLE

Barndoor List Agents Example

1 fields

EXAMPLE

Barndoor Policy Detail Example

14 fields

EXAMPLE

Barndoor Policy Rule Example

5 fields

EXAMPLE

Resources

🔗
LinkedIn
LinkedIn
🔗
Website
Website
🔗
Documentation
Documentation
🔗
APIReference
APIReference
🔗
OpenAPI
OpenAPI
🔑
Authentication
Authentication
📦
SDKs
SDKs
🌐
Portal
Portal
📝
Signup
Signup
🔗
TokensManagement
TokensManagement
💰
Pricing
Pricing
🔗
Plans
Plans
🔗
RateLimits
RateLimits
🔗
FinOps
FinOps
👥
GitHub
GitHub
🔗
Security
Security
🔗
TrustCenter
TrustCenter
🔗
About
About
🔗
MCPCatalog
MCPCatalog
🔗
IPAllowlist
IPAllowlist
🔗
LogExport
LogExport
🔗
SpectralRules
SpectralRules
🔗
Vocabulary
Vocabulary
🔗
JSONLD
JSONLD
🔗
LlmsText
LlmsText

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Barndoor Platform API
  version: 1.0.0
request:
  auth:
    type: bearer
    token: '{{bearerToken}}'
items:
- info:
    name: Agents
    type: folder
  items:
  - info:
      name: Get Agent Counts
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/agents/counts
    docs: Get counts of agents grouped by type (internal vs external).
  - info:
      name: Get Agent
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/agents/:agent_id
      params:
      - name: agent_id
        value: ''
        type: path
    docs: Get details of a specific agent by ID, including its application directory configuration.
  - info:
      name: Unregister Agent
      type: http
    http:
      method: DELETE
      url: https://{organization_id}.platform.barndoor.ai/api/agents/:agent_id
      params:
      - name: agent_id
        value: ''
        type: path
    docs: "Unregister an agent from Barndoor.\n\nThis removes the agent's registration but does not delete the underlying\
      \ \napplication directory. The agent can be re-registered using the same \napplication_directory_id.\n"
  - info:
      name: List Agents
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/agents
      params:
      - name: search
        value: ''
        type: query
        description: Search applications by name or description
      - name: agent_type
        value: ''
        type: query
        description: Filter by agent type
      - name: page
        value: ''
        type: query
        description: Page number (1-based)
      - name: limit
        value: ''
        type: query
        description: Number of items per page (max 100)
    docs: List registered agents with pagination.
  - info:
      name: Register Agent
      type: http
    http:
      method: POST
      url: https://{organization_id}.platform.barndoor.ai/api/agents
      body:
        type: json
        data: '{}'
    docs: 'Register a new agent with Barndoor.


      Agents represent AI applications that can access MCP servers through Barndoor.

      Each agent must be associated with an application directory (OAuth client configuration).

      '
- info:
    name: Connections
    type: folder
  items:
  - info:
      name: Get Connection Status
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/servers/:server_id/connection
      params:
      - name: server_id
        value: 123e4567-e89b-12d3-a456-426614174000
        type: path
        description: Server UUID
    docs: 'Get the user''s connection status for a specific server.

      Used to poll connection status during OAuth flows.

      '
  - info:
      name: Delete Connection
      type: http
    http:
      method: DELETE
      url: https://{organization_id}.platform.barndoor.ai/api/servers/:server_id/connection
      params:
      - name: server_id
        value: 123e4567-e89b-12d3-a456-426614174000
        type: path
        description: Server UUID
    docs: 'Delete the current user''s connection to this server.


      This will remove the connection record and clean up any stored OAuth credentials.

      The user will need to reconnect to use this server again.

      '
  - info:
      name: Initiate OAuth Connection
      type: http
    http:
      method: POST
      url: https://{organization_id}.platform.barndoor.ai/api/servers/:server_id/connect
      params:
      - name: server_id
        value: 123e4567-e89b-12d3-a456-426614174000
        type: path
        description: Server UUID
      - name: return_url
        value: https://myapp.com/oauth/callback
        type: query
        description: Optional return URL after OAuth completion
      body:
        type: json
        data: '{}'
    docs: 'Initiate OAuth connection flow for a server. Returns an authorization URL

      that the user should visit to complete the OAuth flow.


      The server must have OAuth configuration set up by an admin.

      '
- info:
    name: MCP Proxy
    type: folder
  items:
  - info:
      name: MCP Server Proxy Endpoint
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/mcp/:mcp_server_name
      headers:
      - name: x-mcp-session-id
        value: sess_1234567890abcdef
      params:
      - name: mcp_server_name
        value: salesforce
        type: path
        description: MCP server name identifier
      body:
        type: json
        data: '{}'
    docs: 'Proxies MCP JSON-RPC requests to third-party servers with automatic authentication.


      This endpoint supports both regular HTTP requests and Server-Sent Events (SSE) streaming

      for real-time MCP protocol communication.


      ## Usage


      - **JSON-RPC**: Send MCP protocol requests as JSON

      - **SSE Streaming**: Use `Accept: text/event-stream` for real-time communication

      - **Session Management**: Include `x-mcp-session-id` header for session tracking


      ## Authentication Flow


      1. User must first connect to the s'
  - info:
      name: SSE Server Proxy Endpoint
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/sse/:mcp_server_name
      headers:
      - name: x-mcp-session-id
        value: sess_1234567890abcdef
      params:
      - name: mcp_server_name
        value: salesforce
        type: path
        description: MCP server name identifier
      body:
        type: json
        data: '{}'
    docs: 'Server-Sent Events proxy endpoint for real-time streaming communication with third-party servers.


      This endpoint provides dedicated SSE streaming capabilities separate from the MCP protocol,

      allowing for custom event streaming and real-time data flows.


      ## Usage


      - **SSE Streaming**: Optimized for `text/event-stream` communication

      - **Real-time Events**: Custom event types and data streaming

      - **Session Management**: Include `x-mcp-session-id` header for session tracking


      ## Authentication Flow

      '
- info:
    name: Default
    type: folder
  items:
  - info:
      name: Clone Policy
      type: http
    http:
      method: POST
      url: https://{organization_id}.platform.barndoor.ai/api/v2/policies/:policy_id/clone
      params:
      - name: policy_id
        value: ''
        type: path
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: 'Clone an existing policy, creating a new policy with the same configuration

      but with a modified name (appending " Copy") and DRAFT status.'
  - info:
      name: Publish  Policy
      type: http
    http:
      method: POST
      url: https://{organization_id}.platform.barndoor.ai/api/policy
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: Publish  Policy
  - info:
      name: Disable Restriction
      type: http
    http:
      method: PUT
      url: https://{organization_id}.platform.barndoor.ai/api/policies/restrictions/disable/:restriction_name
      params:
      - name: restriction_name
        value: ''
        type: path
      - name: id
        value: ''
        type: query
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: Disable Restriction
  - info:
      name: Enable Restriction
      type: http
    http:
      method: PUT
      url: https://{organization_id}.platform.barndoor.ai/api/policies/restrictions/enable/:restriction_name
      params:
      - name: restriction_name
        value: ''
        type: path
      - name: id
        value: ''
        type: query
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: Enable Restriction
  - info:
      name: Get Filter Definitions
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/v2/policies/filter-definitions
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: 'Return filter categories for the policies list UI.


      Static filter options for status, plus dynamic filters for

      MCP servers and agents based on the organization''s registry.'
  - info:
      name: Get Policies Summary
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/v2/policies/summary
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: Return summary counts of policies by status.
  - info:
      name: Get Policy
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/v2/policies/:policy_id
      params:
      - name: policy_id
        value: ''
        type: path
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: Get Policy
  - info:
      name: Update Policy
      type: http
    http:
      method: PATCH
      url: https://{organization_id}.platform.barndoor.ai/api/v2/policies/:policy_id
      params:
      - name: policy_id
        value: ''
        type: path
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: Update Policy
  - info:
      name: List Policies
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/v2/policies
      params:
      - name: search
        value: ''
        type: query
        description: Search by policy ID, name, description, or support contact
      - name: status
        value: ''
        type: query
        description: Filter by status values
      - name: mcp_server_id
        value: ''
        type: query
        description: Filter by MCP server IDs
      - name: agent_id
        value: ''
        type: query
        description: Filter by agent/application IDs
      - name: page
        value: ''
        type: query
        description: Page number (1-based)
      - name: limit
        value: ''
        type: query
        description: Number of items per page (max 100)
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: List Policies
  - info:
      name: List Policy Revisions
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/v2/policies/:policy_id/revisions
      params:
      - name: policy_id
        value: ''
        type: path
      - name: changes_summary
        value: ''
        type: query
        description: Include human-readable change descriptions in response
      - name: page
        value: ''
        type: query
        description: Page number (1-based)
      - name: limit
        value: ''
        type: query
        description: Number of items per page (max 100)
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: "List all revisions for a given policy with pagination.\n\nUses the same authorization as get_policy - if a user\
      \ can read a policy,\nthey can view its revision history.\n\nArgs:\n    changes_summary: Include human-readable change\
      \ descriptions in response"
  - info:
      name: Validate Policy
      type: http
    http:
      method: POST
      url: https://{organization_id}.platform.barndoor.ai/api/v2/policies/validate
      body:
        type: json
        data: '{}'
      auth:
        type: bearer
        token: '{{bearerToken}}'
    docs: 'Validate a policy before creation or update.

      Checks for duplicate names and overlapping MCP server/agent combinations.

      When exclude_policy_id is provided (edit mode), that policy is excluded from validation.'
- info:
    name: Servers
    type: folder
  items:
  - info:
      name: List MCP Servers
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/servers
      params:
      - name: page
        value: ''
        type: query
        description: Page number (1-based)
      - name: limit
        value: ''
        type: query
        description: Number of items per page (max 100)
      - name: search
        value: ''
        type: query
        description: Search servers by name or slug
      - name: status
        value: ''
        type: query
        description: Filter by server status
      - name: connection_status
        value: ''
        type: query
        description: Filter by connection status. `not_connected` expands to pending, error, and available.
    docs: 'List all MCP servers available to the caller''s organization.

      Returns paginated results with server details including connection status.

      '
  - info:
      name: Create MCP Server
      type: http
    http:
      method: POST
      url: https://{organization_id}.platform.barndoor.ai/api/servers
      body:
        type: json
        data: '{}'
    docs: 'Create a new MCP server instance from a server directory template.


      The server will be created in `pending` status until OAuth credentials are configured.

      If `client_id` and `client_secret` are provided, the server will be set to `active` status.

      '
  - info:
      name: Get Server Details
      type: http
    http:
      method: GET
      url: https://{organization_id}.platform.barndoor.ai/api/servers/:server_id
      params:
      - name: server_id
        value: 123e4567-e89b-12d3-a456-426614174000
        type: path
        description: Server UUID
    docs: 'Get detailed information about a specific MCP server.

      Returns extended information including MCP URL if available.

      '
  - info:
      name: Update MCP Server
      type: http
    http:
      method: PUT
      url: https://{organization_id}.platform.barndoor.ai/api/servers/:server_id
      params:
      - name: server_id
        value: ''
        type: path
        description: Server UUID
      body:
        type: json
        data: '{}'
    docs: 'Update an existing MCP server''s configuration.


      You can update the name, slug, OAuth credentials, and metadata.

      If updating OAuth credentials, provide the actual values (not obfuscated).

      '
  - info:
      name: Delete MCP Server
      type: http
    http:
      method: DELETE
      url: https://{organization_id}.platform.barndoor.ai/api/servers/:server_id
      params:
      - name: server_id
        value: ''
        type: path
        description: Server UUID
    docs: 'Delete an MCP server and all associated connections.


      This will:

      - Remove all user connections to this server

      - Clean up stored OAuth credentials

      - Delete the server configuration


      For custom server types, this will also delete the associated server directory.

      '
bundled: true