Thinkwatch

v1.0.0Monitoring & Observabilitystable

Enterprise AI bastion host for secure AI API and MCP access, with unified proxying, RBAC, audit logs, rate limiting, and cost tracking across OpenAI, Anthropic, Gemini, and self-hosted LLMs.

aiai-gatewayai-securityai-toolsmcp
Share:
967
Stars
0
Downloads
0
Weekly
0/5

What is Thinkwatch?

Thinkwatch is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to enterprise ai bastion host for secure ai api and mcp access, with unified proxying, rbac, audit logs, rate limiting, and cost tracking across openai, anthropic, gemini, and self-hosted llms.

Enterprise AI bastion host for secure AI API and MCP access, with unified proxying, RBAC, audit logs, rate limiting, and cost tracking across OpenAI, Anthropic, Gemini, and self-hosted LLMs.

This server falls under the Monitoring & Observability category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Enterprise AI bastion host for secure AI API and MCP access,

Use Cases

Enterprise AI API gateway with RBAC
Cost tracking and rate limiting for LLM access
LicenseNOASSERTION
Languagerust
Versionv1.0.0
UpdatedMay 22, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx thinkwatch

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Thinkwatch

ThinkWatch is an enterprise AI bastion host that acts as a unified gateway for all AI API and MCP traffic, providing RBAC, audit logs, rate limiting, cost tracking, and PII redaction in a single self-hosted service. It proxies requests to OpenAI, Anthropic, Gemini, and self-hosted LLMs through an OpenAI-compatible endpoint while enforcing per-user and per-key policies configured through a web console. Organizations deploy it to gain full visibility and governance over how teams consume AI services, prevent runaway costs, and satisfy compliance requirements for AI usage.

Prerequisites

  • Docker and Docker Compose for infrastructure services (PostgreSQL, Redis, ClickHouse)
  • Node.js and pnpm 10+ for building the frontend
  • make utility for running the provided Makefile commands
  • An MCP client such as Claude Desktop or Cursor
  • API keys for the AI providers you want to proxy (OpenAI, Anthropic, etc.)
1

Start infrastructure services

Spin up the required PostgreSQL, Redis, and ClickHouse containers using the provided Makefile target.

make infra
2

Generate environment secrets

Create the .env file from the template. This sets JWT_SECRET (minimum 32 chars), database credentials, and provider API keys.

make dev-secrets
3

Launch the backend gateway and console

Start the AI gateway on port 3000 and the management console API on port 3001.

make dev-backend
4

Start the frontend dev server

Install frontend dependencies and start the web UI for managing users, API keys, rate limits, and audit logs.

cd web && pnpm install && pnpm dev
5

Complete initial setup wizard

Open the setup wizard in your browser to configure your first admin account, provider connections, and initial RBAC policies.

open http://localhost:5173/setup
6

Generate a virtual API key and configure your MCP client

In Admin > API Keys, create a virtual key scoped to the surfaces you need (AI, MCP). Use this key in your MCP client configuration instead of provider keys directly.

Thinkwatch Examples

Client configuration for ThinkWatch MCP gateway

Configure Claude Desktop to route MCP traffic through ThinkWatch's unified gateway using a virtual API key.

{
  "mcpServers": {
    "thinkwatch-gateway": {
      "command": "npx",
      "args": ["thinkwatch"],
      "env": {
        "THINKWATCH_GATEWAY_URL": "http://localhost:3000",
        "THINKWATCH_API_KEY": "tw-your-virtual-key-here"
      }
    }
  }
}

Prompts to try

Example administrative and usage prompts for ThinkWatch.

- "Show me the total token usage and cost breakdown by user for this month"
- "Create a rate limiting rule: developers get 60 requests/minute and 1M tokens/day"
- "List all audit log entries where PII redaction was triggered in the last 24 hours"
- "Which AI provider has the lowest latency for chat completions in our setup?"
- "Show me all API keys that have exceeded 80% of their monthly budget cap"

Troubleshooting Thinkwatch

JWT_SECRET validation fails at startup

ThinkWatch requires JWT_SECRET to be at least 32 characters with sufficient entropy. Generate one with: openssl rand -base64 32

Rate limiting is not applied and all requests pass through

Check that Redis is running and reachable. ThinkWatch defaults to fail-open when Redis is unavailable. Set security.rate_limit_fail_closed=true in settings to reject traffic instead.

MCP tool authorization shows 'requires authorization' for all tools

Each MCP surface requires the virtual API key to have MCP listed in its 'surfaces' allowlist. Update the key in Admin > API Keys and re-authenticate upstream connections via /connections.

Frequently Asked Questions about Thinkwatch

What is Thinkwatch?

Thinkwatch is a Model Context Protocol (MCP) server that enterprise ai bastion host for secure ai api and mcp access, with unified proxying, rbac, audit logs, rate limiting, and cost tracking across openai, anthropic, gemini, and self-hosted llms. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Thinkwatch?

Follow the installation instructions on the Thinkwatch GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Thinkwatch?

Thinkwatch works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Thinkwatch free to use?

Yes, Thinkwatch is open source and available under the NOASSERTION license. You can use it freely in both personal and commercial projects.

Browse More Monitoring & Observability MCP Servers

Explore all monitoring & observability servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "thinkwatch": { "command": "npx", "args": ["-y", "thinkwatch"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Thinkwatch?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides