Thinkwatch
Enterprise AI bastion host for secure AI API and MCP access, with unified proxying, RBAC, audit logs, rate limiting, and cost tracking across OpenAI, Anthropic, Gemini, and self-hosted LLMs.
What is Thinkwatch?
Thinkwatch is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to enterprise ai bastion host for secure ai api and mcp access, with unified proxying, rbac, audit logs, rate limiting, and cost tracking across openai, anthropic, gemini, and self-hosted llms.
Enterprise AI bastion host for secure AI API and MCP access, with unified proxying, RBAC, audit logs, rate limiting, and cost tracking across OpenAI, Anthropic, Gemini, and self-hosted LLMs.
This server falls under the Monitoring & Observability category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Enterprise AI bastion host for secure AI API and MCP access,
Use Cases
Maintainer
Works with
Installation
Manual Installation
npx thinkwatchConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use Thinkwatch
ThinkWatch is an enterprise AI bastion host that acts as a unified gateway for all AI API and MCP traffic, providing RBAC, audit logs, rate limiting, cost tracking, and PII redaction in a single self-hosted service. It proxies requests to OpenAI, Anthropic, Gemini, and self-hosted LLMs through an OpenAI-compatible endpoint while enforcing per-user and per-key policies configured through a web console. Organizations deploy it to gain full visibility and governance over how teams consume AI services, prevent runaway costs, and satisfy compliance requirements for AI usage.
Prerequisites
- Docker and Docker Compose for infrastructure services (PostgreSQL, Redis, ClickHouse)
- Node.js and pnpm 10+ for building the frontend
- make utility for running the provided Makefile commands
- An MCP client such as Claude Desktop or Cursor
- API keys for the AI providers you want to proxy (OpenAI, Anthropic, etc.)
Start infrastructure services
Spin up the required PostgreSQL, Redis, and ClickHouse containers using the provided Makefile target.
make infraGenerate environment secrets
Create the .env file from the template. This sets JWT_SECRET (minimum 32 chars), database credentials, and provider API keys.
make dev-secretsLaunch the backend gateway and console
Start the AI gateway on port 3000 and the management console API on port 3001.
make dev-backendStart the frontend dev server
Install frontend dependencies and start the web UI for managing users, API keys, rate limits, and audit logs.
cd web && pnpm install && pnpm devComplete initial setup wizard
Open the setup wizard in your browser to configure your first admin account, provider connections, and initial RBAC policies.
open http://localhost:5173/setupGenerate a virtual API key and configure your MCP client
In Admin > API Keys, create a virtual key scoped to the surfaces you need (AI, MCP). Use this key in your MCP client configuration instead of provider keys directly.
Thinkwatch Examples
Client configuration for ThinkWatch MCP gateway
Configure Claude Desktop to route MCP traffic through ThinkWatch's unified gateway using a virtual API key.
{
"mcpServers": {
"thinkwatch-gateway": {
"command": "npx",
"args": ["thinkwatch"],
"env": {
"THINKWATCH_GATEWAY_URL": "http://localhost:3000",
"THINKWATCH_API_KEY": "tw-your-virtual-key-here"
}
}
}
}Prompts to try
Example administrative and usage prompts for ThinkWatch.
- "Show me the total token usage and cost breakdown by user for this month"
- "Create a rate limiting rule: developers get 60 requests/minute and 1M tokens/day"
- "List all audit log entries where PII redaction was triggered in the last 24 hours"
- "Which AI provider has the lowest latency for chat completions in our setup?"
- "Show me all API keys that have exceeded 80% of their monthly budget cap"Troubleshooting Thinkwatch
JWT_SECRET validation fails at startup
ThinkWatch requires JWT_SECRET to be at least 32 characters with sufficient entropy. Generate one with: openssl rand -base64 32
Rate limiting is not applied and all requests pass through
Check that Redis is running and reachable. ThinkWatch defaults to fail-open when Redis is unavailable. Set security.rate_limit_fail_closed=true in settings to reject traffic instead.
MCP tool authorization shows 'requires authorization' for all tools
Each MCP surface requires the virtual API key to have MCP listed in its 'surfaces' allowlist. Update the key in Admin > API Keys and re-authenticate upstream connections via /connections.
Frequently Asked Questions about Thinkwatch
What is Thinkwatch?
Thinkwatch is a Model Context Protocol (MCP) server that enterprise ai bastion host for secure ai api and mcp access, with unified proxying, rbac, audit logs, rate limiting, and cost tracking across openai, anthropic, gemini, and self-hosted llms. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Thinkwatch?
Follow the installation instructions on the Thinkwatch GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Thinkwatch?
Thinkwatch works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Thinkwatch free to use?
Yes, Thinkwatch is open source and available under the NOASSERTION license. You can use it freely in both personal and commercial projects.
Thinkwatch Alternatives — Similar Monitoring & Observability Servers
Looking for alternatives to Thinkwatch? Here are other popular monitoring & observability servers you can use with Claude, Cursor, and VS Code.
Netdata
★ 78.9kReal-time infrastructure monitoring with metrics, logs, alerts, and ML-based anomaly detection.
Kubeshark
★ 11.9keBPF-powered network observability for Kubernetes. Indexes L4/L7 traffic with full K8s context, decrypts TLS without keys. Queryable by AI agents via MCP and humans via dashboard.
Mission Control
★ 4.9kSelf-hosted AI agent orchestration platform: dispatch tasks, run multi-agent workflows, monitor spend, and govern operations from one mission control dashboard.
Grafana
★ 3.0kThis MCP server enables natural-language querying of Grafana logs by automatically detecting log sources and service labels. It provides read-only access to log data with intelligent caching for efficient repeat queries.
Sentrux
★ 2.4kReal-time architectural sensor that helps AI agents close the feedback loop, enabling recursive self-improvement of code quality. Pure Rust.
OpenInference
★ 986OpenTelemetry Instrumentation for AI Observability
Browse More Monitoring & Observability MCP Servers
Explore all monitoring & observability servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up Thinkwatch in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use Thinkwatch?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.