https://thorns.qwady.app.
Hosts
https://thorns.qwady.app/mcp— public MCP proxy endpointhttps://thorns.qwady.app/api/*— management and telemetry APIhttps://thorns.qwady.io— live dashboard
Default Authentication
The default auth path remains:- License keys:
THORN-... - Enterprise team tokens:
THORN-TEAM-...
x-thornguard-license: Bearer THORN-...
Authorization: Bearer THORN-...
OAuth / JWT Interoperability
ThornGuard also supports additive OAuth-style bearer authentication for HTTP clients when that deployment enables it. Protected Resource Metadata is served from:/.well-known/oauth-protected-resource/.well-known/oauth-protected-resource/mcp
License keys and team tokens remain the default documented path. OAuth/JWT is
additive and deployment-configured.
Correlation Headers
ThornGuard returns these headers on successful proxied responses and ThornGuard-generated error responses:x-thornguard-log-idx-thornguard-trace-id
Management API Surface
Core routes:GET /api/logsGET /api/logs/exportGET /api/statsGET /api/settingsPUT /api/settingsGET /api/teamPOST /api/teamPATCH /api/team/:idDELETE /api/team/:id
GET /api/policiesPOST /api/policiesPATCH /api/policies/:idDELETE /api/policies/:idGET /api/integrationsPOST /api/integrationsPATCH /api/integrations/:idDELETE /api/integrations/:idPOST /api/integrations/:id/testGET /api/integrations/:id/deliveriesGET /api/toolsGET /api/approval-profilesPOST /api/approval-profilesPATCH /api/approval-profiles/:idDELETE /api/approval-profiles/:idGET /api/approval-requestsPOST /api/approval-requests/:id/approvePOST /api/approval-requests/:id/denyGET /api/redaction-rulesPOST /api/redaction-rulesPATCH /api/redaction-rules/:idDELETE /api/redaction-rules/:id
Upstream Credentials
If your upstream MCP server needs its own bearer token, pass it separately:x-upstream-auth: Bearer ...
Authorization header and does not forward your ThornGuard credential upstream.