Skip to main content

Documentation Index

Fetch the complete documentation index at: https://qwady.wiki/llms.txt

Use this file to discover all available pages before exploring further.

The live ThornGuard dashboard is hosted at thorns.qwady.io. The public landing page remains on thorns.qwady.app, while legacy dashboard paths on .app should hand off to .io.

Authentication

Log in with your ThornGuard license key. On first use, ThornGuard creates or reuses a browser activation for that same Polar key and stores the activation locally in the browser.

Current UI Surface

Today, the dashboard exposes four main areas:
  • Dashboard: telemetry, signal breakdown, and audit logs
  • License: core license-wide settings and audit export/purge controls
  • Platform: saved protected connection inventory, webhook integrations, policies, tool inventory, approval controls, and custom redaction rules
  • Activations: live activation inventory, current browser status, and deactivation controls
Platform sections are feature-flagged and permission-gated. The Activations page is available to all license tiers because both Individual and Enterprise plans use the same Polar-backed activation model. License-key logins are owner-scoped; narrower roles only appear in deployments that layer SSO or JWT-based auth on top.

Dashboard Page

The main dashboard page shows live audit activity and operator signal for your MCP traffic. The summary cards, chart, top-target list, and recent-event card all follow the selected chart range.

Stat Cards

Five summary cards at the top of the dashboard:
  • Audit Events — total number of audit log events in the selected range
  • Risk Signals — blocked, audited, redacted, tool-integrity, anomaly, and upstream-error events in the selected range
  • Proxy Success — successful proxied request events (PROXY_SUCCESS) in the selected range
  • SSE Streams — number of SSE stream connections established in the selected range
  • Avg Response Time — average proxy response time in milliseconds for events that recorded timing data

Activity Volume Chart

An area chart showing audit-event volume over time with configurable ranges: 1 Day, 7 Days, 30 Days, or 90 Days.

Signal Breakdown

A categorized breakdown of high-signal operator events, including blocks, policy matches, redaction events, tool-integrity findings, anomalies, and upstream errors:
  • Malicious Commands
  • Transport & SSRF
  • Rate Limited
  • Auth Failures
  • Policies & Approvals
  • Redaction & Custom Rules

Top MCP Targets

Lists the most-requested upstream MCP server URLs within the selected range.

Recent High-Signal Event

Shows the most recent high-signal event in the selected range with action type, target, method, and timestamp.

Log Table

A filterable, paginated table of all audit log entries with:
  • Filters: Action type, date range (1h / 24h / 7d / 30d), and free-text search
  • Columns: Time (UTC), Target MCP, RPC Method, Action, Details
  • Detail Panel: Click any row to expand a detail panel showing the full event payload returned by the API
  • Pagination: 50 results per page with page navigation

Real-Time Updates

The dashboard polls for new data every 10 seconds automatically. Polling pauses when a log detail panel is open to prevent UI disruption.

License Page

The License page currently exposes the account controls available in the live UI:
  • IP Whitelist (Enterprise) — restrict access to specific client IPs. See IP Whitelisting.
  • Custom Domain Blocklist (Enterprise) — block specific upstream domains. See Custom Blocklists.
  • Custom Command Patterns (Enterprise) — block specific command patterns.
  • Data Retention — configure how long audit logs are kept.
  • Export — download your audit trail as CSV or JSON.
  • Danger Zone — permanently delete all audit logs (GDPR compliance).

Platform Page

The Platform page is the control surface for newer ThornGuard backend features:
  • Protected Connections — view the saved MCP connections ThornGuard knows about for advisory management. These records are separate from activation seats and store non-secret metadata such as target URL, transport, vendor, and advisory-refresh status.
  • Structured Policies — create, edit, disable, and delete customer rules over methods, domains, JSON selectors, content patterns, and tool-risk context.
  • Outbound Integrations — create and manage webhook, Slack, Teams, Datadog, Splunk HEC, and S3 endpoints from the dashboard. Queue test deliveries and inspect recent delivery status. Events are formatted using OCSF v1.3.0.
  • Tool Inventory — view observed upstream tools, metadata hints, risk scores, and last-seen timestamps.
  • Approval Profiles — define when risky or policy-matched tools/call requests require explicit approval.
  • Approval Queue — inspect pending approval requests and approve or deny them directly from the UI.
  • Custom Redaction Rules — add enterprise regex rules in audit or redact mode on top of ThornGuard’s built-in PII detection.

Activations Page

The Activations page shows the live activation inventory for the current license:
  • current seat usage derived from the active activation inventory and the Polar limit
  • the current browser activation
  • active browser / CLI / device instances
  • deactivation controls for stale instances
The Platform page is separate: it tracks saved protected connections and advisory metadata, not licensed client seats.

API response schemas

For engineers aligning the dashboard client with the Worker, JSON Schemas for common GET /api/* responses are generated in the ThornGuard repository (packages/proxy/contracts/dashboard-api/, built from dashboard-contracts.ts). Regenerate after server shape changes with npm run export:contracts --workspace=packages/proxy.