Getting Started

Get Truvant running in under 5 minutes. By the end, your AI agent extensions will be scanned and policy enforcement will be active.

Why this matters: OWASP LLM06:2025 — Excessive Agency Without Truvant, every MCP server your AI agents connect to has unrestricted access to execute shell commands, read files, make network requests, and invoke tools on your behalf. OWASP identifies this as Excessive Agency — and it is the top source of AI agent security incidents. Truvant enforces least-privilege at the command and tool-call level so your agents can only do what your policy explicitly allows.

Quick Start

1

Install the CLI

curl -fsSL https://truvant.ai/install.sh | sh

The installer downloads the correct binary for your platform and places it in ~/.local/bin. Supports Linux and macOS on amd64 and arm64.

Verify the install:

mcpctl version
2

Scan your AI agent extensions

# Discover and scan all locally configured MCP servers
mcpctl scan

# Scan a specific package before installing
mcpctl scan @anthropic/mcp-server-filesystem

mcpctl scan discovers MCP servers in Claude Code, Claude Desktop, and project-level configs. Each artifact is checked for vulnerabilities, hardcoded secrets, risky tool schemas, and supply-chain issues. Results are displayed in the terminal and stored locally.

3

Authenticate

mcpctl login

Authentication is optional for local scanning but required for trust scoring, policy enforcement, and dashboard access. Sign in to start your free 30-day trial.

You will be presented with four options:

  1. Google — Free 30-day trial, device code flow
  2. Microsoft Entra ID — Free 30-day trial, device code flow
  3. Enterprise SSO — Connect your organization's OIDC provider
  4. Register — Join an existing organization via invite code

For full identity provider setup including Okta, Auth0, and Keycloak, see Integration → Identity Providers.

4

Install the enforcement agent

# Install as a background service (auto-starts on login)
mcpctl install

# Verify the agent is running
mcpctl status

The agent runs in the background, enforcing your organization's command policies on every MCP tool invocation and shell command. Policies are managed from the Trust Dashboard and sync automatically.

You're set. Your AI agents are now scanned, policy-enforced, and continuously monitored. View results and manage policies at trust.truvant.ai.

Installation

System Requirements

OSArchitectureStatus
Linuxamd64Supported
Linuxarm64Supported
macOSApple Silicon (arm64)Supported
macOSIntel (amd64)Supported

Install via curl

curl -fsSL https://truvant.ai/install.sh | sh

Custom install directory

INSTALL_DIR=/usr/local/bin curl -fsSL https://truvant.ai/install.sh | sh

Direct download

Download binaries directly from truvant.ai/releases. Binaries are available for all supported platforms.

Post-install PATH setup

If ~/.local/bin is not already in your PATH:

# Add to ~/.bashrc or ~/.zshrc
export PATH="$PATH:$HOME/.local/bin"

Then reload your shell or open a new terminal window.

Updating

# Upgrade mcpctl to the latest release
mcpctl upgrade

Authentication

Authentication is optional for local scanning but required for policy enforcement, trust scoring, and dashboard access.

Login

# Interactive login — opens a browser window for device code flow
mcpctl login

Choose your identity provider:

  1. Google — Free 30-day trial. Uses Google device code flow; no password stored locally.
  2. Microsoft Entra ID — Free 30-day trial. Uses Microsoft device code flow.
  3. Enterprise SSO — Connect your organization's OIDC provider. Requires your issuer URL and client ID. See Integration → Identity Providers for full setup.
  4. Register — Join an existing organization using an invite code from your admin.

Logout

# Remove stored credentials
mcpctl logout

# Also clear cached org config (requires re-registration on next login)
mcpctl logout --reset