Middle Layer Architecture
Welcome to the Barndoor free trial! Let's make AI workflows actually run safely with context-aware tool routing, action-level policies, and observability. In the free trial, you will:

Centralize AI + MCP Connections

Connect and manage AI apps, including VSCode, Claude, ChatGPT, and others, along with MCP servers as they interact with real systems.

Control AI Actions at Runtime

Define exactly which tools AI can use across create, read, update, or delete — enforced in real workflows.

Improve Execution with Context-Aware Tool Routing

Limit available MCP tools per action to reduce failures and improve debuggability.

See AI Activities End-to-End

Watch AI actions run across systems and review outcomes, decisions, and logs in one place.

Estimated Time: 15-20 minutes

Prerequisites

Before you begin, ensure you have:
  • Admin Access to your Barndoor Trial account. Click here if you have not signed up yet.
  • Admin credentials for the MCP server you want to connect
  • An AI client application or API key ready for testing

Labs

Summary

To realize full productivity potential, AI needs to take actions in real systems like Salesforce, Jira, GitHub, etc. Barndoor is the control plane for access control between AI and these systems. Once set up, Barndoor enforces fine-grained access controls to the MCP servers of your connected systems.
Add MCP Server

What You’ll Learn

In this lab, you’ll discover how to register and connect the Barndoor Gateway to an MCP server. Once connected, that server becomes available to your agents.

Let’s Get Started

To evaluate how Barndoor works, first add and connect an MCP server.
You can connect multiple MCP servers. Start with one to understand the process, then add more as needed.

Summary

The Access Control Center is where you define policies for how AI agents and users can interact with connected systems.
  • Create policies that apply to specific agents, user roles and groups, or across your environment.
  • Choose which MCP tools are available or add sophisticated fine-grained access controls.
  • Deeper role, group, or user attribute based policies are available once you’ve integrated Barndoor with your identity provider system.
Configure Policy

What You’ll Learn

In this lab, you’ll create your first access policy that controls what AI agents can (and cannot) do with your MCP servers. You’ll learn how to set up guardrails that keep AI secure while maintaining productivity.
⚠️ Important: You must first connect to an MCP server before you can set up policies. If you haven’t completed Step 1, go back and add a server first.

Let’s Get Started

Follow these steps to create your first access control policy:
1

Open Access Control Center

Click Access Control Center to begin configuring policies.
2

Select Agent and Server

  1. Under the ‘AI Agents’ column, choose ‘Any Agent’
  2. Under the ‘Connected Servers’ middle column, select Notion or your preferred server to configure agent permissions
3

Enable MCP Tools

Notice all your MCP tools are loaded under the ‘Actions’ tab. Turn on only the MCP tools you want Barndoor to allow through. This controls which tools are available for the agent to use.
4

Add Access Restrictions

Now that we’ve enabled certain tools, let’s add RBAC/ABAC access control policies. Click the ‘Restrictions’ tab to configure a policy.
5

Create A Policy

We have a bunch of pre-built policies in our MCP Server marketplace you can reuse. For now, click ‘Add Restriction’ and set up a basic user policy:
  1. Name the restriction: Give it a descriptive name like “disallow_email”
  2. Choose Action: Select ‘All Actions’ (synonymous with all MCP tools)
  3. Set Match: Choose ‘Any’
  4. Add Condition: Select a User restriction type that checks if the Email is not equal to yours
Optional: If you’ve set up a Notion MCP server, check out this policy that disallows page updates and comments to a specific Notion page. Please note: deeper role, group, or user attribute based policies are available once you’ve integrated Barndoor with your identity provider system.
6

Review JSON Configuration

Here’s how the JSON should look:
    {
      "name": "disallow_other_emails",
      "effect": "EFFECT_DENY",
      "actions": ["*"],
      "roles": ["*"],
      "condition": {
        "match": {
          "all": {
            "of": [
              {
                "expr": "P.attr.email != \"[email protected]\""
              }
            ]
          }
        }
      }
    }
💡 What this does: Denies all actions (*) for users whose email doesn’t match yours—a basic example of user-level access control. Be sure to change the sample to match your email used during the Barndoor authorization process in step 3.
Extra Credit: Check out our Policies API and deeper details on how our policies are constructed.
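A pre-flight check for the caveat above (the sample email must be changed to your own), shown as an added example that is not Barndoor's code. The names `lint_restriction` and `iter_exprs` are hypothetical, the addresses are constructed, and the check assumes only the single `P.attr.email` expression form shown in the JSON, compared as an exact string.

```python
import json
import re

# Matches the one expression form used above: P.attr.email != "someone@example.com"
EMAIL_EXPR = re.compile(r'^\s*P\.attr\.email\s*(!=|==)\s*"([^"]*)"\s*$')

def iter_exprs(node):
    """Yield every "expr" string nested under a condition's match tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "expr" and isinstance(value, str):
                yield value
            else:
                yield from iter_exprs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_exprs(item)

def lint_restriction(policy_json, owner_email):
    """Return findings for a deny-all restriction; an empty list means OK."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("effect") != "EFFECT_DENY" or "*" not in policy.get("actions", []):
        return findings  # only deny-all rules can lock the owner out
    exprs = list(iter_exprs(policy.get("condition", {})))
    if not exprs:
        findings.append("deny-all rule has no condition: it blocks every user")
    for expr in exprs:
        m = EMAIL_EXPR.match(expr)
        if not m:
            findings.append(f"unrecognised expression, review by hand: {expr}")
        elif m.group(1) == "!=" and m.group(2) != owner_email:
            findings.append(f'"{m.group(2)}" is not {owner_email}: owner would be denied')
        elif m.group(1) == "==" and m.group(2) == owner_email:
            findings.append(f"rule denies {owner_email} itself")
    return findings

# Constructed sample: same shape as the policy above, with a made-up address.
SAMPLE = json.dumps({
    "name": "disallow_other_emails", "effect": "EFFECT_DENY",
    "actions": ["*"], "roles": ["*"],
    "condition": {"match": {"all": {"of": [
        {"expr": 'P.attr.email != "sample@example.com"'}]}}},
})

if __name__ == "__main__":
    for finding in lint_restriction(SAMPLE, "owner@example.com"):
        print("WARN:", finding)
```

Run it against the JSON you are about to save, passing the email you used during Barndoor authorization as `owner_email`.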

Summary

When you connect an account, Barndoor uses OAuth 2.0 to perform a secure handshake on behalf of the user with the provider. After you log in, the provider (e.g., Salesforce) sends Barndoor an access token. Barndoor securely stores this JWT token and uses it whenever an MCP server tool call needs to act on your behalf — for example, retrieving Salesforce data or updating records. The JWT token will live for 60 minutes and can always be refreshed. Tokens can be revoked at any time through your provider’s account settings or through our API/SDK.

What You’ll Learn

In this lab, you’ll learn how to create and configure user accounts that will interact with your MCP servers through Barndoor’s access control policies.

Let’s Get Started

Choose your own destiny:
  • Follow the buttons below to access the Barndoor account management interface
  • Check out our extensive documentation on account configuration
OR:

Summary

Connect your preferred AI chat client (Claude, ChatGPT, Cursor, VS Code) to Barndoor so AI agents can interact with your MCP servers through governed access controls. For a comprehensive walkthrough, see here
Authorize Barndoor

What You’ll Learn

In this lab, you’ll configure an AI client to connect to Barndoor’s MCP gateway. Once connected, the AI will be able to use your MCP tools while respecting the policies you’ve configured.

Let’s Get Started

Choose your AI client below and follow the connection steps. Most clients can be connected in under 5 minutes.
What you need:
  • Active Claude account (Pro or Team plan)
  • Your Barndoor MCP URL: https://{{your-org}}.mcp.barndoor.ai/mcp/{{servername}}. To locate this, simply view the details for any of your configured servers here
Quick Steps:
  1. Open Claude → Settings → Connectors tab
  2. Click “Add custom connector”
  3. Enter your Barndoor MCP URL
  4. Click Connect to authorize
📚 Detailed Claude guide
Connection Issues? Verify your Barndoor URL is correct and that you’ve completed Steps 1-3 (MCP server connected, policies configured, account created).

Summary

Use the Audit Center to monitor overall behavior and spot unusual patterns, or dive into Audit History for detailed, event-by-event records. Track who accessed what, when it happened, and whether policies allowed or blocked the action.
Audit History Center

What You’ll Learn

In this lab, you’ll learn how to access Barndoor’s audit logs to review AI interactions with your MCP servers. You’ll see:
  • Who & what: User, agent, or service activity
  • When & where: Time and affected system
  • Outcome: Policy decision result and full activity trace log

Let’s Get Started

1

Navigate to Audit History Center

Click here to begin
2

Open Filters Panel

Click the Filters button (or filter icon) in the Audit History interface.
3

Navigate to Server Filter

In the filters modal, click on Server to expand the server source options.
4

Select Your Server(s)

Choose one or more servers from the list (e.g., Notion). You can use Select all or None to quickly manage selections.
5

Apply Filters

Click the Apply button at the bottom to filter the audit logs. The interface will show “X filters selected” and display only events related to your chosen server(s).
6

Review Filtered Results

Now you’ll see only the audit events for your selected server(s), making it easy to:
  • View audit logs for specific servers, agents, etc.
  • Investigate issues with a particular MCP server by clicking into the traceId to see a full stacktrace
  • Monitor your inbound MCP calls across all users/agents/servers

Additional Filter Options

Beyond Server, you can also filter by:
  • Agent type: Which AI agent made the request
  • Event Type: Type of action attempted
  • Resource: Specific data or endpoint accessed
  • Status: Allowed, denied, or blocked actions
  • User: Individual user or service account
Combine multiple filters to drill down into exactly the activity you need to review!
Pro tip: Use the search bar within filters to quickly find specific servers or resources. Clear all filters with the Clear button to start fresh.

Summary

Collaborate with your team by inviting members to your Barndoor tenant. Team members can help manage MCP servers, configure policies, and monitor AI activity across your organization. Non-admin users will be able to log in to the Barndoor dashboard and manage their connected accounts.
Users

What You’ll Learn

In this lab, you’ll learn how to invite colleagues to your Barndoor workspace. Once invited, they’ll receive an email to join your tenant and can be assigned specific roles and permissions.

Let’s Get Started

1

Navigate to Users Page

Go to the Users section in your Barndoor dashboard. You’ll see:
  • Total number of active users in your tenant
  • Monitored actions over the last 30 days
  • A list of current team members
2

Click Invite Team Members

In the top right corner, click the Invite Team Members button. A modal will appear titled “Invite Team Members” with a form for adding invitees.
3

Fill Out Invitee Information

For each team member you want to invite, enter:
  • First name: Their first name
  • Last name: Their last name
  • Email: Their work email (e.g., [email protected])
💡 Tip: The form has placeholder text showing the expected format.
4

Add Multiple Team Members (Optional)

Need to invite more people? Click + Add another team member to add additional rows to the form. You can invite multiple colleagues in one batch—just keep adding rows as needed.
5

Remove Invitees (Optional)

Made a mistake? Click the trash icon (🗑️) next to any row to remove that invitee from the list.
6

Send Invitations

Once you’ve filled out all the information, click the Send Invites button at the bottom right of the modal. Success! Your team members will receive email invitations to join your Barndoor tenant.
7

Monitor Invitation Status

After sending invites, you’ll return to the Users page where you can:
  • See pending invitations
  • Track which team members have accepted
  • Resend invitations if needed
  • Manage user roles once they’ve joined
  • Promote a team member to Admin
What happens next? Invited team members will receive an email with a link to create their account and join your Barndoor workspace.
Security best practice: Only promote trusted team members who need access to manage AI governance. AI Client consumers should be invited as users.

Next Steps

Congratulations! You’ve successfully completed the Barndoor Trial setup. Here’s what you can explore next:

Troubleshooting

Common causes:
  • Incorrect server URL or credentials
  • Firewall blocking Barndoor’s IP addresses
  • OAuth token expired
Solution: Verify your credentials and check network connectivity. Contact your MCP server administrator if issues persist.
Common causes:
  • Policy not assigned to the account
  • Policy priority conflicts with another policy
  • Cache delay (policies can take 30-60 seconds to propagate)
Solution: Verify policy assignment and wait a minute before testing. Check for conflicting policies.
What this means: The authentication to this service wasn’t completed successfully.
Common causes:
  • Authentication process was interrupted or not completed
  • Invalid or expired credentials were provided
  • Service connection permissions weren’t granted
Solution: Return to the server setup and complete the authentication process. Ensure you grant all necessary permissions when prompted.
Common causes:
  • Invalid or expired API key
  • Incorrect API endpoint
  • Missing authentication headers
Solution: Navigate to your Barndoor account settings >> disconnect >> and reauthorize Barndoor on behalf of your user account.
Common causes:
  • Time zone mismatch in date filter
  • Requests not reaching Barndoor (direct server access)
  • Log retention period expired
Solution: Adjust date filters and ensure all requests go through Barndoor’s proxy.

Need Help?