Policy control for MCP servers in Claude Code with Stacklok

Enterprises are facing a common challenge when it comes to MCP server management. Developers are excited to use MCP servers to unlock powerful automation—enabling AI agents to interact with real systems, perform actions, and dramatically speed up workflows. For example, developers can inspect real-time production errors, debug code, and submit a PR fix directly in Claude Code with the help of MCP servers.

For enterprise security teams, however, MCP introduces a familiar and uncomfortable problem: there is no standardized way to manage or monitor which MCP servers are being used.

The MCP governance problem

Today, organizations are forced to choose between two options for deploying MCP servers.

  1. Block MCP usage: Enterprises can prevent security issues by prohibiting all MCP server usage, which will severely limit developer productivity.
  2. Allow unmanaged MCPs: Developers are allowed to copy-paste servers from Slack or GitHub, reuse personal access tokens, and wire up enterprise secrets with little visibility or control, at the risk of violating company security practices.

In the second case, security teams are left asking critical questions they can’t easily answer:

  • What MCP servers are running?
  • What data is flowing through them?
  • Are they secure?

This is the exact gap Stacklok addresses with our Enterprise MCP Platform that brings security and governance to MCP server deployments. With Claude Code Hooks, Stacklok extends governance directly into Claude Code, preventing it from calling any MCP server not hosted by Stacklok.

Claude Code Hooks: Enforcing MCP policies at execution time

Claude Code hooks provide a framework to intervene when Claude Code is executing. While Claude Code has numerous hook events, the Stacklok Claude Code hook uses the `PreToolUse` event with a regex matcher of `mcp__.*`. The `PreToolUse` event fires when an agent tries to make any tool call, whether to an internal Claude tool like Bash or to an external MCP server. The regex matcher narrows those events to tool calls going to external MCP servers. The hook then calls a script that approves or denies the call to the MCP server.

Specifically, when Claude Code tries to make a call to an MCP server, the Stacklok hook script runs and receives the MCP server name, tool name, and tool args. The script returns `allow` if the MCP server is hosted by Stacklok and `deny` if it is not. When a request is denied, the hook returns a human- and agent-friendly explanation so the user understands why the MCP server is not allowed.
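The allow/deny flow described above, as an added example that is not Stacklok's hook code. It assumes a static allowlist of server names (the page does not say how the real hook determines that a server is Stacklok-hosted) and uses Claude Code's `mcp__<server>__<tool>` tool naming and its `PreToolUse` JSON input and output fields; the server names are constructed.

```python
#!/usr/bin/env python3
"""PreToolUse hook: allow MCP tool calls only for allowlisted servers."""
import json
import sys

# Assumption: approved servers are a static set. The page does not describe
# how the Stacklok hook decides that a server is Stacklok-hosted.
APPROVED_SERVERS = {"corp-github", "corp-sentry"}  # constructed names


def parse_mcp_tool(tool_name):
    """Split 'mcp__<server>__<tool>' into (server, tool); None otherwise."""
    if not tool_name.startswith("mcp__"):
        return None
    server, sep, tool = tool_name[len("mcp__"):].partition("__")
    if not server or not sep or not tool:
        return None  # malformed name: the caller fails closed
    return server, tool


def decide(event, approved=APPROVED_SERVERS):
    """Build the hook's JSON decision for one PreToolUse event."""
    name = str(event.get("tool_name", ""))
    parsed = parse_mcp_tool(name)
    if parsed and parsed[0] in approved:
        decision, reason = "allow", f"MCP server '{parsed[0]}' is approved."
    elif parsed:
        decision = "deny"
        reason = (f"MCP server '{parsed[0]}' is not on the approved list. "
                  "Ask your platform team to host it.")
    else:
        decision, reason = "deny", f"Unrecognized MCP tool name '{name}'."
    return {"hookSpecificOutput": {
        "hookEventName": "PreToolUse",
        "permissionDecision": decision,
        "permissionDecisionReason": reason,
    }}


if __name__ == "__main__":
    try:
        event = json.load(sys.stdin)
    except json.JSONDecodeError:
        event = {}  # unparseable input ends up denied by decide()
    if not isinstance(event, dict):
        event = {}
    json.dump(decide(event), sys.stdout)
```

Because the hook is registered with the `mcp__.*` matcher, anything that reaches the script and does not parse as a well-formed MCP tool name is denied rather than passed through.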

Security or platform teams can install the Stacklok Claude Code hook for the entire organization using their existing endpoint management solutions, ensuring consistent configurations and enforcement for all developers using Claude Code.

End-to-end governance and observability

By securely integrating Stacklok-managed MCP servers into Claude Code, enterprises gain full governance and observability capabilities automatically. 

Unlike other MCP hosting gateways that deny or block MCP calls at the tool level, Stacklok takes a different approach. Admins can pre-filter at run-time which tools from an MCP server are enabled before developers even install that MCP server. What this means is Claude Code doesn’t even see the blocked tools in its context. The context is not polluted with disallowed tools and there is no fear of the model calling that tool as it simply doesn’t exist. And with the Stacklok Claude Code hook, admins have complete control of which servers and tools can be used across their company.

Lastly, everything that happens in Stacklok is logged using OpenTelemetry (OTel). Admins can see server downloads, tool usage, and error rates for all MCP servers across their company. With OTel, metrics and logs can be hooked into any enterprise observability stack like Grafana or Splunk. Security teams get the insight they need to ensure security policies are being met.

Why Stacklok is different

Stacklok isn’t just a gateway—and it’s not just a SaaS wrapper. Stacklok is a complete MCP governance stack. You can deploy it in your own infrastructure, audit the code, and maintain full control over your environment without sacrificing developer experience.

And Stacklok is differentiated by our desire to build in the open, with the community. If you’re interested in what Stacklok can do, you can get started today via our open source project, ToolHive. ToolHive offers all the critical platform components described above; we encourage you to explore the project on GitHub and engage with us via our Discord channel.

With Claude Code Hooks, we’ve extended governance all the way into Claude Code. Developers move fast. Security teams stay in control. MCP becomes safe to adopt at scale.

The Stacklok Claude Code Hook is currently available for macOS and Linux systems. Check it out on GitHub.

By: Laurel Orr

February 03, 2026