Cordon adds audit logging and policies to n8n MCP tool calls
Marco Arras built Cordon, an open-source MCP gateway that sits between n8n's MCP Client Tool node and any upstream MCP server to log every tool call and enforce block or approval policies.
Cordon fills the observability gap in n8n's MCP tool execution by providing a full audit trail and human-in-the-loop approval controls that n8n's native execution log does not offer.
Marco Arras describes a visibility gap in n8n workflows that use MCP tools: the execution log records only that the MCP Client Tool node succeeded, with no detail about what arguments the agent passed or what the tool returned. If an agent loops, calls an unexpected tool, or sends unapproved arguments, there is no record. Cordon is his open-source (MIT) MCP gateway designed to close that gap. It spawns the upstream MCP server as a child process, listens on `http://127.0.0.1:7777/mcp` via HTTP Streamable transport, and emits a line of audit JSON to stderr for every tool call — capturing the tool name, arguments, call ID, timestamp, and `durationMs`. Because n8n's MCP Client Tool node accepts a URL and a bearer token, and Cordon's HTTP transport exposes exactly that interface, the integration is a one-field change: point the node at Cordon, set authentication to Bearer, and paste in the `CORDON_GATEWAY_TOKEN`.
Configuration is handled through a `cordon.config.ts` file. The gateway section sets the transport, port, and auth token; the audit section can direct output to `stdout` or to a hosted dashboard (accessible via `cordon login`) that provides a sortable, exportable browser table. Cordon also supports per-tool policies: a tool can be set to `allow`, `block` (with a stated reason), or `approve`, where `approve` pauses execution and waits for a human confirmation via Slack or terminal before the call fires. The article notes a Docker networking consideration — if n8n runs in Docker and Cordon runs outside it, `127.0.0.1` must be replaced with the host IP or Cordon must be placed in the same Docker network. Installation is via `npm install -g @getcordon/cli`.
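The per-call audit lines described above can be reviewed offline for the two cases the summary names, an agent looping and an agent calling an unexpected tool. The JavaScript below is an added example, not Cordon's code: the stderr sample is constructed, and apart from `durationMs` the field names (`tool`, `args`, `callId`, `timestamp`), the tool names and the `reviewAudit` options are assumptions.

```javascript
// Constructed sample of gateway stderr: audit JSON lines mixed with other log text.
// Only `durationMs` is a field name from the article; `tool`, `args`, `callId`
// and `timestamp` are assumed names for the other fields it lists.
const rec = (callId, tool, sec, durationMs) => JSON.stringify({
  tool, args: { q: 'invoice 1042' }, callId,
  timestamp: `2026-06-09T17:00:${sec}.000Z`, durationMs });
const SAMPLE_STDERR = [
  'gateway listening',
  rec('c1', 'search_docs', '00', 120), rec('c2', 'search_docs', '05', 110),
  rec('c3', 'search_docs', '09', 115), rec('c4', 'delete_record', '12', 40),
  '{"tool":"search_docs","args":', // truncated line, must not abort the review
  rec('c5', 'search_docs', '15', 118),
].join('\n');

// Keep only lines that parse as audit records; skip plain log text and torn writes.
function parseAuditLines(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed.startsWith('{')) continue;
    try {
      const e = JSON.parse(trimmed);
      if (typeof e.tool === 'string' && typeof e.callId === 'string') events.push(e);
    } catch { /* incomplete JSON: ignore this line */ }
  }
  return events;
}

// Flag tools outside the expected set, and identical tool+arguments calls that
// repeat `loopThreshold` times within `windowMs` (reported once, at the threshold).
function reviewAudit(events, { expectedTools, loopThreshold = 3, windowMs = 60000 }) {
  const findings = [];
  const recent = new Map(); // "tool|args" -> timestamps of recent identical calls
  for (const e of events) {
    if (!expectedTools.has(e.tool)) {
      findings.push({ type: 'unexpected_tool', callId: e.callId, tool: e.tool });
    }
    // Key is sensitive to argument key order, which is stable for a given client.
    const key = e.tool + '|' + JSON.stringify(e.args);
    const t = Date.parse(e.timestamp);
    const times = (recent.get(key) || []).filter((prev) => t - prev <= windowMs);
    times.push(t);
    recent.set(key, times);
    if (times.length === loopThreshold) {
      findings.push({ type: 'possible_loop', callId: e.callId, tool: e.tool });
    }
  }
  return findings;
}
```

Calling `reviewAudit(parseAuditLines(SAMPLE_STDERR), { expectedTools: new Set(['search_docs']) })` returns one `possible_loop` finding at call `c3` and one `unexpected_tool` finding at call `c4`.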
Key facts
- n8n's execution log shows only "MCP Client Tool: success" with no record of tool arguments or responses.
- Cordon is an open-source, MIT-licensed MCP gateway that proxies calls between n8n and upstream MCP servers.
- It emits structured audit JSON per tool call, including tool name, arguments, call ID, timestamp, and `durationMs`.
- Integration requires only changing the URL in n8n's MCP Client Tool node to point at Cordon's `http://127.0.0.1:7777/mcp` endpoint.
- Per-tool policies support `allow`, `block`, and `approve` actions; `approve` pauses the call for human confirmation via Slack or terminal.
- Audit output can be directed to stdout or a hosted browser dashboard that is sortable and exportable.
- Installed via `npm install -g @getcordon/cli` and configured through a `cordon.config.ts` file.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 9, 2026 · 17:05 UTC.