Skip to content

FAQ

What does OpenMaskit actually do?

It's a proxy. AI agents talk to OpenMaskit instead of directly to your MCP servers. OpenMaskit forwards the request upstream, intercepts the response, replaces sensitive values with stable aliases, and forwards the masked response to the agent. When the agent later passes an alias back in a tool call, OpenMaskit swaps in the real value before forwarding upstream.

Is OpenMaskit a hosted service?

No. OpenMaskit is a CLI tool that runs on your own machine. The Python proxy is not deployed anywhere; everything binds to 127.0.0.1 by default.

There is a hosted backend at api.maskitmcp.com that serves the marketplace catalog — but it never sees your tool traffic, your alias map, or your masked / unmasked data. The proxy works without it. See Security model → What OpenMaskit sends for the exact list.

Is OpenMaskit open source? What about the backend?

OpenMaskit (this proxy) is Apache-2.0. Source at github.com/MaskitMCP/openmaskit.

The marketplace backend is closed source. It serves the catalog; it does not touch the masking engine, your aliases, or your tool data. You can run OpenMaskit fully without it by adding servers as custom HTTP / stdio configs from the dashboard or via openmaskit.yaml.

Can I self-host the marketplace backend?

Not today. The marketplace catalog is a hosted service. You can disable it entirely with OPENMASKIT_DISABLE_MARKETPLACE=1 and configure servers via the dashboard's Add Server form or openmaskit.yaml — those paths don't touch any backend.

Does OpenMaskit work offline / air-gapped?

Yes, with one caveat: the marketplace tab will be empty (the catalog is hosted). Custom servers added via the dashboard or openmaskit.yaml, including stdio and HTTP transports, work without any outbound traffic to *.maskitmcp.com. Set OPENMASKIT_DISABLE_MARKETPLACE=1 to suppress the catalog requests entirely.

What AI hosts work with OpenMaskit?

Any MCP host that supports HTTP transport. Confirmed-working: Claude Code, Cursor, Codex CLI. Others should work too — point the host at http://127.0.0.1:9474/{server_name}/mcp.

Why don't aliases look more random?

Aliases are deliberately stable and predictable (host_1, email_2, …) so the model can reason about them consistently across tool calls. A random opaque token like _xK9LqJ7m would also work as a substitution, but it would also confuse the model into thinking each occurrence is a different value.

What happens if the same value appears in two different fields?

Same value, same alias. Aliases are a function of the underlying value (and the rule prefix), not the field path.

What happens if two different servers return the same value?

Different alias per server. Aliases are namespaced per server (the mappings table primary key is (target_name, alias) as of 0.6.0). postgres:host_1 and staging-db:host_1 are independent mappings.

Will OpenMaskit slow down my tool calls?

Marginal latency. The masking engine is synchronous and operates on in-memory dictionaries; persistence to SQLite is batched (a background flush every second). The dominant latency in any tool call is going to be the upstream MCP server itself, not the proxy.

What if the agent invents an alias I never minted?

It gets sent upstream verbatim. OpenMaskit only rewrites aliases it has in the mapping table. An invented alias (host_999) the agent hallucinated will pass through unchanged and the upstream will likely return an error.

Can I run multiple instances of OpenMaskit?

Yes, with separate ~/.openmaskit/ directories. Set OPENMASKIT_STORE_PATH, OPENMASKIT_TRAFFIC_DB_PATH, and unique --web-port / --mcp-port / --oauth-port for each instance.

How do I upgrade between versions?

uvx --refresh openmaskit              # uv handles the cache
# or
pipx upgrade openmaskit                # pipx

The CHANGELOG calls out any migrations. As of 0.6.0, store.db migrates the mappings table primary key on first open of an existing DB. As of 0.2.0, mcp_servers.config migrates from plaintext JSON to a Fernet-encrypted blob. Both migrations are one-way; back up store.db before upgrading if you want a rollback path.

How do I report a bug?

Open an issue: github.com/MaskitMCP/openmaskit/issues.

For security-relevant bugs, follow the disclosure process in SECURITY.md instead of filing a public issue.

Where's the roadmap?

There isn't a public roadmap document. The CHANGELOG is the authoritative record of what's shipped; the GitHub issues tab is where in-flight work and discussion lives.