Integrations Overview
Behavry sits inline between your AI surfaces and the tools / models they call. Existing clients connect by updating an MCP server URL, an API base URL, or installing the browser extension — no SDK changes required.
Supported clients
MCP clients (IDEs, editors, CLIs)
These connect by adding Behavry as an MCP server (or HTTP MCP URL) in their config.
| Client | Type | Setup |
|---|---|---|
| Claude Code | CLI | Guide |
| Claude Desktop | Desktop app | Guide |
| Cursor | IDE | Guide |
| Zed | Editor | Guide |
| Windsurf | IDE | Guide |
| Google Antigravity | IDE | Guide |
| OpenAI Codex CLI | CLI | Guide |
| Amazon Kiro | IDE | Guide |
| Open Interpreter | CLI | Guide |
LLM API proxies
These point your API base URL at Behavry, which then forwards to the upstream provider while inspecting the request and the response.
| Provider | Setup |
|---|---|
| Anthropic API (Claude) | Guide |
| OpenAI API (GPT) | Guide |
| Google Gemini API | Guide |
| Ollama API (local) | Guide |
| NVIDIA NemoClaw | Guide |
| NVIDIA OpenShell | Guide |
Browser surfaces
One Chrome extension covers every major AI web app.
| Surface | Covered via |
|---|---|
| ChatGPT, Claude, Gemini, Copilot, Perplexity, Poe, Mistral, Meta AI, HuggingChat, DeepSeek, Grok, Phind | Browser Extension |
At the time of writing the extension covers 12 AI services, but the fingerprint database is updated regularly — see the extension guide for the current list.
How the inline proxy works
Your agent / IDE / API client
│
▼
Behavry
┌──────────────────────────────┐
│ identity → policy → DLP │
│ context gate → inbound rules │
│ audit + siem + metrics │
└──────────────────────────────┘
│
▼
Target MCP server / LLM API
Every in-flight call is authenticated, evaluated against OPA policy, scanned for sensitive content, rolled into behavioral baselines, and logged. For MCP clients, tools/list responses also pass through Context Window Governance.
Automated setup (local)
make setup # provisions an agent and writes all supported client configs
make tokens # refresh expired tokens
make setup detects which of the supported clients are installed on your machine and rewrites their MCP config to point at Behavry. Run make setup --client=claude-code to target only one.
Manual setup (any client)
- Register an agent in the dashboard (Agents → New agent) and copy the token
- Set the MCP server URL — for MCP clients, point at
http://localhost:8000/mcp/v1; for LLM proxies, point the provider base URL athttp://localhost:8000/{provider}/v1 - Add an
Authorization: Bearer <token>header to the client config
Tool calls from that client are now governed.
Provisioning at scale
The Agents → Provisioning page supports:
- Single provision — one click, pick client type, get a token + pre-filled config
- Bulk provision — enroll multiple agents from a form
- CSV upload — pre-fill from a CSV (name, type, role, tags) for large rollouts
- Test connection — live SSE stream of the first handshake to confirm the client is reachable
See the Provisioning tab under Agents in the dashboard, or POST /api/v1/agents/provision.
Related
- Agent Identity — the identity layer
- Context Window Governance — tool filtering for MCP clients
- Browser Extension �— coverage for the 12 browser AI surfaces
- Human AI Governance — extends governance to humans using AI in a browser