# Executor

By **rhyssullivan** · MCP Servers

MCP gateway that gives AI agents like Claude Code, Cursor, and Codex one endpoint and one tool shape for every integration, with sandboxed execution and credential isolation by design.

- Source: https://executor.sh
- Repository: https://github.com/RhysSullivan/executor
- Install: `npm install -g executor executor install executor web # MCP server executor mcp`
- Tags: mcp, open-source, cli, agent, self-hosted, typescript, gateway, integration
- Pricing: freemium
- Upvotes: 1

## Features

- Unified MCP gateway: one endpoint for OpenAPI, GraphQL, MCP, and Google Discovery tools
- Lazy schema loading: only the called tool's schema enters the prompt, not the full catalog
- Isolated JavaScript sandbox: secrets injected host-side, never visible to agent or model
- Semantic safety gates: auto-runs safe methods, pauses for destructive ones pending user approval
- Per-user and shared credentials with team-wide policy enforcement
- Web UI for adding sources, CLI for headless and server environments
- Trace view (coming soon): full run and tool-call history for post-hoc audit
- MIT-licensed desktop app and CLI; cloud tier with org-wide auth and SSO

---

## Why it matters

Running multiple AI agents against a company's tools means wiring each agent to each tool separately. Every new agent duplicates the setup, and every credential lives in a different config. Executor collapses that into one catalog and one connection.

## The big picture

Executor is an MCP gateway. Any MCP-compatible agent, including Claude Code, Cursor, and Codex, points at one Executor endpoint and reaches every tool you have connected. Sources can be OpenAPI specs, GraphQL schemas, existing MCP servers, or Google Discovery documents. If it can be represented with a JSON schema, it can be an integration, per the README.

## How it works

An agent sees exactly one tool called `execute`. When the agent calls it, Executor runs a search against your tool catalog, loads only the matching tool's schema, and runs the code in an isolated JavaScript sandbox. Credentials are resolved host-side and attached to the outbound request only. They never enter the sandbox heap or the model context at all. That is not a policy assertion. It is a structural constraint of the architecture.

## By the numbers

The context efficiency argument is concrete and sourced from executor.sh directly. Connecting GitHub (720 tools), Stripe (510), Jira (240), Sentry (170), Linear (130), Gmail (95), Notion (80), and Slack (70) without Executor gives the model 1,640 tools consuming roughly 278,800 tokens. With Executor, the model sees 1 tool consuming roughly 1,044 tokens. That is a 99.6% reduction in tool-related prompt overhead.

## Zoom in

Safety semantics travel with each tool. Executor preserves the verb meaning it imported: GET vs DELETE for OpenAPI, `destructiveHint` for MCP, mutations for GraphQL. Agents auto-run the safe operations and pause for human approval before the destructive ones. The guardrails apply uniformly regardless of which surface calls the tool.

## At a glance

The repo had 2,349 stars and 30 contributors as of June 2026, with 93 releases and the latest at v1.5.19 (June 24, 2026). The project is MIT licensed and primarily TypeScript (96.7%). Three deployment modes are available: cloud (free tier included), native desktop for Mac, Windows, and Linux, and a headless CLI via `npm i -g executor`.

## Yes, but

The cloud free tier caps at 3 members and 10,000 executions per month, with overage at $0.20 per 1,000 additional executions. The Team plan runs $150 per org per month for unlimited members and 250,000 included executions. Call tracing and audit logs are listed as coming soon on the free and team tiers, with audit logs available on Enterprise. Anyone who needs a full audit trail today should plan on the Enterprise tier or self-hosting with their own logging layer.

## The bottom line

Executor solves a real, underappreciated problem: every new agent surface reinvents the integration wiring. One gateway with one tool shape, lazy schema loading, and host-side credential isolation makes the multi-agent setup actually manageable without sacrificing safety.

## FAQ

### What is Executor?

Executor is an MCP gateway that gives AI agents a single endpoint and a single tool shape for every integration they need. Any MCP-compatible agent, including Claude Code, Cursor, and Codex, points at one Executor endpoint and can reach tools sourced from OpenAPI specs, GraphQL schemas, existing MCP servers, and Google Discovery documents. The project is MIT licensed, available as a cloud service, a native desktop app, and an npm CLI.

### How do I install and connect Executor to my agent?

Install the CLI with `npm install -g executor`, then run `executor install` to set up the local background service and `executor web` to open the web UI where you add sources. To use it as an MCP server, run `executor mcp` and add an entry to your agent's `mcp.json` pointing the command at `executor` with the arg `mcp`. The README includes a ready-to-paste config block for Claude Code and Cursor.

### Is Executor free or open source?

The desktop app and CLI are MIT licensed with source available on GitHub. The cloud service has a free tier supporting up to 3 members and 10,000 executions per month. The Team plan is $150 per org per month for unlimited members and 250,000 included executions, with overage at $0.20 per 1,000 additional executions. Enterprise pricing is custom and includes self-hosted or dedicated cloud deployment support and SSO.

### What is Executor best for?

Executor is best for teams running multiple AI agents against a large shared catalog of company tools, where context bloat and per-client credential wiring are real problems. The executor.sh site documents the core case directly: connecting eight common services (GitHub, Stripe, Jira, Sentry, Linear, Gmail, Notion, Slack) gives an agent 1,640 tools at roughly 278,800 tokens without Executor, versus 1 tool at roughly 1,044 tokens with it. It is also a strong fit for orgs that need consistent safety gates across all agent surfaces without rebuilding policies per client.

### How does Executor handle credentials and secrets?

Executor resolves credentials host-side at call time and injects them only into the outbound HTTP request. They never enter the sandboxed JavaScript runtime where agent-written code runs, and they are never present in anything the model can read. The MCP documentation describes this as a structural constraint of the architecture, not a configurable policy. On the desktop and CLI deployments, integrations and sessions stay entirely on-device.

### What are Executor's current limitations?

Call tracing (a single view of every run and tool call for post-hoc audit) is listed as coming soon and is not yet generally available. Audit logs are only available on the Enterprise tier. The cloud free tier caps at 3 members and 10,000 executions per month, which may be tight for larger teams before committing to the $150/month Team plan. Pi, the AI agent, does not have a native MCP client and requires a separate community-maintained bridge package to work with Executor.

---
[View on Analog](https://analoghq.ai/rhyssullivan/mcp-servers/executor)