Quickstart: first MCP tool call in 10 minutes
Get from zero to a live GitHub tool call proxied through Wicket in under 10 minutes.
How Wicket fits
Wicket sits between your MCP clients and the services they call. Clients hold one credential — a member key — and Wicket evaluates a policy on every tool call before anything reaches the upstream service:
You + teammates (dashboard) manage agents · policies · members · audit │ ▼┌──────────────┐ Bearer ┌─────────────────────────┐ member's own ┌──────────────┐│ MCP client │ member key │ Wicket │ OAuth token │ Upstream MCP ││ Claude, IDE, ├────────────►│ 1 authenticate ├────────────────►│ GitHub, Slack││ Copilot, … │◄────────────┤ 2 evaluate policies │◄────────────────┤ Linear, +13 │└──────────────┘ result / │ 3 audit every call │ response └──────────────┘ deny └─────────────────────────┘Three things to keep straight:
- Agent — an AI identity you create in the dashboard. Holds enabled connectors, policies, and members.
- Member — a person on an agent. Each member connects their own OAuth accounts and holds their own member key; denied or allowed, every call is attributed to a member.
- Member key — the single Bearer credential an MCP client needs. It unlocks that member’s encrypted OAuth tokens at request time; Wicket never stores the key.
Trusted vs untrusted
When you create an agent you pick its trust mode — the one decision worth understanding before step 2:
| Trusted | Untrusted | |
|---|---|---|
| Policies | One agent-wide set — every member governed identically | Per member — each member gets their own policy set |
| If no policies match a member | Default deny applies per call | Fail closed — member with no policies can do nothing |
| Pick it for | Your own team sharing one assistant config | Contractors, external contributors, graduated rollouts |
This tutorial uses a trusted agent — you’re the only member, so one policy set is exactly right. The full reasoning lives in Trust model.
Prerequisites
- A GitHub account (for the connector OAuth)
- Claude Desktop installed
-
Create your account
Go to app.wicket.sh and enter your email. Wicket sends a 6-character code — paste it in to sign in. No password required.
-
Create an agent
Click New agent and give it a name (e.g.
my-first-agent). Choose Trusted as the agent type — you’re the only member, so one agent-wide policy set is right (see Trusted vs untrusted above).Under Connectors, toggle GitHub on, then click Save.
-
Connect GitHub
Open the agent’s Members tab and find your own entry. Click Connect services, then Connect GitHub. A popup opens the GitHub OAuth flow — authorize it and close the popup.
-
Generate your member key
Still on the Members tab, click Generate key.
The member key is the only credential your MCP client needs — it identifies you, your agent, and your connected services in one token.
-
Configure Claude Desktop
Open (or create) the Claude Desktop config file:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
Add a
mcpServersentry:{"mcpServers": {"wicket": {"url": "https://mcp.wicket.sh/mcp","headers": {"Authorization": "Bearer <your-member-key>"}}}}Replace
<your-member-key>with the key from the previous step. Save and restart Claude Desktop. - macOS:
-
Make your first tool call
In Claude Desktop, start a new conversation and ask:
List my GitHub repositories.
Claude calls the proxied GitHub MCP tool and returns your repo list.
-
Verify in the audit log
In Wicket, open the agent’s Audit tab. You will see a row for the call with the principal (your key suffix), decision
ALLOW, and duration.
Next steps
- Author your first policy — restrict which GitHub tools Claude can call
- Connect Claude Code — use Wicket from the terminal
- Connectors catalog — add Slack, Linear, Notion, and 12 more