Introduction

Stacklok Enterprise

Stacklok Desktop is a component of Stacklok Enterprise. For a full comparison of ToolHive Community and Stacklok Enterprise capabilities, see Stacklok Enterprise.

Stacklok Desktop is a hardened edition of the ToolHive desktop app that adds centralized management and security controls for organizations. Everything in the open source app works the same. On top of that, it adds policy enforcement, resilience when the Enterprise Manager is unreachable, managed updates, and deep link integration with the Enterprise Cloud UI. It also bundles the Stacklok CLI, so installing the app puts thv on your PATH and shares a single sign-in session between the two.

Policy enforcement

The Enterprise Manager pushes policy directives that control which features are visible and whether you can change them. For example, your admin can hide the Playground tab, lock the registry URL, or block custom MCP servers. See Policy enforcement for the full list of controls.

Degraded mode

When Stacklok Desktop cannot reach the Enterprise Manager, it enters degraded mode. A warning banner appears below the navigation bar:

  • Grace period (yellow) - the Enterprise Manager is unreachable but the cached configuration is still valid. The app continues to work normally.
  • Degraded (red) - the grace period has elapsed. Some enterprise features may stop working depending on the degraded mode policy configured by your admin.

Stacklok Desktop polls the Enterprise Manager every 5 seconds while in degraded mode and recovers automatically when the connection is restored.

Managed updates

Auto-update is disabled in Stacklok Desktop. Updates are distributed through your organization's release cycle, not through the app's built-in update mechanism. This gives your platform team control over which version is deployed across the organization.

Stacklok Desktop can receive install requests from the Enterprise Cloud UI. When you click Install on a server in the Cloud UI, Stacklok Desktop opens with the server pre-selected. See Deep links for details.

The enterprise deep link protocol (stacklok-enterprise-gui://) is separate from the open source protocol (toolhive-gui://), so both editions can coexist on the same machine.

First launch and sign-in

On first launch, the app connects to the Enterprise Manager to retrieve your organization's policy configuration and OIDC settings. You see a sign-in screen that initiates an OIDC/OAuth flow with your identity provider (Okta, Entra ID, or any OIDC-compatible provider). After signing in, the app applies your organization's policies and shows the main interface.

You can sign out at any time from Settings.

Next steps