Registry policy
Without a registry policy, developers can point ToolHive to any MCP registry, including unapproved ones. This guide shows you how to lock all clients to your internal registry so developers always pull from your vetted server catalog. The registry can be a self-hosted Registry Server, the upstream MCP registry, or any MCP-compatible registry.
You'll need your registry's URL (for example, https://registry.acme.com) and
the Enterprise Manager already deployed and reachable by
clients.
Configure the registry directive
Add the registry directive to your enterprise configuration. Replace the
example URL with your registry's address and pick an
enforcement level.
enterpriseConfig:
  registry:
    value:
      # The registry API URL all clients connect to
      api_url: 'https://registry.acme.com'
    # "enforced" blocks local overrides; "default" lets users override locally
    enforcement: 'enforced'
Use enforced in regulated environments or when you need to guarantee that only
vetted servers are accessible. Use default when you want to recommend a
registry URL across your organization but allow teams or developers to switch
for testing or local development.
After updating your configuration, apply the change.
Variations
Advisory registry
Suggest the registry URL as an org-wide default while allowing local overrides:
enterpriseConfig:
  registry:
    value:
      api_url: 'https://registry.acme.com'
    enforcement: 'default'
Registry on a private IP
If your registry responds with private IP addresses (for example, a registry
that runs inside your VPC), set allow_private_ip: true so clients accept those
responses:
enterpriseConfig:
  registry:
    value:
      api_url: 'https://registry.internal.acme.com'
      allow_private_ip: true
    enforcement: 'enforced'
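Pre-apply check
The following check is an added example, not part of ToolHive or the Enterprise Manager. It audits a parsed enterprise configuration before you apply it, covering the three variants above. It assumes that api_url and allow_private_ip sit under value with enforcement beside value, that the YAML has already been loaded into a dict, and that your policy requires HTTPS; the function name and finding messages are hypothetical.

```python
from urllib.parse import urlsplit

LEVELS = {"enforced", "default"}  # the two enforcement levels the page describes


def audit_registry_directive(config, approved_url, require_enforced=True):
    """Return a list of findings for the registry directive in a parsed config."""
    directive = (config.get("enterpriseConfig") or {}).get("registry")
    if not isinstance(directive, dict):
        return ["no registry directive: clients can point at any MCP registry"]

    findings = []
    value = directive.get("value") or {}
    api_url = str(value.get("api_url", ""))
    parts = urlsplit(api_url)

    # Assumed policy for this example: the registry must be reached over HTTPS.
    if parts.scheme != "https" or not parts.hostname:
        findings.append(f"api_url {api_url!r} is not an https URL")
    elif api_url.rstrip("/") != approved_url.rstrip("/"):
        findings.append(f"api_url {api_url!r} is not the approved registry")

    level = directive.get("enforcement")
    if level not in LEVELS:
        findings.append(f"enforcement {level!r} is not 'enforced' or 'default'")
    elif level == "default" and require_enforced:
        findings.append("enforcement is 'default': users can override locally")

    # Not an error by itself, but worth a reviewer's confirmation.
    if value.get("allow_private_ip") is True:
        findings.append("allow_private_ip is true: confirm the registry is internal")
    return findings


# Constructed samples that mirror the page's YAML after parsing.
ENFORCED = {"enterpriseConfig": {"registry": {
    "value": {"api_url": "https://registry.acme.com"},
    "enforcement": "enforced"}}}
ADVISORY = {"enterpriseConfig": {"registry": {
    "value": {"api_url": "https://registry.acme.com"},
    "enforcement": "default"}}}
PRIVATE = {"enterpriseConfig": {"registry": {
    "value": {"api_url": "https://registry.internal.acme.com",
              "allow_private_ip": True},
    "enforcement": "enforced"}}}

if __name__ == "__main__":
    for name, cfg in [("enforced", ENFORCED), ("advisory", ADVISORY), ("private", PRIVATE)]:
        print(name, audit_registry_directive(cfg, "https://registry.acme.com"))
```

Pass require_enforced=False when the advisory variant is what you intend to ship.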
Next steps
- Non-registry servers policy to control whether clients can run servers outside the registry
- Telemetry policy to enforce OpenTelemetry settings
- Stacklok Desktop policies to control Stacklok Desktop visibility
- Degraded mode to define client behavior when the Enterprise Manager is unreachable