The Web UI Configuration page (/ui/settings) presents mcpproxy's config as
friendly, prioritized form sections instead of raw JSON:
- Security & Access — API key (masked, show/regenerate), require MCP auth, quarantine, global Docker isolation, code execution, read-only mode, sensitive-data detection, reveal secret headers, listen address.
- General — routing mode, tool limits, response limit, call timeout, log level, telemetry, prompts.
- Advanced — collapsible accordions per subsystem (code execution, Docker isolation, sensitive-data detection, output validation, output sanitisation, activity retention, logging, TLS, …).
- Raw JSON — the full Monaco editor, kept as an escape hatch.
- Server edition — multi-user settings (server build only).
Each section saves only the fields you changed via PATCH /api/v1/config, a
partial deep-merge that routes through the normal validate → persist → hot-reload
pipeline. Because the merge starts from the live config and overlays just your
changes, unrelated values and masked secrets (API key, secret headers) are never
overwritten.
Fields that need a restart (listen, data_dir, api_key, tls.*) show a
restart badge; sensitive changes (reveal secret headers, disabling
quarantine/management, binding to a non-loopback address) require an explicit
confirmation before they apply.
# Equivalent API call — change one field, everything else preserved
curl -X PATCH -H "X-API-Key: $KEY" -H 'Content-Type: application/json' \
-d '{"quarantine_enabled": false}' http://127.0.0.1:8080/api/v1/configComplex lists/maps (Docker image map, custom detection patterns, environment
vars) and mcpServers / registries are managed on their own pages or the Raw
JSON tab. See the configuration reference for the full option list.