ThumbGate vs Arcade.dev

5 min read · For teams evaluating AI agent security, auth, and guardrail layers

TL;DR: Arcade is a cloud-hosted auth proxy built to delegate user identities (OAuth) to SaaS APIs for production-facing enterprise agents. ThumbGate is a local-first, feedback-driven pre-action check firewall built to prevent coding agents (Claude Code, Cursor, Cline) from making filesystem mistakes or breaking builds. Arcade secures API identity delegation; ThumbGate secures local tool-call execution.

Different Layers, Different Goals

Arcade recently announced a $60M Series A (led by SYN Ventures with Morgan Stanley and Wipro) to address the authorization accountability gap in production AI agents. Both products address AI agent security, but they are designed for completely separate loops.

If you're building a production agent that needs to draft emails, update Salesforce records, or post to Slack on behalf of real users, Arcade's token delegation is the industry standard. If you are a developer using Claude Code or Cursor and want to make sure the agent doesn't delete your files, leak API keys, or run unsafe commands, ThumbGate's local PreToolUse firewall is built for you.

Side-by-Side Comparison

| Dimension | Arcade.dev | ThumbGate |
| --- | --- | --- |
| Primary Value Prop | Secure identity/token delegation and auth propagation for production agents. | Local pre-action checks preventing coding-agent mistakes and directory destruction. |
| Integration layer | Cloud auth proxy between agent application and downstream SaaS APIs. | Out-of-process PreToolUse hook intercepting tool calls at the agent runtime boundary (Claude Code / Cursor / Codex / Gemini / Amp / Cline / OpenCode). |
| Deployment mode | Cloud-hosted service or self-hosted gateway. | Local-first, runs on the developer's machine with SQLite/JSON persistence. |
| Identity & Auth Model | OAuth 2.0 user identity propagation. | Policy-based rules derived from human feedback (thumbs-down rules) and Thompson Sampling. |
| Primary target tools | SaaS APIs (Slack, Salesforce, GitHub, Gmail, Jira). | Local system tools (filesystem write, terminal execute, git push, package install). |
| MCP Integration | Authored the MCP authorization specification for API token delegation. | Operates as a local MCP server controlling local tool execution permissions. |
| Setup Friction | Requires configuring OAuth providers, redirect URIs, and deploying API proxy. | Installs in 30 seconds via npx thumbgate init with zero infrastructure. |

Complementary, Not Conflicting

Because they operate at different layers, ThumbGate and Arcade are complementary:

Get Started with Local Guardrails

Install ThumbGate locally in one command:

npx thumbgate init

Then give thumbs-up/down feedback to let the firewall learn your boundaries. Core CLI + local hooks are MIT licensed.
