What is an MCP Gateway?


An MCP gateway is a service that sits between MCP clients and multiple upstream MCP servers, providing a single point for authentication, policy enforcement, audit logging and tool filtering across all of them. Unlike a proxy in front of one server, a gateway manages an organisation's whole MCP estate through one ingress.

WHY IT MATTERS

Each MCP server an organisation adopts brings its own credentials, its own tool surface and its own risk profile. Connecting AI clients directly to each server means N separate trust decisions, N credential stores and no shared record of what agents actually did. A gateway collapses that into one controlled path: clients connect to the gateway, and the gateway holds the upstream connections.

Centralising the connection point makes several controls practical that are otherwise scattered or absent:

  • Authentication — one identity layer for people and agents, rather than per-server API keys pasted into client configs.
  • Policy — every tool call can be evaluated by a policy engine before it reaches the upstream server.
  • Audit — a complete, uniform record of requests and decisions across all servers.
  • Tool filtering — exposing only an approved subset of upstream tools to each client or person.

The distinction from an MCP proxy is scope: a proxy fronts a single connection or server, while a gateway is fleet-wide infrastructure — the MCP analogue of an API gateway. Gateways often also act as aggregators, multiplexing many upstreams into one endpoint.
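
The four controls above in one request path, as an added example that is not code from this page or from any gateway product. The token table, the grants, the `server.tool` naming, the `forward` callback and the -32001/-32002 error codes are assumptions made for the illustration, and tool descriptors are reduced to their names.

```python
import time

# Constructed sample data (assumptions, not from the page).
UPSTREAM_TOOLS = {"github": ["create_issue", "delete_repo"],
                  "postgres": ["query", "drop_table"]}
TOKENS = {"tok-alice": "alice", "tok-ci": "ci-agent"}       # token -> identity
GRANTS = {"alice": {"github.create_issue", "postgres.query"},
          "ci-agent": {"github.create_issue"}}              # identity -> tools
AUDIT_LOG = []  # uniform record of every decision, across all upstreams

def _audit(identity, method, tool, decision):
    AUDIT_LOG.append({"ts": time.time(), "identity": identity,
                      "method": method, "tool": tool, "decision": decision})

def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": code, "message": message}}

def handle(token, request, forward):
    """Gateway entry point. forward(server, tool, arguments) performs the
    upstream call using credentials only the gateway holds."""
    req_id, method = request.get("id"), request.get("method")
    identity = TOKENS.get(token)
    if identity is None:                       # authentication
        _audit(None, method, None, "deny:unauthenticated")
        return _error(req_id, -32001, "unauthenticated")
    allowed = GRANTS.get(identity, set())      # default deny
    if method == "tools/list":                 # tool filtering
        tools = [{"name": f"{s}.{t}"} for s, ts in UPSTREAM_TOOLS.items()
                 for t in ts if f"{s}.{t}" in allowed]
        _audit(identity, method, None, "allow")
        return {"jsonrpc": "2.0", "id": req_id, "result": {"tools": tools}}
    if method == "tools/call":                 # policy, checked on every call
        params = request.get("params")
        params = params if isinstance(params, dict) else {}
        name = params.get("name")
        name = name if isinstance(name, str) else ""
        server, _, tool = name.partition(".")
        # A tool hidden from tools/list must also be refused when named directly.
        if name not in allowed or tool not in UPSTREAM_TOOLS.get(server, []):
            _audit(identity, method, name, "deny")
            return _error(req_id, -32002, "tool not permitted")
        _audit(identity, method, name, "allow")
        result = forward(server, tool, params.get("arguments", {}))
        return {"jsonrpc": "2.0", "id": req_id, "result": result}
    _audit(identity, method, None, "deny:unsupported")
    return _error(req_id, -32601, "method not found")
```

Filtering `tools/list` alone is not enforcement: the `tools/call` branch repeats the grant check so that a client which already knows an unlisted tool name is still refused, and the refusal is audited.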


HOW POLICYLAYER USES THIS

PolicyLayer is a hosted MCP gateway and control plane. Teams register their upstream MCP servers, define deterministic policies, issue per-person scoped tokens, and point clients such as Claude Code, Cursor and Codex at the PolicyLayer gateway. Every tools/call is evaluated against policy — allow, deny, or log — before it executes, and every decision lands in the audit trail.

FREQUENTLY ASKED QUESTIONS

How is an MCP gateway different from an MCP proxy?
A proxy is a transparent intermediary for one or a few connections; a gateway is the managed ingress for many upstream servers, adding shared authentication, policy, audit and tool filtering across the whole fleet.

Does an MCP gateway change how clients connect?
Clients connect to the gateway's endpoint instead of each server individually, typically over Streamable HTTP. The gateway then holds and manages the upstream connections on their behalf.

Why not just configure policies in each MCP server?
Most MCP servers have no policy layer at all, and third-party servers cannot be modified. A gateway enforces policy uniformly without requiring any change to upstream servers.
