MCP Gateway Reference

MCP Gateway

By PolicyLayer Research

An MCP gateway sits in front of every MCP server your agents call and decides each tool call before it runs. The Model Context Protocol moves tool calls between clients and servers; it never shipped a way to say who may call what. The gateway is that missing decision — one control point every call crosses, where the verdict is fixed before anything reaches the server.

This page is the reference for what an MCP gateway is, what a production-grade one has to do, and how to tell a real gateway from a logging proxy with a marketing page. It pairs with the broader MCP security and AI agent security references, and with MCP authentication, which covers the narrower question of how callers prove who they are.

What an MCP gateway is

An MCP gateway is a proxy that sits between your AI clients and the MCP servers they call. Every tools/call leaves the client, reaches the gateway first, and is evaluated against policy before it is forwarded upstream. The gateway allows the call, denies it, or hides the tool from the agent entirely, and can attach argument-level conditions and quota limits to whatever it does forward.

It is the same architectural idea as an API gateway, applied to agent tool calls: a single control point in front of many backends. The difference is what it inspects and who is calling. Not REST routes, but MCP method calls and their arguments, made by a non-deterministic caller that can be steered by the content it reads. The protocol is the transport. The gateway is the control plane the transport never shipped with.

Why MCP needs a gateway

MCP has no permission model. Connect an agent to a server and it gets every tool that server exposes, with no scoping, no limits, and no per-person identity. Three gaps follow directly.

  • Unrestricted tool access. A server publishes its full toolset to any connected client. There is no native way to expose get_issue while hiding delete_repository. It is all or nothing.
  • Scattered, shared credentials. Each server authenticates on its own terms, and those secrets end up copied into client configs on every machine. Nobody can say which person made which call, and revoking access means rotating a key everyone shares.
  • Instructions are not a control. Telling the agent what not to do in a system prompt is not enforcement. A model can be talked out of a prompt through injection, or simply ignore it. The thing you are trying to constrain is the thing doing the reasoning.

You cannot enforce policy inside servers you do not control. You enforce it at the boundary every call has to cross.

What a production-grade gateway must do

Plenty of things will route MCP traffic and call themselves a gateway. The bar for one you can actually rely on is higher. A production-grade MCP gateway has to:

  • Filter tools at the tool level, not the server level. Expose a subset of a server's tools and hide the rest. The unit of control is a single tool, with the ability to block one destructive action while leaving the rest of the server available.
  • Evaluate every call before it runs. Enforcement is real-time and pre-execution, on the path. A gateway that logs what happened after the fact is better than nothing, but it is a recorder, not a control.
  • Decide deterministically. An identical call yields an identical verdict, every time, with no model in the decision path. A control the model can reason about is a control the model can reason around. This is the property that makes the decision provable to an auditor and immune to being talked out of.
  • Read the arguments, not just the tool name. The question is not "can this agent reach Stripe" but "can this call refund this amount". Conditions apply to any argument on the call.
  • Issue per-person scoped tokens. Each person and each agent connects with its own revocable grant, never a shared key. Access is scoped per identity and offboarding is a single revocation that leaves everyone else untouched.
  • Broker upstream credentials. The real API keys and OAuth tokens live in the gateway, encrypted at rest, injected only on an authorised call. They never land in a client config on a laptop.
  • Make every decision provable, not just logged. Full attribution on every call — person, agent, tool, server, arguments, verdict, and the rule that fired — recorded so a decision can be verified independently, not taken on trust. Exporting a log you have to believe is a weaker claim than a decision you can check.
  • Hold across every client and every server. One enforcement layer and one policy across Claude Code, Cursor, Codex, and the third-party servers you did not write and cannot modify. The same user gets the same rules whichever client they opened this morning.
  • Detect upstream changes. When a hosted server adds or alters a tool, the gateway flags it and holds the new or changed tool denied by default until it is reviewed. Your last assessment should not silently expire the moment a vendor ships a release.

How to tell a real gateway from a logging proxy

Most of the difference shows up in a few direct questions. Run them in a demo, against the actual product, not a description of it:

  • Default-deny or default-allow? With no policy written, does a tool call get blocked or waved through? The answer reveals the security philosophy.
  • Before the call, or after it? Does enforcement happen on the path, before the call reaches the server — or is it a log written once the action already ran?
  • Deterministic, or does a model decide? A probabilistic router that "intelligently selects" tools is making a judgement call. Enterprise enforcement needs an identical verdict for an identical request.
  • One tool, or the whole server? Can you block a single action and one argument, or only toggle an entire server on and off?
  • Provable, or just stored? Can you verify a past decision independently, or only read a log and trust it?
  • One policy, or one per client? Does the same rule hold across every AI client, or does each app keep its own settings and its own gaps?

Because evaluation happens before the call is forwarded, a real gateway's decision is fixed. The model can reason around a prompt. It cannot reason around an action that physically never reaches the server. That is the whole point of the boundary, and it is the same architecture AWS validated with Cedar and the NSA described from the defensive side.

When you need one

A gateway earns its place the moment any of these is true:

  • You run agents against more than one MCP server.
  • More than one person uses those agents and you need to know who did what.
  • Agents touch anything that costs money, deletes data, or sends messages.
  • You answer to a compliance regime that expects an audit trail.

A single developer poking at one read-only server does not need a gateway. A team running production agents against Stripe, GitHub, Postgres, and a stack of third-party servers does, and the need is not optional. It is the difference between hoping the agent behaves and knowing what it is allowed to do. PolicyLayer is a hosted MCP gateway: you point your client at a URL, attach a per-person token, and every tool call is evaluated against policy before it runs.

Frequently asked questions

What is an MCP gateway?

An MCP gateway is a proxy that sits between AI clients and the MCP servers they call. Every tools/call leaves the client, reaches the gateway first, and is evaluated against policy before it is forwarded upstream. The gateway allows the call, denies it, or hides the tool entirely, and can attach argument-level conditions and quota limits. The Model Context Protocol defines how tools are discovered and invoked; it does not define who may invoke what. The gateway is the layer that adds that missing decision.

Why do AI agents need an MCP gateway?

MCP has no permission model. When you connect an agent to a server, it gets every tool that server exposes, with no scoping, no per-person identity, and no limits. A connected agent can call a destructive tool as readily as a read-only one, and a prompt injection can steer it into doing so. A gateway adds the missing controls: it scopes which tools and arguments are allowed and enforces that on every call, regardless of what the agent was prompted to do.

What should an MCP gateway do?

A production-grade MCP gateway should filter tools per identity at the tool level (not just toggle whole servers), evaluate every call before it runs rather than logging it after, decide deterministically so an identical call always yields an identical verdict, read tool arguments and not just tool names, issue per-person scoped tokens instead of a shared key, broker upstream credentials so they never reach the client, make every decision provable and attributable, and hold one consistent policy across every AI client and every server. Anything that only records what already happened is a recorder, not a control.

How is an MCP gateway different from an API gateway?

It is the same architectural idea — a single control point in front of many backends — applied to agent tool calls instead of REST routes. The difference is what it inspects and who the caller is. An MCP gateway inspects MCP method calls and their arguments, made by a non-deterministic agent that can be steered by the untrusted content it reads. That is why the decision has to be deterministic and sit outside the model, not inside the caller.

Is an MCP gateway the same as MCP authentication?

No. Authentication proves who is calling. A gateway also handles authorisation — what that caller may do on each tool, with which arguments — brokers the upstream credentials so they never reach the client, and records every call and decision. Authentication is one capability a gateway provides, not the whole of it. See the MCP authentication reference for the narrower identity question.

How do you evaluate an MCP gateway?

Test the posture, not the slide deck. Set up the gateway with no policies and attempt a tool call: a default-deny gateway blocks it, a default-allow one waves it through. Then check whether enforcement happens before the call or only logs it after, whether the decision is deterministic or made by a model, whether you can scope a single tool and argument or only toggle a whole server, and whether you can prove a past decision independently or only read a log you have to trust. Those answers separate a real gateway from a logging proxy.

Take your agents live. Without losing control.

Route your MCP traffic through PolicyLayer. Every tool call is checked against your policy before it runs: allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

TAKE YOUR AGENTS LIVE →

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.