Model Context Protocol Gateway

One MCP URL in. Every backend out. Governed in between.

MCPG sits between the agents that call tools and the systems those tools reach. Consumers connect to a single endpoint; every call flows through the same identity, policy, and observability pipeline before it ever touches an upstream.

Questions about your use case? Contact us — or book a demo and we'll walk through it live.

The architecture

Any backend, wrapped as an MCP tool.

HTTP, GraphQL, SQL, Kafka, gRPC, subprocesses, LLMs — even other MCP servers and OpenAPI specs — all become governed MCP tools behind one endpoint.

Self-host, or skip the ops with mcpg.cloud — fully managed.

[Architecture diagram]
Consumers (connect via one URL over HTTP + SSE or stdio): AI agents (Claude and autonomous agents), MCP clients (desktop and app clients), IDEs / dev tools (editors, CLIs), LLM apps (custom assistants).
MCPG, the governed MCP endpoint, runs each call through six stages: 1 Identity (who is calling?), 2 Policy (are they allowed?), 3 Rate & Reliability (keep it fair and healthy), 4 Tool Gate (final checks: pay, scan, approve), 5 Transform (reshape args and results), 6 Dispatch (call the upstream).
Supporting blocks: Credentials & Secrets; Governance (one control surface); Observability (taps every call); Controller (driven by policy and config); MCP Federation; OpenAPI 3.1+; Management (control plane: control, provision and operate the fleet); Extensibility (serverless lambda and sandbox, plugins loaded from file or remote, MCP extensions); Clustered State / HA.
Backends: HTTP / REST (OpenAPI-driven dispatch), SQL (Postgres · MySQL · SQLite), Kafka (request / reply topics), NATS (Core + JetStream), gRPC (proto-less JSON / HTTP/2), GraphQL (queries and mutations), Subprocess (stdio commands), LLM providers (Anthropic · OpenAI · Gemini).


Install

Running in minutes, wherever you run.

Pick your path — the published image, the Helm chart, a signed binary, or straight from source. The config is the same everywhere.

Also available: the Kubernetes operator, HA via Helm, air-gapped installs, and Terraform / Pulumi modules — see all installation options.

bash
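# Pull the published gateway image
# (:latest is a mutable tag; pin a release tag or image digest for anything long-lived)
docker pull ghcr.io/mcpg-dev/source-code/gateway:latest

# Run with your config mounted read-only (see Quickstart to generate one).
# -p 8787:8787 publishes the port on all host interfaces; use
# -p 127.0.0.1:8787:8787 to keep a local trial reachable from this machine only.
docker run --rm -p 8787:8787 \
  -v "$(pwd)/config.yaml:/etc/mcpg/config.yaml:ro" \
  ghcr.io/mcpg-dev/source-code/gateway:latest

# Health check
curl http://127.0.0.1:8787/health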
Plugins & extensibility

A thin core. Every seam is a plugin you can replace.

Identity, policy, gates, transforms, backends, audit sinks, secrets, caching, cluster coordination — all of it is a plugin interface. 37 first-party plugins across 13 categories ship signed; when one doesn't fit, write your own.

identity_provider · policy_engine · tool_gate · transform · backend · watch_strategy · audit_sink · telemetry_sink · metrics_sink · credential_issuer · secret_provider · cache_provider · store · cluster · transport · http_route · catalog · log_sink
  • Native Rust (cdylib) for hot paths, WASM Component Model for sandboxed transforms
  • Every artifact Ed25519-signed + cosign-attested with SLSA provenance, distributed via OCI
  • Operator-controlled trust: pinned keys, revocation lists, air-gapped mirrors
  • Hot dev loop — scaffold, build, and path-load into a running gateway
bash
# Scaffold a gate plugin from the SDK template
mcpg plugin new --kind tool_gate --name my-gate
cd mcpg-plugin-tool-gate-my-gate && cargo build --release

# Hot-load it into a running dev gateway
mcpg dev --plugin target/release/libmcpg_plugin_tool_gate_my_gate.so

# Sign + publish to any OCI registry
mcpg plugin pack -d plugin.yaml -a target/release/*.so -o my-gate.zip
mcpg plugin push my-gate.zip ghcr.io/acme/plugins/my-gate:0.1.0
The pipeline

What happens between the agent and your systems.

Every tool call walks the same chain — no exceptions, no side doors. Each step is a plugin slot you can configure, extend, or replace.

01

Who's calling?

Identity resolved per request — OIDC, mTLS, SPIFFE workload identity, API keys. Every call is attributed to a person or workload.

02

Are they allowed?

Policy as code — OPA, Cedar, or Casbin — plus per-identity tool access. Deny by default, hot-reloaded.

03

Should it run right now?

Rate limits, usage budgets, circuit breakers, IP allowlists — and human approval from Slack for the dangerous ones.

04

Redact & shape

JSONata transforms rewrite arguments and results; the masking plugin strips PII before it ever reaches a model.

05

Execute

Dispatch to the bound backend — HTTP, SQL, Kafka, gRPC, a subprocess, an LLM, or a federated MCP server.

06

Prove it happened

A tamper-evident, Ed25519-chained audit entry — who, what, when, decision, and optionally the encrypted payload.

Connect anything

Point YAML at it. It's a governed tool.

No SDK to embed, no wrapper service to babysit. Declare a binding, and the gateway derives the tool — schema, dispatch, and governance included.

An OpenAPI spec

kind: openapi
spec: ./billing-api.yaml

Every operation becomes a governed tool — input and output schemas included.

A SQL database

kind: sql
query: SELECT * FROM orders WHERE id = :id

Postgres, MySQL, SQLite. Parameterized, transactional, read-only if you say so.

A message broker

kind: kafka
topic: payments.events

Kafka and NATS — publish, request/reply, and resource watches on topics.

A gRPC or GraphQL service

kind: grpc
service: billing.v1.Invoices

Reflection and introspection drive the schemas; no IDL copying.

A script on the box

kind: command
argv: ["./run-report.sh"]

Subprocess dispatch with sandboxing — the duct tape, governed.

An LLM provider

kind: anthropic.chat
model: claude-sonnet-4-6

OpenAI, Anthropic, Gemini, Stability, or any compatible endpoint — models as governed, audited tools.

Already running MCP servers?

Federate them. The gateway connects as an MCP client, imports their tools under your prefix, and serves everything from one endpoint — with your identity, policy, and audit layered on top.

Federation guide
One gateway, three jobs

Build. Run. Govern.

The same deployment serves the engineer shipping tools, the team operating it, and the people accountable for what agents touch.

For AI engineers

Build

  • Tools from OpenAPI specs, databases, and queues in minutes — not sprint-long wrapper projects
  • One URL works in Claude, ChatGPT, Cursor, and Copilot — stop maintaining per-client setups
  • Local dev loop: path-load plugins, hot-reload config, stdio mode for desktop clients
Start building
For platform & DevOps

Run

  • One static binary to HA fleet — Docker, Helm, or the Kubernetes operator with 8 CRDs
  • Prometheus metrics and OpenTelemetry traces from the first request; dashboards included
  • Terraform, Pulumi, and OpenTofu modules; multi-tenant quotas; air-gapped installs
See operations
For security & leadership

Govern

  • Every tool call attributed to a person or workload — no anonymous agent traffic
  • Human approval gates for destructive actions, recorded with the approver
  • Tamper-evident audit your auditor can verify; credentials never reach the agent
Read the security model
Cost & blast radius

Agents don't get a blank check.

Limits live in the gateway and apply to every client — not in per-app code you hope someone remembered to write.

Rate limits

Per identity, per tool, per window. A runaway loop hits a wall, not your database.

Budgets & metering

Usage caps and metered quotas per person or team — with x402 payment gates if you charge for access.

Circuit breakers

A flaky upstream trips open instead of cascading. Agents get a clean error, your systems get a break.

Response caching

Agents repeat themselves constantly. Cached responses make the second ask free.

Trust & audit

When the auditor asks, you have answers.

Governance that survives scrutiny — attribution, approval, integrity, and supply chain, all inspectable.

Who can call which tools?

Per-identity tool access plus policy-as-code (OPA, Cedar, Casbin). The answer is a config file in git, not tribal knowledge.

Who approved that action?

Approval gates route dangerous calls to Slack; the approver, timestamp, and decision land in the audit trail.

Can you prove the log is intact?

Audit entries are Ed25519-signed and hash-chained — any edit breaks the chain. Verifiable offline.
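
How a signed, hash-chained audit log of the kind described here and in pipeline step 06 can be checked offline, as an added example that is not MCPG's own code. The `Entry` layout and the `Append`, `Verify` and `Sample` names are hypothetical, and the log lines and all-zero seed are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Entry struct { // hypothetical audit record; layout assumed, not MCPG's format
	Prev [32]byte // SHA-256 of the previous entry, all zero for the first
	Body []byte   // who, what, when, decision
	Sig  []byte   // Ed25519 signature over Prev || Body
}

// signed is the byte string the signature covers; hash also covers Sig.
func (e Entry) signed() []byte { return append(e.Prev[:], e.Body...) }
func (e Entry) hash() [32]byte { return sha256.Sum256(append(e.signed(), e.Sig...)) }

func Append(log []Entry, priv ed25519.PrivateKey, body string) []Entry {
	e := Entry{Body: []byte(body)}
	if n := len(log); n > 0 {
		e.Prev = log[n-1].hash() // link the new entry to the current tail
	}
	e.Sig = ed25519.Sign(priv, e.signed())
	return append(log, e)
}

// Verify returns the index of the first failing entry, or -1 if the chain is intact.
func Verify(log []Entry, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, e := range log {
		if e.Prev != prev || !ed25519.Verify(pub, e.signed(), e.Sig) {
			return i
		}
		prev = e.hash()
	}
	return -1
}

// Sample builds a constructed three-entry log signed with an all-zero demo seed.
func Sample() ([]Entry, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	log := Append(nil, priv, "alice orders.get allow")
	log = Append(log, priv, "ci-bot db.drop deny")
	log = Append(log, priv, "bob report.run allow")
	return log, priv.Public().(ed25519.PublicKey)
}

func main() { fmt.Println("first bad entry:", Verify(Sample())) }
```

An edited or deleted entry is reported at its index, but a log with its tail cut off still verifies as a shorter valid chain. A verifier therefore also needs the latest entry hash from a location the log writer cannot rewrite.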

What code runs inside the gateway?

Only plugins that pass signature, cosign, and SLSA provenance checks against your pinned trust roots. Revocable by hash.

Do agents hold our credentials?

Never. Secrets resolve server-side at dispatch via cred:// — models and clients see placeholders, not keys.

Can it run with no internet?

Yes — air-gapped installs with in-cluster plugin mirrors and offline trust roots. No phone-home, ever.

Run it anywhere

The same gateway from quickstart to multi-tenant fleet.

No migration cliff: the config you wrote on a laptop is the config the operator reconciles in production.

01

Try

mcpg ctl quickstart

One binary: control plane, dashboard, and a gateway on your laptop. No database, no cluster.

02

Ship

docker run … gateway:latest

The published image with your config mounted — or the Helm chart for a single-team install.

03

Scale

kubectl apply -f gateway.yaml

The operator reconciles gateways, plugin sets, and tenants from 8 CRDs. HA via shared cluster state.

04

Govern the fleet

mcpg ctl gateway --enrollment-url …

Gateways enroll into the control plane: org-wide config, rotation, observability, and audit.

Terraform provider · Pulumi · OpenTofu · Air-gapped installs · SBOM + signed releases · All install paths →
37+ signed plugins
21 extension points
9 backend families
100% MCP MUST coverage
1 static binary
Apache-2.0 open-source core

Give every agent one URL. Keep every decision yours.

From the first local gateway to a governed fleet — same binary, same config, your infrastructure.

Free for solo builders and small teams — see pricing.