MCPG is in public beta. Join the waitlist for managed cloud + early-access features.
MCP Gateway · Public beta

The governed MCP endpoint.

One URL for every Model Context Protocol server your team uses, with per-person permissions, full audit trail, and zero inbound ports.

  • Plugins shipping: 37
  • Plugin categories: 13
  • MCP spec compliance: 2025-11-25

Why MCPG

MCP traffic deserves a real gateway.

API gateways don't understand MCP. Sidecars don't compose. Hand-rolled wrappers don't audit. MCPG is purpose-built for the protocol — sessions, tools, prompts, resources, completions — with the security and observability surface real production calls require.

Per-person permissions

Identity is first-class. Resolve callers via OIDC, SPIFFE, mTLS, or API keys, then enforce per-tool policy with Cedar, OPA, or Casbin.

Full audit trail

Every tool call, every prompt, every resource read. Tamper-evident audit ledger with Ed25519 signatures and BLAKE3 chain hashing.

Zero inbound ports

The gateway speaks MCP outbound to your tools and inbound only to your callers. No exposed admin APIs, no surprise debug endpoints.

Built for fleets

One control plane, many gateways. Multi-tenant orgs, workspaces, environments. Bind config sets, push updates, watch them roll out.

Plugin-first

38 plugins shipping today across 12 categories. Native Rust + WASM Component Model. Author yours; sign it; ship it via OCI.

Observable by default

Prometheus + OpenTelemetry native. Per-call samples streamed to the CP. Hourly + daily rollups. Drill down by plugin, tool, or operator.

Quickstart · 60 seconds

Run the gateway, the control plane, and the dashboard with one command.

mcpg-ctl quickstart spins up MCPG, the control plane API, and an embedded React dashboard on a single port. No external database, no Kubernetes, no Helm — just one binary.

# Install
cargo install mcpg-ctl

# Run gateway + control plane + dashboard
mcpg-ctl quickstart

# Open the dashboard
open http://127.0.0.1:7843

Or: docker pull ghcr.io/mcpg-dev/mcpg · helm install mcpg ./helm/charts/mcpg

Plugin ecosystem

37 plugins. 13 categories. All Apache-2.0.

The gateway is a thin shell — power lives in plugins. Native Rust for performance-critical paths, WASM Component Model for sandboxed transforms, all signed and distributed via OCI.

  • policy.cedar: Sub-millisecond authz with hot-reload
  • identity.workload: SPIFFE X.509 + JWT-SVID via SPIRE
  • reliability.rate-limit: Per-identity / per-tool throttling
  • bindings.sql: Postgres + MySQL + SQLite via sqlx
  • observability.audit: Tamper-evident audit ledger
  • security.guardrails: Webhook callouts with CEL triggers
What MCPG is not

Honest about the scope.

We do
  • Govern MCP traffic — sessions, tools, prompts, resources, completions
  • Compose policy across identity, authorization, rate limits, audit
  • Run as a single binary, in Docker, on Kubernetes, or in your own cloud
  • Operate as multi-tenant fleets with one control plane
  • Stream per-call telemetry to Prometheus + OpenTelemetry
  • Ship 38 production plugins; let you author your own
We don't
  • Host LLM compute — bring your own models
  • Build a model — we are protocol-engineering, not training
  • Replace your API gateway for non-MCP traffic
  • Lock you to Anthropic, OpenAI, or any vendor
  • Phone home for offline / sovereign deployments
  • Ship a closed-source binary
Pricing

Free for solo + small teams. Pay for fleet, identity, and audit at scale.

Community
TBD

Self-hosted, single workspace. Everything you need to run MCPG against a small team or a personal project.

Pro
TBD

Single-team production. SSO, longer audit history, payments plugins.

Team
TBD

Multi-team operations with workspace RBAC, SAML, and the full policy.* family.

Enterprise
TBD

Air-gap / sovereign / BYOC, SCIM, environment RBAC, payload capture, long-term audit.


Stop hand-rolling MCP wrappers.

Run one MCPG in 60 seconds. Govern every tool call your agents make.