What is MCPG?
A 60-second overview of the Model Context Protocol Gateway — the runtime that sits between your AI clients and your tools, adding identity, policy, audit, and extensibility.
MCPG is a gateway for the Model Context Protocol (MCP). It sits between your AI clients (Claude, Cursor, Continue, your own agents) and the tools, APIs, and data those agents reach for — and it makes that traffic governable.
Point an agent at one MCPG endpoint and it sees a curated catalog of MCP tools, prompts, and resources. Behind the gateway, each of those is backed by something real: an HTTP API, a SQL database, a Kafka topic, an LLM, a shell command, or an OpenAPI spec turned into tools automatically. Every call passes through identity resolution, policy authorization, and a tamper-evident audit trail before it touches anything.
If you've ever wanted to give agents access to internal systems but couldn't answer "who called this, were they allowed to, and can you prove it" — that's the gap MCPG closes.
The five pieces
MCPG is one product with five parts. You can run just the first one.
- Gateway — the runtime. A single statically-linked binary (mcpg) that speaks MCP over HTTP and stdio. It resolves identity, authorizes each call, routes to backends, and writes the audit ledger. One YAML config file drives it; the gateway rejects unknown keys at boot so a typo fails loudly instead of silently misconfiguring you.
- Plugins — how the gateway gets new capabilities. Identity backends, policy engines, transforms, backends, and observability sinks all ship as plugins. They load as native Rust cdylibs (maximum performance) or sandboxed WASM Components (language-agnostic). Plugins are Ed25519-signed and distributed as OCI artifacts, so you can pin and verify exactly what runs.
- Kubernetes operator — declarative fleet management. Eight CRDs (MCPGGateway, MCPGPlugin, MCPGPluginSet, MCPGRevocationList, MCPGCluster, MCPGRoute, MCPGTenant, MCPGPluginMirror) let you express gateways, plugin sets, multi-tenancy, and air-gapped mirrors as Kubernetes objects. The operator reconciles them into Deployments, Services, ConfigMaps, and RBAC.
- Control plane — multi-instance management. A management API and dashboard for running a fleet: instance enrollment, config distribution, and per-instance visibility into tool activity. Optional for a single gateway; the backbone for many.
- Infrastructure as Code — Terraform, Pulumi, and OpenTofu modules to install and manage the operator and MCPG resources from your existing IaC pipeline.
How a request flows
AI client ──MCP──▶ Gateway ──▶ Identity ──▶ Policy ──▶ Backend ──▶ Tool/API/DB
                      │                                    │
                      └──────────── Audit ledger ◀─────────┘
- An MCP client connects and lists tools. It sees only what it's authorized to see.
- It calls a tool. The gateway resolves identity (OIDC, mTLS, SPIFFE, API key, or anonymous on loopback).
- It checks policy (Cedar, OPA, or Casbin) — can this caller do this thing?
- It routes to the backend that fulfills the tool, transforming the request and response as configured.
- Every decision lands in a tamper-evident audit ledger with Ed25519 chain signatures.
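An added sketch, not MCPG's own code or ledger format, of how a hash-chained, Ed25519-signed audit log makes edits and deletions detectable. The Entry layout, Append, and Verify are hypothetical names, and the key and decision strings are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is a hypothetical record layout, not MCPG's actual ledger format.
type Entry struct {
	Decision string   // constructed text, e.g. "alice ALLOW sql.query"
	PrevHash [32]byte // SHA-256 of the previous entry; zero for the first
	Sig      []byte   // Ed25519 signature over PrevHash || Decision
}

func (e Entry) signed() []byte { return append(e.PrevHash[:], e.Decision...) }

// hash covers the signature as well, so a swapped signature breaks the link.
func (e Entry) hash() [32]byte { return sha256.Sum256(append(e.signed(), e.Sig...)) }

// Append links a new decision to the current head and signs it.
func Append(l []Entry, priv ed25519.PrivateKey, decision string) []Entry {
	e := Entry{Decision: decision}
	if n := len(l); n > 0 {
		e.PrevHash = l[n-1].hash()
	}
	e.Sig = ed25519.Sign(priv, e.signed())
	return append(l, e)
}

// Verify returns the first broken index (-1 if none) and the head hash reached.
func Verify(l []Entry, pub ed25519.PublicKey) (int, [32]byte) {
	var prev [32]byte
	for i, e := range l {
		if e.PrevHash != prev || !ed25519.Verify(pub, e.signed(), e.Sig) {
			return i, prev
		}
		prev = e.hash()
	}
	return -1, prev
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, 32)) // constructed demo key
	l := Append(Append(nil, priv, "alice ALLOW sql.query"), priv, "bob DENY shell.exec")
	l[0].Decision = "alice DENY sql.query" // simulated after-the-fact edit
	bad, _ := Verify(l, priv.Public().(ed25519.PublicKey))
	fmt.Println("first broken entry:", bad)
}
```

Chain verification alone does not reveal a truncated tail; comparing the returned head hash with a checkpoint stored outside the ledger does.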
What's under the hood
- 27 backend kinds — http, command, nats, grpc, graphql, kafka, mock, pipeline, openapi, sql, plus 17 LLM backends (OpenAI, Anthropic, and the rest). A pipeline backend chains 18 composable step kinds so one MCP tool can fan out across several systems.
- Identity, policy, transform, and audit are all pluggable, so you can chain engines (mTLS first, fall back to API key; Cedar plus OPA for defense-in-depth).
- MCP protocol coverage spans the 2025-11-25 release plus the DRAFT-2026-v1 draft, so you stay current as the spec moves.
When you'd reach for MCPG
- You're giving agents access to internal systems and need authentication, authorization, and an audit trail you can hand to a security review.
- You want to expose existing APIs or databases as MCP tools without writing a bespoke MCP server for each one.
- You run many teams or customers and need tenant isolation, per-tenant quotas, and group-gated tools.
- You operate in a regulated or air-gapped environment and need signed, mirrored, revocable plugins with zero outbound calls.
Next steps
- Install — Docker image, Helm chart, or build from source.
- Quickstart — boot a gateway with a validated dev config in under five minutes.
- Configuration reference — every config key, generated from the live schema.