Plugin catalogue

Every plugin that ships with MCPG — backends, identity providers, policy engines, tool-gates, transforms, observability sinks, payment rails, and infrastructure adapters — with its id, class, and what it does.

Almost everything the gateway does at the edges is a plugin: every backend that a tool dispatches to, every identity provider, every policy engine, every transform, and every telemetry sink loads as a signed plugin. The gateway core owns sessions, governance orchestration, and dispatch; the plugins own the integrations.

This page is the catalogue of the plugins that ship with MCPG — first-party, built and signed by the project, published as OCI artifacts under ghcr.io/mcpg-dev/source-code/plugins/. You load one by listing it under plugins[] with a source, and reference it from a binding's backend.kind (for backends) or by its governance role.

How plugins are identified

Every plugin declares a reverse-DNS id and a class. The id convention is dev.mcpg.<category>.<name>; a handful of older plugins use a bare dev.mcpg.<name> (noted in the tables). The class is a fixed taxonomy the gateway uses to decide where in the request lifecycle the plugin runs:

| Class | Role in the request lifecycle |
|---|---|
| Backend | Fulfils a tool/prompt/resource call (the backend.kind target). |
| IdentityProvider | Resolves caller identity from a credential (JWT, mTLS, API key…). |
| PolicyEngine | Authorizes a resolved caller against a tool (Cedar / OPA / Casbin). |
| ToolGate | Runs in the pre-dispatch gate chain — rate limit, approval, payment, IP allow-list, audit emit. |
| Transform | Rewrites tool arguments or results in the pipeline. |
| CredentialIssuer | Mints upstream credentials for cred:// references. |
| SecretProvider | Resolves secrets from an external store (Vault). |
| AuditSink / TelemetrySink / MetricsSink / LogSink | Durable audit + observability fan-out targets. |
| Cluster / WatchStrategy | Cross-instance coordination + config/resource change watching. |
| ContentStore / Store / Cache | Persistence for generated content, state, and response caches. |
| CatalogProvider | Enriches/filters the advertised tool catalogue. |

A plugin's signature.policy (disabled / warn / enforce) controls trust on load — use enforce in production. See Plugin security for the signing and trust model.

```yaml
plugins:
  - id: dev.mcpg.policy.cedar
    source:
      oci: "ghcr.io/mcpg-dev/source-code/plugins/policy-cedar:1.0.0"
    signature:
      policy: enforce
```

Backends

A binding selects a backend with backend.kind. The non-LLM backends:

| backend.kind | Plugin id | Purpose |
|---|---|---|
| http | dev.mcpg.backend.http | Outbound HTTP/1.1+2 requests (reqwest), per-call CEL resolution, per-credential client caching. |
| grpc | dev.mcpg.backend.grpc | gRPC calls as JSON, sharing the HTTP backend machinery. |
| graphql | dev.mcpg.backend.graphql | GraphQL queries/mutations against a configured endpoint. |
| sql | dev.mcpg.backend.sql | Parameterised SQL against Postgres, MySQL/MariaDB, or SQLite. |
| kafka | dev.mcpg.backend.kafka | Request/reply over Kafka topics with per-caller credential resolution. |
| nats | dev.mcpg.backend.nats | Correlated request/reply over NATS subjects. |
| command | dev.mcpg.backend.command | Runs a subprocess with JSON over stdin/stdout. |
| openapi | dev.mcpg.backend.openapi | Maps one OpenAPI operation per tool from a named spec source. |
| mock | dev.mcpg.backend.mock | Returns a fixed response — for dev and tests. |
| pipeline | (built-in) | Composes multiple backend calls into one tool result (not a separate cdylib). |

The kafka and nats backend crates also register a watch plugin (dev.mcpg.watch.kafka_topic, dev.mcpg.watch.nats_topic, class WatchStrategy) so resource bindings can stream topic updates.

LLM backends

The LLM backends expose one backend.kind per modality. All kinds use underscores (openai_chat, never openai.chat):

| backend.kind | Plugin id | Modality |
|---|---|---|
| openai_chat | dev.mcpg.backend.openai.chat | Chat completions (OpenAI), tool use + vision. |
| openai_embedding | dev.mcpg.backend.openai.embedding | Text embeddings. |
| openai_image | dev.mcpg.backend.openai.image | Image generation. |
| openai_tts | dev.mcpg.backend.openai.tts | Text-to-speech. |
| openai_stt | dev.mcpg.backend.openai.stt | Speech-to-text (Whisper). |
| azure_openai_chat | dev.mcpg.backend.azure_openai.chat | Chat via Azure OpenAI deployments. |
| azure_openai_embedding | dev.mcpg.backend.azure_openai.embedding | Embeddings via Azure OpenAI. |
| azure_openai_image | dev.mcpg.backend.azure_openai.image | Image generation via Azure OpenAI. |
| azure_openai_tts | dev.mcpg.backend.azure_openai.tts | Text-to-speech via Azure OpenAI. |
| azure_openai_stt | dev.mcpg.backend.azure_openai.stt | Speech-to-text via Azure OpenAI. |
| anthropic_chat | dev.mcpg.backend.anthropic.chat | Chat completions via Anthropic Messages API. |
| gemini_chat | dev.mcpg.backend.gemini.chat | Chat completions via Google Gemini. |
| gemini_embedding | dev.mcpg.backend.gemini.embedding | Embeddings via Google Gemini. |
| gemini_image | dev.mcpg.backend.gemini.image | Image generation via Google Imagen. |
| compat_chat | dev.mcpg.backend.compat.chat | Chat via any OpenAI-compatible endpoint (vLLM, LocalAI, Groq, Together…). |
| compat_embedding | dev.mcpg.backend.compat.embedding | Embeddings via OpenAI-compatible endpoints. |
| stability_image | dev.mcpg.backend.stability.image | Image generation via Stability AI. |

That's 27 backend kinds total (10 non-LLM incl. the built-in pipeline, plus 17 LLM kinds). Every kind and its config keys are in the configuration reference.

Identity providers

Resolve the caller. Built-in OIDC JWT verification lives in governance.access; these plugins add the other credential types under plugins[] (class IdentityProvider).

| Plugin id | Purpose |
|---|---|
| dev.mcpg.identity.oidc | OIDC / OAuth2 JWT validation and claim extraction. |
| dev.mcpg.identity.mtls | Identity from a mutual-TLS client-certificate subject DN. |
| dev.mcpg.identity.workload | Workload identity — Kubernetes ServiceAccount / SPIFFE. |
| dev.mcpg.identity.api-key | Identity from API keys (static or issuer-sourced). |
| dev.mcpg.identity.basic | Identity from HTTP Basic credentials. |

Policy engines

Authorize a resolved caller against a tool (class PolicyEngine). Declare one under governance.policy.engine[] and load it under plugins[].

| Plugin id | Purpose |
|---|---|
| dev.mcpg.policy.cedar | AWS Cedar policy language. |
| dev.mcpg.policy.opa | Open Policy Agent (Rego). |
| dev.mcpg.policy.casbin | Casbin models (RBAC/ABAC). |

Tool-gates

Run in the pre-dispatch gate chain (class ToolGate) — each can allow, deny, or challenge a call before it reaches a backend.

| Plugin id | Purpose |
|---|---|
| dev.mcpg.rate-limit | Per-caller/per-tool sliding-window rate limiting. |
| dev.mcpg.circuit-breaker | Fail fast when an upstream crosses an error threshold. |
| dev.mcpg.response-cache | Cache tool results keyed on caller + tool + arguments. |
| dev.mcpg.ip-allowlist | Restrict callers to allow-listed CIDR blocks. |
| dev.mcpg.guardrails | Prompt-injection / jailbreak screening on LLM inputs. |
| dev.mcpg.tool-gate-slack-approval | Hold a sensitive call for manual Slack approval. |
| dev.mcpg.audit | Emit an audit event for the call (pairs with an audit sink). |
| dev.mcpg.call-logger | Log every call with arguments, result, and latency. |
| dev.mcpg.webhook | Notify an external webhook on call events. |

Payment

Meter and charge tool usage (class ToolGate). One per billing protocol:

| Plugin id | Protocol |
|---|---|
| dev.mcpg.payment.x402 | HTTP 402 Payment Required. |
| dev.mcpg.payment.acp | Access Control Protocol. |
| dev.mcpg.payment.mpp | Metered Payment Protocol. |
| dev.mcpg.payment.ucp | Unified Charging Protocol. |

Transforms

Rewrite arguments or results in the pipeline (class Transform).

| Plugin id | Purpose |
|---|---|
| dev.mcpg.transform.jsonata | Apply a JSONata expression to arguments and/or results. |
| dev.mcpg.transform.masking | Mask sensitive fields (SSN, password, card numbers) in arguments/results. |

Credentials & secrets

Mint upstream credentials for cred:// references (CredentialIssuer) and resolve secrets from external stores (SecretProvider).

| Plugin id | Class | Purpose |
|---|---|---|
| dev.mcpg.credential.static | CredentialIssuer | Static credential values. |
| dev.mcpg.credential.oauth-client-credentials | CredentialIssuer | OAuth2 client-credentials token grant. |
| dev.mcpg.credential.oauth-token-exchange | CredentialIssuer | OAuth2 token exchange (RFC 8693), on-behalf-of. |
| dev.mcpg.credential.vault-dynamic-db | CredentialIssuer | Short-lived DB creds from Vault's dynamic DB engine. |
| dev.mcpg.secret.vault | SecretProvider | Resolve secrets from HashiCorp Vault, with rotation. |

Observability

Audit, metrics, traces, and logs fan out to sinks. stderr / stdout / file log sinks and the local-file audit sink are built into the gateway; these plugins add the external destinations.

| Plugin id | Class | Purpose |
|---|---|---|
| dev.mcpg.observability.prometheus | MetricsSink | Expose call latencies + counts as Prometheus metrics. |
| dev.mcpg.observability.otlp | TelemetrySink | Export traces + logs to an OTEL collector over OTLP. |

Audit is a governance concern, not an observability sink — see Audit trail. The built-in dev.mcpg.builtin.audit.local-file sink writes the hash-chained ledger; off-node audit sinks load as their own plugins.

Infrastructure

Cross-instance coordination, response caching, and content stores.

| Plugin id | Class | Purpose |
|---|---|---|
| dev.mcpg.cluster.redis | Cluster | Coordinate instances + watch config via Redis. |
| dev.mcpg.cluster.nats | Cluster | Coordinate instances via NATS JetStream. |
| dev.mcpg.cluster.consul | Cluster | Coordinate instances via HashiCorp Consul. |
| dev.mcpg.cluster.etcd | Cluster | Coordinate instances via etcd. |
| dev.mcpg.cache.redis | Cache | Shared response cache across Redis (TTL + invalidation). |
| dev.mcpg.storage.in_process | ContentStore | In-memory LRU for generated content (single-node). |
| dev.mcpg.storage.file_system | ContentStore | Filesystem persistence for generated content. |
| dev.mcpg.storage.s3 | ContentStore | S3-compatible storage (AWS S3, MinIO, R2, B2). |
| dev.mcpg.catalog.builtin | CatalogProvider | Config-driven tool-catalogue enrichment + trust-level filtering. |

Single-node clustering is built in; set cluster.kind to one of the above for HA — see Clustering.

A note on id conventions

Most ids follow dev.mcpg.<category>.<name>, but several predate the convention and use a bare dev.mcpg.<name>: dev.mcpg.rate-limit, dev.mcpg.circuit-breaker, dev.mcpg.response-cache, dev.mcpg.audit, dev.mcpg.call-logger, dev.mcpg.guardrails, dev.mcpg.ip-allowlist, dev.mcpg.webhook, and dev.mcpg.tool-gate-slack-approval. Use the exact id shown above — the gateway matches on it verbatim.
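
A pre-deploy lint for plugins[] that combines the signature.policy guidance and the id rules above. This is an added example, not MCPG's own tooling. It assumes the config has already been parsed into a mapping shaped like the YAML snippet on this page, treats an unset signature.policy as a finding, and uses constructed sample entries (their artifact names are illustrative):

```python
import re

# From the page: first-party plugins are published under this OCI prefix.
FIRST_PARTY_PREFIX = "ghcr.io/mcpg-dev/source-code/plugins/"
# From the page: ids that predate the dev.mcpg.<category>.<name> convention.
BARE_IDS = {
    "dev.mcpg.rate-limit", "dev.mcpg.circuit-breaker", "dev.mcpg.response-cache",
    "dev.mcpg.audit", "dev.mcpg.call-logger", "dev.mcpg.guardrails",
    "dev.mcpg.ip-allowlist", "dev.mcpg.webhook", "dev.mcpg.tool-gate-slack-approval",
}
BARE_NAMES = {i.rsplit(".", 1)[1] for i in BARE_IDS}
# dev.mcpg.<category>.<name>, where <name> may itself be dotted (openai.chat).
CATEGORISED = re.compile(r"^dev\.mcpg\.[a-z_]+(\.[a-z0-9_-]+)+$")

def lint_plugins(config):
    """Return (plugin id, finding) pairs for a parsed config mapping."""
    findings = []
    for entry in config.get("plugins", []):
        pid = entry.get("id", "<missing id>")
        policy = (entry.get("signature") or {}).get("policy")
        if policy != "enforce":
            findings.append((pid, f"signature.policy is {policy!r}, not 'enforce'"))
        if pid.startswith("dev.mcpg."):
            oci = (entry.get("source") or {}).get("oci", "")
            if not oci.startswith(FIRST_PARTY_PREFIX):
                findings.append((pid, "first-party id loaded from outside the project registry"))
            if pid not in BARE_IDS:
                if pid.rsplit(".", 1)[1] in BARE_NAMES:
                    findings.append((pid, "legacy plugin written with a category; use the bare id"))
                elif not CATEGORISED.match(pid):
                    findings.append((pid, "id does not match dev.mcpg.<category>.<name>"))
    return findings

# Constructed sample: the mapping a YAML loader would return for plugins[].
SAMPLE = {"plugins": [
    {"id": "dev.mcpg.policy.cedar",
     "source": {"oci": FIRST_PARTY_PREFIX + "policy-cedar:1.0.0"},
     "signature": {"policy": "enforce"}},
    {"id": "dev.mcpg.gate.rate-limit",  # wrong: this legacy id is bare
     "source": {"oci": FIRST_PARTY_PREFIX + "rate-limit:1.0.0"},
     "signature": {"policy": "warn"}},
    {"id": "dev.mcpg.identity.mtls",  # first-party id, foreign registry
     "source": {"oci": "registry.example.com/plugins/identity-mtls:1.0.0"},
     "signature": {"policy": "enforce"}},
]}

if __name__ == "__main__":
    for pid, finding in lint_plugins(SAMPLE):
        print(f"{pid}: {finding}")
```

The lint only checks the shape of ids and sources; whether an id actually exists is still decided by the tables above, since the gateway matches ids verbatim.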