AI & MCP

What is an MCP gateway and do I need one?

Nolan Sullivan

February 10, 2026 - 15 min read

AI & MCP

AI agents connecting to multiple tools create an N × M integration problem. Scaling to five MCP servers and three agents means managing 15 OAuth implementations, 15 credential stores, and 15 audit trails.

MCP gateways solve this by centralizing agent-tool connections. But the term MCP gateway describes fundamentally different products:

Infrastructure-only: Some vendors provide routing infrastructure and expect you to build authentication and compliance controls.
Governance: Others deliver governance platforms with role-based access control (RBAC), audit trails, and threat detection.
Hybrid: A third category of vendor combines governance with managed integration catalogs.

This article explains these three architectural patterns and helps you decide which type fits your needs. For hands-on evaluations of specific products, see Choosing an MCP gateway.

What is a gateway?

Gateways connect networks using different protocols. They centralize functionality that multiple systems need – whether protocol translation, security enforcement, request distribution, monitoring, or compliance logging – so backend services don’t have to reimplement infrastructure concerns.

Gateways operate at different infrastructure layers:

Your home router handles network address translation and firewall rules.
Cloudflare manages DDoS protection and SSL termination at the network edge.
Ngrok tunnels localhost to public URLs with request logging.

Each solves different problems, but all centralize shared infrastructure work.

API gateways vs MCP gateways

API gateways and MCP gateways both centralize infrastructure, but they serve different architectures and solve different problems.

An API gateway sits between clients (such as web applications, mobile apps, and third-party services) and backend services, and handles authentication, rate limiting, logging, caching, CORS, and circuit breaking.

Here is how an API gateway works:

Diagram showing how an API gateway routes client requests to backend services, handling authentication, rate limiting, and other cross-cutting concerns

An MCP gateway centralizes infrastructure for AI agents accessing tools through the Model Context Protocol . It connects AI agents to MCP servers that expose databases, APIs, and services, while handling the challenges of orchestrating multiple tool calls.

Diagram illustrating an MCP gateway managing stateful workflows between AI agents and MCP servers, coordinating multiple tool calls in sequence

API gateways route stateless HTTP requests, whereas MCP gateways manage stateful workflows, where an agent calls multiple tools in sequence, maintaining context across each interaction.

Governance differences

MCP gateways and API gateways enforce different types of policies:

API gateways enforce policies at the endpoint level, for example, ensuring a client can access /api/orders.
MCP gateways enforce policies at the function and parameter level, for example, ensuring an agent can call delete_repository on the production repo.

MCP gateways introduce three governance capabilities that API gateways don’t handle.

Semantic policies enforce rules based on AI-specific metrics (like accuracy thresholds, token budgets, and risk scores), not just rate limits.
Human-in-the-loop workflows pause agent execution mid-task, wait for human approval, then resume.
Identity mediation maps agent credentials to different OAuth tokens and scopes for each tool, rather than validating one token for the entire backend.

LLM gateways vs MCP gateways

MCP gateways determine the tools that an AI agent can access, whereas LLM gateways determine the LLMs that an AI agent can use.

An LLM gateway sits between your application and multiple AI model providers (such as OpenAI, Anthropic, Google, and local models). It routes requests based on several factors:

Query complexity: It uses cheaper models for simple syntax fixes and premium models for complex architectural guidance.
Context requirements: It routes small snippets differently than entire codebases.
Token usage: It tracks costs across model tiers to optimize spending.
Availability: It implements automatic failovers when models are slow or unavailable.
Tool calling patterns: It routes to models optimized for function calling or general chat.

LLM gateways route requests to the most appropriate model for each task. The Cursor Auto option demonstrates this by selecting cheaper models for simple edits and premium models for complex reasoning, reducing costs by 35-85% compared to using Claude Sonnet for every request.

Screenshot of Cursor AI's auto mode feature showing intelligent model selection based on query complexity and context requirements

Business value of MCP gateways

MCP gateways consolidate authentication, observability, and access control into a centralized infrastructure that allows users to:

Ship tool features faster: Adding MCP servers without a gateway means reimplementing OAuth flows, managing token refresh, and handling credential storage for each server. MCP gateways handle authentication once and reuse it across all servers, allowing development teams to build AI features instead of reimplementing auth plumbing.
Measure AI investment returns: Without a gateway, usage data is scattered across MCP servers, with no unified view. MCP gateways provide centralized observability, showing which agents deliver value, which tools create bottlenecks, and where AI budgets are allocated.
Accelerate enterprise sales: Enterprise customers may require compliance certifications, such as SOC 2 or HIPAA, before purchasing. These certifications need audit trails showing who accessed what data, when, and why. Building compliance controls separately for each tool and agent costs months of engineering time. MCP gateways enforce compliance centrally and maintain audit-ready logs by default.
Control partner access: Partner integrations need access to specific tools while keeping internal systems private. Without a gateway, this requires building custom APIs per partner. MCP gateways create partner-facing virtual servers that expose exactly the tools that partners can access.

The MCP gateway market: Separating routing from governance

The MCP gateway market doesn’t segment cleanly. Vendors use “MCP gateway” to describe governance platforms, integration marketplaces, server catalogs, and routing infrastructure, which makes evaluating products confusing.

Although we’ve categorized MCP gateways into three architecture groups, no vendor fits perfectly into one group. Some vendors prioritize routing and deployment with basic governance features, others prioritize enterprise governance and assume routing is in place, and a third group combines governance with managed integrations or deployment services.

Nevertheless, the framework helps you evaluate each product’s strengths and determine what you need to build yourself:

Infrastructure-first gateways prioritize routing and deployment, include basic governance features (such as authentication and RBAC), and expect you to build advanced compliance controls
Governance-first gateways prioritize enterprise controls (such as audit trails, advanced RBAC, and threat detection) and assume you have existing routing infrastructure.
Hybrid gateways combine governance with managed integrations (where vendors build MCP servers for you) or deployment platforms (where vendors host your MCP servers).

Infrastructure MCP gateways

Infrastructure-first gateways prioritize routing, deployment, and developer experience. They include basic governance features such as authentication and RBAC, but expect organizations to build additional compliance tooling to meet enterprise requirements.

These gateways solve the fundamental routing problem of connecting AI agents to multiple MCP servers without having to manage separate connections for each. They provide four core capabilities:

Protocol translation: They handle JSON-RPC, SSE, and Streamable HTTP, so agents can communicate with any MCP server regardless of transport.
Session management: They pin multi-step workflows to the same server instance, preventing context loss in sequential tool calls.
Server lifecycle management: They start servers on demand and automatically restart failures.
Connection pooling and load distribution: They prevent performance bottlenecks during traffic spikes.

Diagram showing an infrastructure MCP gateway handling protocol translation, request routing, session management, and server lifecycle while MCP servers handle their own governance

Organizations build their own audit trails, access control, compliance reporting, and logging. The two most popular infrastructure-first gateways on the market are Microsoft MCP Gateway and Docker MCP Gateway .

Microsoft

Microsoft’s MCP Gateway solution focuses on Kubernetes-native (K8s-native) routing with a dual-plane architecture. The dataplane handles runtime request routing with session affinity. The control plane manages the MCP server lifecycle through RESTful APIs. The platform targets Azure environments running Azure Kubernetes Service (AKS).

Choose Microsoft MCP Gateway for:

Specific Azure deployments
Running AKS with production-grade session management requirements
Fine-grained Azure Entra ID integration needs
Kubernetes clusters requiring cloud-accessible HTTP endpoints via the MCP proxy server

The tool is free and open source. Azure deployments incur infrastructure costs, for example, for using AKS, Azure Container Registry (ACR), and Azure Cosmos DB.

Docker

The Docker MCP Gateway treats MCP servers as containerized workloads. Each MCP server runs in its own Docker container with resource limits and restricted privileges, using container isolation as the security model.

Choose Docker MCP Gateway for container-native workflows:

When teams already work with containers, or container isolation is the preferred security model
With supply-chain verification requirements (such as signed images and SBOM checks via Docker Scout)
Where local-first development has a clear path to production deployment

The Docker MCP Gateway is free and open source. Docker Desktop requires a Docker Business payment plan for container management.

Governance MCP gateways

Governance-first gateways prioritize enterprise controls over routing infrastructure. They assume routing is in place and focus on access control, compliance, and observability.

Infrastructure-first gateways like Microsoft and Docker provide reliable routing but lack enterprise governance features. Organizations must build governance capabilities themselves, including:

Audit logs showing which agent called which tool
RBAC defining who can access which MCP servers
Credential vaults storing API keys securely
Compliance reporting for enterprise security reviews
Token budget enforcement and cost tracking
Human-in-the-loop approval workflows

Diagram showing a governance MCP gateway providing RBAC enforcement, audit trail generation, rate limiting, policy enforcement, threat detection, and compliance reporting

Two governance-first gateways serve the market: TrueFoundry and Lunar.dev MCPX .

TrueFoundry

TrueFoundry’s MCP Gateway manages LLMs, MCP servers, and AI agents through a single control plane. The platform handles authentication, rate limiting, and in-memory load balancing, delivering sub-3ms latency at 350 requests per second (RPS) with minimal infrastructure (1 vCPU and 1 GB RAM). This reduces hosting costs while maintaining performance.

The platform centralizes tool management. Organizations route all connections through a single gateway instead of maintaining point-to-point connections between each agent and every tool. MCP server groups provide logical isolation, allowing teams to experiment with different MCP servers without creating security holes or configuration conflicts.

Choose TrueFoundry for performance-critical deployments that have:

Ultra-low latency requirements (less than 5ms overhead)
Unified infrastructure for LLM management and MCP tool governance
Air-gapped or regulated environments requiring on-premise deployment
MCP server groups for team isolation
Existing AI infrastructure that needs to be extended without fragmentation

Pricing includes a free Developer tier (50,000 requests per month and up to three users), a Pro tier ($499 per month for 1,000,000 requests), and an Enterprise tier (custom pricing). Self-hosted deployments cost between $600 and $1,000 a month in hosting. TrueFoundry is SOC 2-certified across all tiers, with HIPAA/GDPR compliance available on the Enterprise plan.

Lunar.dev

Lunar.dev’s MCPX implements granular access control through a four-tier access control list (ACL) hierarchy:

Global policies
Consumer-level overrides
Service-level controls
Individual tool-level permissions

Organizations set broad defaults and make exceptions for specific teams or tools.

Teams can bundle tools into tool groups (like “reads,” “writes,” and “admin”) for efficient policy management. The core MCPX product is open source on GitHub . Organizations can evaluate, customize, and deploy without vendor lock-in. Enterprise features add centralized control planes, private MCP registries, and MCP evaluation sandboxes for testing servers before production deployment.

Use the Lunar.dev MCPX for control and customization, as well as for:

Tool-level access control with multi-tier policy inheritance
Self-hosted deployments (on Docker or Kubernetes) for data sovereignty
Customizing tool behavior by hardening parameters, rewriting descriptions, and locking parameters
Isolating agent groups (such as marketing, developers, and admin) with distinct tool access
Using an open-source core with optional enterprise features

Lunar.dev MCPX runs entirely inside the customer infrastructure. Enterprise pricing is custom, based on dedicated instances per user or agent using Kubernetes deployment. The related Lunar.dev AI Gateway product offers a Team tier at $250 per gateway per month and is SOC 2-certified.

Hybrid MCP gateways

Hybrid gateways combine governance capabilities with managed integrations or deployment services.

Governance-first gateways require organizations to bring their own MCP servers. Hybrid gateways provide both the control plane and either prebuilt integrations or simplified deployment infrastructure.

Integration platforms: Build vs buy

Integration platforms build and maintain MCP servers so organizations don’t have to.

Composio

Composio’s MCP gateway provides the largest managed integration catalog with over 500 toolkits built and maintained in-house. The catalog includes Gmail, GitHub, Jira, Slack, Salesforce, and Shopify with zero external dependencies.

The platform supports unified OAuth, API key, and JWT authentication across all integrations, with a latency overhead of less than 5ms. Intelligent MCP routing selects only the relevant tools for each query, reducing token consumption when agents need access to large tool catalogs. The platform supports cloud-hosted deployment for instant setup and self-hosted options for infrastructure control.

Choose Composio for its broad integration coverage, which includes:

Access to over 500 managed tools (without maintaining individual MCP servers)
Unified authentication across SaaS platforms with single sign-on (SSO)
Framework-agnostic support (OpenAI, Anthropic, LangChain, CrewAI, and Vercel AI SDK)
Transparent usage-based pricing with a free tier for prototyping
Managed integrations (instead of building and maintaining custom MCP servers)

Composio offers a free tier (20,000 calls per month), mid-tier plans ($29 per month for 200,000 calls, or $229 per month for 2,000,000 calls), and custom enterprise pricing. Premium tool calls (such as search APIs and code execution) cost triple the standard rate. The platform holds SOC 2 Type II and ISO certifications.

Security platforms: Community ecosystem access

Security platforms provide governance for the broader MCP ecosystem rather than building integrations in-house.

Runlayer

Runlayer provides enterprise governance for the over 18,000 MCP servers in the community ecosystem. The platform vets and secures community-built servers rather than building integrations in-house.

Runlayer offers enterprise-grade controls, including identity integration (with Okta or Microsoft Entra) and zero-trust architecture. Its primary differentiator is its MCP-specific threat detection models. Detection covers tool poisoning, tool shadowing, command injections, and fake MCP detection.

Choose Runlayer for its ecosystem security, which includes:

One-click MCP deployment without JSON editing or CLI installation
MCP-specific threat detection and security scanning
Enterprise identity integration with zero-trust architecture
Access to the broader MCP ecosystem with enterprise governance

Runlayer requires enterprise contracts with annual subscriptions based on API call volume. Organizations must schedule a demo. No self-service or free tier is available. The platform holds SOC 2 Type II and HIPAA certifications.

Deployment platforms: Governance and hosting

Deployment platforms combine governance features with hosting infrastructure, eliminating the operational burden of running MCP servers.

MintMCP

MintMCP transforms local stdio-based MCP servers into production-ready services. Organizations with developers running MCP servers locally can deploy their MCP servers to managed infrastructure without rebuilding them.

The platform offers three connector types:

Remote connectors point to existing servers
Hosted connectors are stdio servers that run in managed containers
Custom connectors have proprietary implementations

Enterprise authentication includes Okta SAML SSO integration with full OAuth 2.0, SAML, and OIDC support. Virtual MCP servers expose only the minimum required tools per role, enabling tool-level RBAC.

Choose MintMCP for stdio server deployment, including:

Productionizing existing stdio MCP servers with compliance wrapping
SOC 2 Type II-certified infrastructure with HIPAA-compliant options
Official Cursor IDE integration for enterprise teams
Tool-level RBAC with virtual MCP servers
Enterprise deployment for developers with local MCP servers

MintMCP pricing is based on user count across four tiers:

1-50 users
51-1,000 users
1,001-9,999 users
Over 10,000 users

You can contact enterprise@mintmcp.com for specific pricing. The platform is SOC 2 Type II-certified (verified at trust.mintmcp.com) and offers HIPAA-compliant infrastructure with BAA agreements.

DeployStack

DeployStack provides zero-installation MCP access through a single URL. Developers authenticate via their browsers and access MCP servers without npm, CLI, or local dependencies.

The platform uses a three-tier governance system:

The template level provides global admin security boundaries
The team level includes shared credentials with lock and unlock controls
The user level implements personal preferences

Credential injection uses AES-256-GCM encryption, eliminating developers’ direct handling of secrets.

Choose DeployStack when you need:

Zero-installation MCP access via a URL-only setup
Hierarchical configuration with granular lock and unlock controls
Secure credential injection without developers handling secrets
An open-source option (SSPL license) with a self-hosting capability
Minimal developer onboarding friction

DeployStack offers free personal use at cloud.deploystack.io . Enterprise-tier pricing is available but not publicly documented. The platform offers self-hosted deployment and is working toward SOC 2 Type II certification.

Gram

Unlike other gateways that work with pre-existing MCP servers, Gram generates custom servers and routes. In addition to picking tools and servers from the catalog, you can use Gram to create MCP servers from OpenAPI documents or custom code (using Gram Functions). The platform performs core gateway functions, including routing agent requests to the appropriate toolset, managing OAuth flows, enforcing access policies (private or public), and logging tool calls.

Gram lets you organize tools from different sources (such as OpenAPI documents, TypeScript functions, and existing MCP servers) into toolsets. Each toolset then becomes a hosted MCP server with its own endpoint. This allows you to create efficient toolsets for specific use cases, such as a customer support toolset that bundles your CRM and ticketing tools, or a sales toolset that combines Salesforce and email tools.

In addition to automatically generating MCP servers from OpenAPI specifications, Gram provides:

Minimal developer onboarding friction
Serverless deployment
Gateway infrastructure that handles logging, permissions, and authentication, so you can focus on adding tools
Embedded chat experiences

With a free Gram account, you can access one MCP server with 1,000 tool calls per month and a 14-day log retention. For more features, upgrade to the Pro plan, which includes a custom OAuth configuration, three MCP servers, and 5,000 tool calls for $29 per month, or set up a custom Enterprise plan with SSO, audit logs, and a self-hosted dataplane.

Choosing an MCP gateway

Categorizing MCP gateways according to architecture helps you choose an MCP gateway based on your needs:

For routing infrastructure with basic governance, choose an infrastructure-first gateway like Microsoft or Docker.
For enterprise compliance and access control, select a governance-first gateway like TrueFoundry or Lunar.dev.
For prebuilt integrations, select an integration platform like Composio or Gram.
For securing community MCP servers, select a security platform like Runlayer.
For deploying existing or local MCP servers, select a deployment platform like MintMCP or DeployStack.
For generating MCP servers from existing APIs and getting gateway features automatically, select Gram.

You can also use the following table, which compares MCP gateway solutions in more detail:

Product	Category	Routing	Auth	RBAC	Audit	Managed integrations	Deployment	Pricing model	Compliance
Microsoft MCP Gateway	Infrastructure-first	✅	✅ Azure Entra ID	✅ Application-level	✅ Azure Monitor	✅ Azure ecosystem	✅ K8s-native (AKS)	Free + Azure infra costs	-
Docker MCP Gateway	Infrastructure-first	✅	✅ Basic	⚠️ Container isolation	✅ Call logging	✅ 200+ catalog	✅ Container-native	Free + Docker Desktop (enterprise)	-
TrueFoundry	Governance-first	✅	✅ OAuth 2.0, Okta, Azure AD	✅ Enterprise-grade	✅ Complete	⚠️ Limited	✅ K8s SDK	Free tier, $499/mo Pro, Enterprise custom	SOC 2, HIPAA/GDPR (Enterprise)
Lunar.dev MCPX	Governance-first	✅	✅ OAuth, API key, SSO	✅ Four-tier ACL	✅ Complete	⚠️ Limited	⚠️ Docker/K8s	Custom enterprise pricing	SOC 2
Composio	Hybrid – Integration platform	✅	✅ OAuth, API key, JWT	✅	✅	✅ 500+ in-house	✅ Cloud + self-hosted	Free tier, $29-$229/mo, Enterprise custom	SOC 2 Type II, ISO
Runlayer	Hybrid – Security platform	✅	✅ Okta, Entra	✅	✅	⚠️ 18,000+ vetted	✅	Custom enterprise (annual)	SOC 2 Type II, HIPAA
MintMCP	Hybrid – Deployment platform	✅	✅ Okta SAML, OAuth 2.0, OIDC	✅ Tool-level	✅ Complete	✅	✅ stdio → production	Tiered by user count (contact sales)	SOC 2 Type II, HIPAA
DeployStack	Hybrid – Deployment platform	✅	✅ OAuth, JWT	✅	⚠️ Incomplete	✅	✅ URL-only access	Free personal, Enterprise custom	Working toward SOC 2
Gram	Hybrid – Deployment platform	✅	✅ OAuth, API keys	✅ Toolset-level	✅ Metadata only	✅ Catalog	✅ API → MCP serverless	Free tier, $29/mo Pro, Enterprise custom	SOC 2 Type II, ISO

Conclusion

The architecture of different MCP gateway solutions reflects their different priorities. Infrastructure-first gateways (Microsoft and Docker) provide routing with basic governance, governance-first gateways (TrueFoundry and Lunar.dev) prioritize enterprise-grade controls, and hybrid gateways combine governance with integrations (Composio), security (Runlayer), or deployment (MintMCP and DeployStack).

Organizations with existing REST APIs face a different challenge: generating MCP servers rather than managing them. Gram autogenerates MCP servers from OpenAPI documents, reducing large APIs to curated toolsets, while handling OAuth and serverless deployment.

Last updated on February 3, 2026