Model Context Protocol (MCP) is how AI coding assistants like Claude Code, Cursor, Windsurf, and GitHub Copilot connect to external tools, data, and APIs. Since Anthropic released MCP in late 2024, usage has skyrocketed.
70% of MCP consumers already have between two and seven MCP servers configured, found Zuplo’s State of MCP report, and 72% expect their MCP usage to increase over the next 12 months. This has engineering leaders wondering how to govern the rise of rogue MCP servers before shadow AI and sprawl set in. That is where an MCP gateway comes in.
An MCP gateway sits between AI agents and MCP servers, acting as a control plane for agent-to-tool communication. It typically has an MCP registry to catalog servers and make them discoverable to AI agents, and acts as a unified enforcement layer for authentication, tool-level permissions and access control, and visibility into MCP use.
Without one, every developer pastes long-lived tokens into local config files, and nobody can say which agents can reach which systems, let alone revoke that access when someone leaves.
On scope: most gateways in this comparison govern remote MCP servers over Streamable HTTP, so local STDIO servers typically need to be wrapped as HTTP services or containerized before a gateway can front them.
- Engineering leaders governing team-wide MCP usage
- Platform teams choosing an MCP control plane
- Security engineers auditing agent-to-tool traffic
A number of MCP gateways have emerged to serve this need. Below, we assess some of the leading options on the market, comparing their functionality, security features, deployment model, and standout features.
Quick rundown of 10 MCP gateways
The following table compares leading MCP gateways at a glance.
| Gateway | Deployment model | Security features | Observability | Usability | Differentiator(s) |
|---|---|---|---|---|---|
| Zuplo MCP Gateway | Fully managed cloud | OAuth/OIDC, per-team/role access, curated tool access | Analytics, structured logs, audit logs | Cloud UI and config workflow | Virtual MCP servers, OpenAPI-to-MCP generation, AI/API gateway |
| Lunar.dev MCPX | Open source, private deploy | Token auth, RBAC, agent-specific restrictions | Tool invocation metrics | GUI control plane | Low-latency aggregation, evaluation sandbox |
| Composio MCP Gateway | Fully managed cloud | IdP delegation, tool allow/deny lists | Rate limit visibility | Team MCP endpoints | 1,000+ integrations, runtime tool selection |
| Kong AI Gateway | Konnect, hybrid, self-managed | Security policies, throttling, rate limiting | Analytics tracking | Kong ecosystem familiarity | LLM, MCP, A2A governance |
| TrueFoundry MCP Gateway | Kubernetes, VPC, on-prem | RBAC, approvals, IdP federation | Request-level behavior tracking | Cloud-native setup | Multi-step workflows, customer-controlled deployment |
| Operant MCP Gateway | Cloud-native, public/private | Threat detection, encryption, least privilege controls | Traffic graphics, metrics | Security-team focused | OWASP mapping, runtime threat detection |
| Portkey MCP Gateway | SaaS, VPC, self-hosted | Fine-grained auth, OAuth 2.1 flows | In-depth tracing | Balanced admin usability | Flexible auth, AI gateway integration |
| Lasso MCP Gateway | Open source | Sanitization, reputation scanning, secret filtering | Security risk analysis | Easy setup | Open source, lightweight security filtering |
| Usercentrics MCP Manager | Multiple gateways, local/remote | RBAC, OAuth, PII filtering | Alerts, token usage, logs | Private registry | Monitoring alerts, multiple server types |
| Workato Enterprise MCP | Managed enterprise iPaaS | Universal auth, identity management, governance | Comprehensive logging | Single GUI console | 26+ prebuilt servers, iPaaS foundation |
1. Zuplo MCP Gateway
Zuplo, the API and AI gateway platform, offers an MCP Gateway that acts as a central access point for approved servers, providing a way to discover, govern, and secure the use of approved MCP servers.
The core primitive is the virtual MCP server: a curated view of an upstream MCP server that exposes only the tools, prompts, and resources you pick, at its own gateway URL. Each virtual server fronts a single upstream, so rather than merging servers into one endpoint, you govern a fleet of curated endpoints from one gateway. The isolation is deliberate: tokens are scoped to a single virtual server, so a token issued for one can’t be replayed against another.
Pick an upstream from the curated library of popular servers like Linear, GitHub, Notion, and Stripe, or bring your own: it can connect to any remote, spec-compliant MCP server that works over Streamable HTTP. Zuplo’s MCP server handler can also turn your own OpenAPI routes into MCP tools.
Authentication is standards-based and handled at two layers: between the client and the gateway, and between the gateway and the upstream servers. The gateway puts access to MCPs behind an OAuth-protected endpoint, with a full OAuth 2.0 authorization server bundled in. For user identity, Zuplo uses the identity provider (IdP) of your choice, whether it’s Okta, Microsoft Entra, Auth0, or another OIDC-compliant provider.
For the upstream side, the gateway brokers credentials with multiple models: per-user OAuth, a shared OAuth grant, or a shared API key held in an encrypted vault.
Through a cloud-based UI or configuration, IT and platform leaders can curate MCP permissions and policies on a per-user, per-team, per-role, or per-virtual-server basis. The MCP Gateway produces structured logs and audit events.
One useful security pattern is creating read-only versions of MCP servers by curating the exposed capabilities: filter out the destructive tools and hand agents the safe subset. Capability curation also makes virtual servers handy for testing and development.
Run within the Zuplo platform, the MCP Gateway complements Zuplo’s API and AI gateway and its tools for building MCP servers from an OpenAPI file, making it an easy add-on for existing Zuplo users.
One consideration is that the gateway is new: it entered public beta in June 2026. Like many MCP gateways, Zuplo’s is still early, reflecting the newness of the category more than any lack of enterprise maturity.
Differentiators: Fully managed cloud platform, OAuth/OIDC with credential brokering, virtual MCP servers, capability curation, structured analytics and audit logs, MCP server generation.
MCP Gateway Quickstart
Build a virtual MCP server in the browser: pick an upstream, wire up OAuth, and point an agent at it.
2. Lunar.dev MCPX
Lunar.dev, API egress and AI gateway provider, offers an MCP gateway called MCPX. Using MCPX, teams can aggregate multiple MCP servers behind a single gateway, restrict tools, enforce policies and limits, and gain visibility into MCP tool calls.
MCPX, technically an MCP server that aggregates other MCP servers, ships in the open-source version and in an enterprise edition that can be deployed in a private cloud or datacenter.
The platform provides a GUI control plane for adding MCP servers, handling authentication, authorization, and permissions, and syncing AI agents with the gateway. It includes a built-in administrative approval process for approving or denying requests to add MCP servers, with dedicated per-agent workspaces.
For security, MCPX supports token-based authentication, role-based access, and agent-specific tool restrictions, and it connects to whatever identity and access management (IAM) system you use. For visibility, MCPX provides metrics on tool invocations, prompt payloads, and tool responses, feeding audit logging.
Thanks to its compatibility with Lunar.dev’s AI gateway, MCPX makes sense for cloud-native enterprises that want to govern both LLM-based AI agents and MCP authentication at low latency and scale in a unified platform.
Differentiators: Open-source MCP aggregation, low-latency performance, enterprise deployment flexibility, MCP evaluation sandbox, Lunar Gateway integration.
3. Composio MCP Gateway
Composio MCP Gateway is a fully managed cloud-based MCP gateway that can be placed in front of MCP tools to scope access, create allow or deny lists, and enact just-in-time tool selection to improve efficiency.
Composio emphasizes ease of use for administrators and developers, shipping with 1,000+ pre-built MCP server integrations. Once administrators register compliant MCP servers, they give each team a single MCP endpoint to share with their coding agent of choice.
Composio delegates authentication to external identity providers (IdPs) like Okta, Microsoft Entra, and Google Workspace.
Notably, Composio suggests the proper MCP tools on the fly and creates sandboxed environments for response summaries, reducing the likelihood of lengthy MCP server descriptions and chat histories draining context windows. It also handles rate limits and can mitigate schema drift and malformed payloads.
Although Composio isn’t the lowest-latency option here, it’s a good choice for engineering leaders wanting a user-friendly proxy to govern their team’s MCP tooling.
Differentiators: 1,000+ integrations out of the box, operator usability, runtime tool selection.
4. Kong AI Gateway
Kong, a connectivity middleware platform, provides an AI gateway as part of its Kong Konnect ecosystem. The gateway offers a unified way to govern traffic to major LLM providers, MCP servers, and agent-to-agent (A2A) systems.
For MCP, the gateway can set global security policies for accessing MCP servers, throttle and rate limit MCP calls, and track calls with analytics. It also provides broader AI gateway functions such as LLM routing, semantic caching for LLM responses, and other governance controls.
Kong’s compatibility with other Kong products makes it easier to govern LLM traffic at scale or generate MCP servers. Kong also provides an MCP Registry product, a more standalone directory for cataloging and discovering MCP servers and observing their traffic.
Kong has many bells and whistles compared to the others here, which might make it too bulky for those after a lean MCP gateway. Its setup and operation may require more platform engineering maturity than other managed tools.
Kong’s AI Gateway makes sense for teams established on the Kong product line that want an MCP gateway also supporting broader LLM routing and A2A traffic management.
Differentiators: Kong ecosystem compatibility, flexible deployment models, LLM and A2A governance in addition to MCP.
5. TrueFoundry MCP Gateway
TrueFoundry provides an MCP Gateway that allows you to connect MCP servers, oversee task execution, and observe request-level behaviors. TrueFoundry containerizes MCP servers, which enterprises can then run alongside the MCP Gateway on their own infrastructure, whether Kubernetes, a virtual private cloud (VPC), or an on-premise system.
The MCP Gateway ships with a central registry for cataloging and discovering authorized MCP servers. You can use the TrueFoundry SDK to generate custom servers from your APIs, or use their pre-built servers for select popular enterprise tools.
For security, operators can set global limits and policies, apply approval flows, and enact role-based access control (RBAC) across MCP tools. TrueFoundry federates identity through external providers like Okta or Microsoft Entra, and the platform is mature, meeting SOC 2, HIPAA, and GDPR-aligned security standards.
Like Kong AI Gateway, TrueFoundry handles both LLM requests and MCP server access, making it a more all-purpose AI gateway. It also supports agentic task execution, including multi-step workflows involving multiple tools and MCP servers.
TrueFoundry is great for regulated enterprises seeking a self-hosted deployment model, but it may be less intuitive for those wanting a lightweight, fully managed cloud offering.
Differentiators: Multi-step agentic workflows, prebuilt MCP servers, customer-controlled deployment, custom server support, enterprise compliance posture.
6. Operant MCP Gateway
Operant MCP Gateway offers a centralized control plane to manage agent to MCP server traffic. Sitting between cloud agents and local development tools and MCP servers, the tool prioritizes discovery, security, and threat detection.
The Operant MCP Gateway analyzes all data passed through MCP servers to spot security flaws like prompt injection and tool poisoning (malicious instructions hidden in tool descriptions) to detect potentially malicious use and unauthorized behaviors.
Admins can set least privilege controls, block untrusted servers, and introduce rate limiting and encryption for all MCP communications.
The platform produces graphics and metrics to visualize traffic patterns and can map threats to OWASP’s Top Ten LLM list for more context. The gateway can be deployed on cloud-native infrastructure or private or public clouds.
The downside is that Operant is heavily security-centric. It’s primarily an MCP threat detection and runtime protection layer, with less emphasis on delegated OAuth flows, approval workflows, prebuilt MCP server catalogs, or tool-call optimization.
Operant MCP Gateway is a good option for enterprise security engineers who want visibility into MCP usage across local development tools and cloud-based AI agents, and to surface security issues that could lead to unauthorized access or data leaks.
Differentiators: Security vulnerability scanning, runtime threat detection, agentic usage metrics, OWASP threat mapping.
7. Portkey MCP Gateway
Portkey MCP Gateway is a more SaaS-friendly MCP gateway that covers the gamut of typical MCP gateway features, enabling organizations to set policies and monitor the use of MCP servers.
Portkey provides an MCP registry that supports remote MCP servers over HTTP (local STDIO MCP servers, the kind that run as processes on a developer’s machine, require extra HTTP wrapping). From there, operators can build consistent policies for tool use, monitor agentic usage patterns, and gain in-depth tracing.
Its fine-grained authorization model and flexible authentication schemes stand out. Authentication can be configured organization-wide or at the team, workspace, or individual user level. Unlike other gateways, Portkey can initiate its own OAuth 2.1 flow. Alternatively, you can use an IdP of your choice or an API key.
Portkey offers a SaaS version but can also run in a VPC or be self-hosted, and you can integrate it with an AI gateway to manage models alongside MCP servers.
On the downside, local servers require more effort, and Portkey’s MCP Gateway sits inside its larger AI gateway and observability platform. For those after a lightweight MCP gateway, it may be more than you need.
Portkey is a well-balanced MCP gateway offering a good mix of features, administrator usability, deployment flexibility, and enterprise maturity.
Differentiators: Fine-grained authentication, flexible deployment, OAuth 2.1 support, AI gateway integration.
8. Lasso MCP Gateway
Lasso supports an open-source
MCP Gateway that acts as a straightforward intermediary between agents and MCP
servers. Being open source, it’s easy to download and get started with.
Operators can configure an MCP registry for agents to discover servers based on
an mcp.json file.
Lasso’s MCP Gateway provides distinctive security features, including MCP server reputation scanning and security risk analysis. It can also sanitize data sent to and received from MCP servers to avoid exposing sensitive data and secrets.
That said, the tool is more a security scanning utility than a full enterprise MCP control plane. While helpful for security filtering and avoiding exposure of access tokens, it lacks broader gateway features like rate limiting, identity delegation, role-based permissions, approval workflows, or MCP usage optimization.
For a team wanting a simple way to enact security guardrails and filter information exposure, Lasso MCP Gateway is a helpful utility.
Differentiators: Data sanitization, security scanning, secret filters, open source, and easy setup.
9. Usercentrics MCP Manager
Usercentrics’ MCP Manager is a fully featured MCP gateway that centralizes provisioning, control, and monitoring for MCP servers. Using MCP Manager, you can easily spin up multiple gateways for testing purposes, and integrate both remote and local MCP servers.
Using Usercentrics, administrators can create a private MCP registry, limit what tools are available based on RBAC policies, and enact OAuth across all MCP servers using dynamic client registration.
Usercentrics also provides distinctive monitoring features, including token-level usage patterns to see which MCP tools drive high costs and exportable audit logs that detail server requests and responses.
It supports multiple MCP server types out of the box and offers PII filtering for sensitive data, making it a fit for security teams. You can also set up alerts for abnormal behavior, server outages, or content filter triggers.
On the downside, Usercentrics doesn’t come with a catalog of pre-built MCP integrations for popular third-party tools, and it’s more focused on MCP governance than broader AI gateway functionality.
MCP Manager is a well-balanced gateway, fit for scenarios that require a range of security measures to spot common MCP vulnerabilities.
Differentiators: Monitoring alerts, support for multiple MCP server types, advanced security features.
10. Workato Enterprise MCP
Workato’s Enterprise MCP provides a layer to automatically connect agentic systems with popular external tools. Workato emphasizes pre-built integrations, with 26 pre-built MCP servers ready to use and over 100 more rolling out through 2026.
You can manage MCP server governance from a single GUI console. A gateway manages all agent access along with universal authentication and user identity management, plus comprehensive logging.
Solution architects and platform engineers already using Workato with Recipe Functions can benefit, since Enterprise MCP turns those workflows into agentic skills to initiate on command.
Workato’s core benefit is its integration-platform-as-a-service (iPaaS) foundation, with process automation, data orchestration, API management, and more. That said, it could be overkill for teams that only need a simple MCP gateway or developer-first proxy, and the platform is more optimized for Workato-managed integrations than for bringing in arbitrary local MCP servers.
For an enterprise wanting a plug-and-play layer between corporate agent use and external MCP solutions, especially for business users, Workato Enterprise MCP is a good fit.
Differentiators: Mature iPaaS foundation, pre-built MCP servers, enterprise readiness, plug-and-play setup.
Other MCP gateway tools worth mentioning
The ten gateways above are among the leading offerings, but others are worth mentioning. Some open source tools include:
- Agentgateway: An open-source project hosted by the Linux Foundation that can handle LLM routing, MCP traffic, and A2A from a single plane.
- Docker MCP Gateway: An open-source MCP gateway from Docker that containerizes MCP servers and integrates with the Docker ecosystem.
- Microsoft MCP Gateway: Microsoft’s open-source reverse-proxy for managing MCP server traffic.
- Obot: An open-source platform ecosystem for managing MCPs, skills, policies, and tool use auditing.
Major clouds are also experimenting with their own solutions. For example, AWS AgentCore Gateway can now unite MCP servers as a target type within this agent-focused gateway.
Beyond that, several enterprise and integration-focused gateways are built for MCP or now support it as a type within their gateways:
- Aembit MCP Gateway: A security and routing service for centralizing MCP governance.
- Agen.co: A more general-purpose agent gateway for standardizing API connectivity that supports MCP.
- Airbyte Agents: An agent-to-data access layer emphasizing token monitoring and cost optimization.
- MintMCP: Another agent-focused gateway for governing MCP access and use.
- Smithery: A layer for connecting agents to external tools like skills and MCP servers.
- Tyk MCP Gateway: Tool-level controls and unified observability for remote MCP servers.
- WSO2 API Portal & MCP Hub: A proxy to help expose MCP servers and APIs to agents.
Finally, a number of MCP registries have emerged. These standalone tools are less like fully-fledged gateways and act more as a static list of approved internal MCP servers.
Choosing the right MCP gateway
Most MCP gateways share common features: access control, guardrails, reporting, and analytics. Still, some differentiators stand out, and knowing which gateway fits your scenario can be tricky. Here’s a quick guide on when to use what:
| If you need | Consider |
|---|---|
| An all-purpose, fully managed gateway for the MCP servers your team uses or exposes | Zuplo MCP Gateway |
| A broader AI gateway with more control over agents, LLMs, and skills | Kong AI Gateway, TrueFoundry MCP Gateway |
| A vast library of pre-built connectors or workflows | Composio MCP Gateway, Workato Enterprise MCP |
| Security monitoring, detection, and filtering | Operant MCP Gateway, Usercentrics MCP Manager, Lasso |
| Flexible deployment options with fine-grained authorization | Portkey MCP Gateway |
| A gateway-like layer for data access and cost optimization | Airbyte Agents |
| A static list of approved MCP servers | An open-source gateway or MCP registry |
If all you need is limited cataloging and discovery functionality, you may also be able to build your own, though weigh that against the maintenance cost.
The benefits of using an MCP gateway
MCP use is still climbing: directories like Pulse MCP now track thousands of MCP servers and estimate ecosystem-wide downloads in the millions. As usage grows, a centralized control plane to govern MCP tool calls makes a lot of sense.
An MCP gateway improves security and compliance and avoids shadow IT and scattered OAuth tokens. Granular security at the gateway level lets you avoid over-privileged access. By aggregating and tracking MCP use, you gain visibility into usage patterns, which can inform auditing, cost optimization, threat detection, and more.
Given agentic AI’s propensity to act in unpredictable ways, mature infrastructure is becoming more critical. It can be the difference between a contained incident and a breach, and it supports site reliability and platform architecture goals. MCP gateways are becoming table stakes when scaling MCP use across engineering teams.
Not all MCP gateways are alike, so it takes some work to find the right one. By reviewing this guide, CTOs, heads of engineering, and security engineers should be able to choose the gateway that works best for them. For a closer look at what a managed MCP gateway handles for you, see Introducing the Zuplo MCP Gateway.