---
title: "MCP Gateway Comparison: 10 Tools for Governing AI Agent Access"
description: "An MCP gateway is becoming table stakes for governing AI agent access to tools and APIs. We compare 10 leading MCP gateways across security, observability, deployment model, and standout features."
canonicalUrl: "https://zuplo.com/blog/2026/06/02/mcp-gateway-comparison"
pageType: "blog"
date: "2026-06-02"
authors: "billDoerrfeld"
tags: "Model Context Protocol, ai-agents"
image: "https://zuplo.com/og?text=MCP%20Gateway%20Comparison%3A%2010%20Tools%20for%20Governing%20AI%20Agent%20Access"
---
Model Context Protocol (MCP) is how AI coding assistants like Claude Code,
Cursor, Windsurf, and GitHub Copilot connect to external tools, data, and APIs.
Since Anthropic released MCP in late 2024, usage has skyrocketed.
70% of MCP consumers already have between two and seven MCP servers configured,
found [Zuplo's State of MCP report](https://zuplo.com/mcp-report), and 72%
expect their MCP usage to increase over the next 12 months. This has engineering
leaders wondering how to govern the rise of rogue MCP servers before shadow AI
and sprawl set in. That is where an MCP gateway comes in.
An MCP gateway sits between AI agents and MCP servers, acting as a control plane
for agent-to-tool communication. It typically has an MCP registry to catalog
servers and make them discoverable to AI agents, and acts as a unified
enforcement layer for authentication, tool-level permissions and access control,
and visibility into MCP use.
Without one, every developer pastes long-lived tokens into local config files,
and nobody can say which agents can reach which systems, let alone revoke that
access when someone leaves.
On scope: most gateways in this comparison govern remote MCP servers over
Streamable HTTP, so local STDIO servers typically need to be wrapped as HTTP
services or containerized before a gateway can front them.
A number of MCP gateways have emerged to serve this need. Below, we assess some
of the leading options on the market, comparing their functionality, security
features, deployment model, and standout features.
## Quick rundown of 10 MCP gateways
The following table compares leading MCP gateways at a glance.
| Gateway | Deployment model | Security features | Observability | Usability | Differentiator(s) |
| ------------------------ | ------------------------------- | ------------------------------------------------------ | -------------------------------------- | ---------------------------- | -------------------------------------------------------------- |
| Zuplo MCP Gateway | Fully managed cloud | OAuth/OIDC, per-team/role access, curated tool access | Analytics, structured logs, audit logs | Cloud UI and config workflow | Virtual MCP servers, OpenAPI-to-MCP generation, AI/API gateway |
| Lunar.dev MCPX | Open source, private deploy | Token auth, RBAC, agent-specific restrictions | Tool invocation metrics | GUI control plane | Low-latency aggregation, evaluation sandbox |
| Composio MCP Gateway | Fully managed cloud | IdP delegation, tool allow/deny lists | Rate limit visibility | Team MCP endpoints | 1,000+ integrations, runtime tool selection |
| Kong AI Gateway | Konnect, hybrid, self-managed | Security policies, throttling, rate limiting | Analytics tracking | Kong ecosystem familiarity | LLM, MCP, A2A governance |
| TrueFoundry MCP Gateway | Kubernetes, VPC, on-prem | RBAC, approvals, IdP federation | Request-level behavior tracking | Cloud-native setup | Multi-step workflows, customer-controlled deployment |
| Operant MCP Gateway | Cloud-native, public/private | Threat detection, encryption, least privilege controls | Traffic graphics, metrics | Security-team focused | OWASP mapping, runtime threat detection |
| Portkey MCP Gateway | SaaS, VPC, self-hosted | Fine-grained auth, OAuth 2.1 flows | In-depth tracing | Balanced admin usability | Flexible auth, AI gateway integration |
| Lasso MCP Gateway | Open source | Sanitization, reputation scanning, secret filtering | Security risk analysis | Easy setup | Open source, lightweight security filtering |
| Usercentrics MCP Manager | Multiple gateways, local/remote | RBAC, OAuth, PII filtering | Alerts, token usage, logs | Private registry | Monitoring alerts, multiple server types |
| Workato Enterprise MCP | Managed enterprise iPaaS | Universal auth, identity management, governance | Comprehensive logging | Single GUI console | 26+ prebuilt servers, iPaaS foundation |
## 1. Zuplo MCP Gateway
[Zuplo](https://zuplo.com), the API and AI gateway platform, offers an
[MCP Gateway](https://zuplo.com/mcp-gateway) that acts as a central access point
for approved servers, providing a way to discover, govern, and secure the use of
approved MCP servers.
The core primitive is the virtual MCP server: a curated view of an upstream MCP
server that exposes only the tools, prompts, and resources you pick, at its own
gateway URL. Each virtual server fronts a single upstream, so rather than
merging servers into one endpoint, you govern a fleet of curated endpoints from
one gateway. The isolation is deliberate: tokens are scoped to a single virtual
server, so a token issued for one can't be replayed against another.
Pick an upstream from the curated library of popular servers like Linear,
GitHub, Notion, and Stripe, or bring your own: it can connect to any remote,
[spec-compliant](https://modelcontextprotocol.io) MCP server that works over
Streamable HTTP. Zuplo's
[MCP server handler](https://zuplo.com/features/mcp-servers) can also turn your
own OpenAPI routes into MCP tools.
Authentication is standards-based and handled at two layers: between the client
and the gateway, and between the gateway and the upstream servers. The gateway
puts access to MCPs behind an OAuth-protected endpoint, with a full OAuth 2.0
authorization server bundled in. For user identity, Zuplo uses the identity
provider (IdP) of your choice, whether it's Okta, Microsoft Entra, Auth0, or
another OIDC-compliant provider.
For the upstream side, the gateway brokers credentials with multiple models:
per-user OAuth, a shared OAuth grant, or a shared API key held in an encrypted
vault.
Through a cloud-based UI or configuration, IT and platform leaders can curate
MCP permissions and policies on a per-user, per-team, per-role, or
per-virtual-server basis. The MCP Gateway produces structured logs and audit
events.
One useful security pattern is creating read-only versions of MCP servers by
curating the exposed capabilities: filter out the destructive tools and hand
agents the safe subset. Capability curation also makes virtual servers handy for
testing and development.
Run within the Zuplo platform, the MCP Gateway complements Zuplo's API and AI
gateway and its tools for building MCP servers from an OpenAPI file, making it
an easy add-on for existing Zuplo users.
One consideration is that the gateway is new: it
[entered public beta in June 2026](https://zuplo.com/blog/introducing-zuplo-mcp-gateway).
Like many MCP gateways, Zuplo's is still early, reflecting the newness of the
category more than any lack of enterprise maturity.
**Differentiators:** Fully managed cloud platform, OAuth/OIDC with credential
brokering, virtual MCP servers, capability curation, structured analytics and
audit logs, MCP server generation.
## 2. Lunar.dev MCPX
[Lunar.dev](https://www.lunar.dev), API egress and AI gateway provider, offers
an MCP gateway called MCPX. Using MCPX, teams can aggregate multiple MCP servers
behind a single gateway, restrict tools, enforce policies and limits, and gain
visibility into MCP tool calls.
MCPX, technically an MCP server that aggregates other MCP servers, ships in the
open-source version and in an enterprise edition that can be deployed in a
private cloud or datacenter.
The platform provides a GUI control plane for adding MCP servers, handling
authentication, authorization, and permissions, and syncing AI agents with the
gateway. It includes a built-in administrative approval process for approving or
denying requests to add MCP servers, with dedicated per-agent workspaces.
For security, MCPX supports token-based authentication, role-based access, and
agent-specific tool restrictions, and it connects to whatever identity and
access management (IAM) system you use. For visibility, MCPX provides metrics on
tool invocations, prompt payloads, and tool responses, feeding audit logging.
Thanks to its compatibility with Lunar.dev's AI gateway, MCPX makes sense for
cloud-native enterprises that want to govern both LLM-based AI agents and MCP
authentication at low latency and scale in a unified platform.
**Differentiators:** Open-source MCP aggregation, low-latency performance,
enterprise deployment flexibility, MCP evaluation sandbox, Lunar Gateway
integration.
## 3. Composio MCP Gateway
[Composio MCP Gateway](https://composio.dev) is a fully managed cloud-based MCP
gateway that can be placed in front of MCP tools to scope access, create allow
or deny lists, and enact just-in-time tool selection to improve efficiency.
Composio emphasizes ease of use for administrators and developers, shipping with
1,000+ pre-built MCP server integrations. Once administrators register compliant
MCP servers, they give each team a single MCP endpoint to share with their
coding agent of choice.
Composio delegates authentication to external identity providers (IdPs) like
Okta, Microsoft Entra, and Google Workspace.
Notably, Composio suggests the proper MCP tools on the fly and creates sandboxed
environments for response summaries, reducing the likelihood of lengthy MCP
server descriptions and chat histories draining context windows. It also handles
rate limits and can mitigate schema drift and malformed payloads.
Although Composio isn't the lowest-latency option here, it's a good choice for
engineering leaders wanting a user-friendly proxy to govern their team's MCP
tooling.
**Differentiators:** 1,000+ integrations out of the box, operator usability,
runtime tool selection.
## 4. Kong AI Gateway
[Kong](https://konghq.com), a connectivity middleware platform, provides an AI
gateway as part of its Kong Konnect ecosystem. The gateway offers a unified way
to govern traffic to major LLM providers, MCP servers, and agent-to-agent (A2A)
systems.
For MCP, the gateway can set global security policies for accessing MCP servers,
throttle and rate limit MCP calls, and track calls with analytics. It also
provides broader AI gateway functions such as LLM routing, semantic caching for
LLM responses, and other governance controls.
Kong's compatibility with other Kong products makes it easier to govern LLM
traffic at scale or generate MCP servers. Kong also provides an MCP Registry
product, a more standalone directory for cataloging and discovering MCP servers
and observing their traffic.
Kong has many bells and whistles compared to the others here, which might make
it too bulky for those after a lean MCP gateway. Its setup and operation may
require more platform engineering maturity than other managed tools.
Kong's AI Gateway makes sense for teams established on the Kong product line
that want an MCP gateway also supporting broader LLM routing and A2A traffic
management.
**Differentiators:** Kong ecosystem compatibility, flexible deployment models,
LLM and A2A governance in addition to MCP.
## 5. TrueFoundry MCP Gateway
[TrueFoundry](https://www.truefoundry.com) provides an MCP Gateway that allows
you to connect MCP servers, oversee task execution, and observe request-level
behaviors. TrueFoundry containerizes MCP servers, which enterprises can then run
alongside the MCP Gateway on their own infrastructure, whether Kubernetes, a
virtual private cloud (VPC), or an on-premise system.
The MCP Gateway ships with a central registry for cataloging and discovering
authorized MCP servers. You can use the TrueFoundry SDK to generate custom
servers from your APIs, or use their pre-built servers for select popular
enterprise tools.
For security, operators can set global limits and policies, apply approval
flows, and enact role-based access control (RBAC) across MCP tools. TrueFoundry
federates identity through external providers like Okta or Microsoft Entra, and
the platform is mature, meeting SOC 2, HIPAA, and GDPR-aligned security
standards.
Like Kong AI Gateway, TrueFoundry handles both LLM requests and MCP server
access, making it a more all-purpose AI gateway. It also supports agentic task
execution, including multi-step workflows involving multiple tools and MCP
servers.
TrueFoundry is great for regulated enterprises seeking a self-hosted deployment
model, but it may be less intuitive for those wanting a lightweight, fully
managed cloud offering.
**Differentiators:** Multi-step agentic workflows, prebuilt MCP servers,
customer-controlled deployment, custom server support, enterprise compliance
posture.
## 6. Operant MCP Gateway
[Operant MCP Gateway](https://www.operant.ai) offers a centralized control plane
to manage agent to MCP server traffic. Sitting between cloud agents and local
development tools and MCP servers, the tool prioritizes discovery, security, and
threat detection.
The Operant MCP Gateway analyzes all data passed through MCP servers to spot
security flaws like prompt injection and tool poisoning (malicious instructions
hidden in tool descriptions) to detect potentially malicious use and
unauthorized behaviors.
Admins can set least privilege controls, block untrusted servers, and introduce
rate limiting and encryption for all MCP communications.
The platform produces graphics and metrics to visualize traffic patterns and can
map threats to OWASP's Top Ten LLM list for more context. The gateway can be
deployed on cloud-native infrastructure or private or public clouds.
The downside is that Operant is heavily security-centric. It's primarily an MCP
threat detection and runtime protection layer, with less emphasis on delegated
OAuth flows, approval workflows, prebuilt MCP server catalogs, or tool-call
optimization.
Operant MCP Gateway is a good option for enterprise security engineers who want
visibility into MCP usage across local development tools and cloud-based AI
agents, and to surface security issues that could lead to unauthorized access or
data leaks.
**Differentiators:** Security vulnerability scanning, runtime threat detection,
agentic usage metrics, OWASP threat mapping.
## 7. Portkey MCP Gateway
[Portkey MCP Gateway](https://portkey.ai) is a more SaaS-friendly MCP gateway
that covers the gamut of typical MCP gateway features, enabling organizations to
set policies and monitor the use of MCP servers.
Portkey provides an MCP registry that supports remote MCP servers over HTTP
(local STDIO MCP servers, the kind that run as processes on a developer's
machine, require extra HTTP wrapping). From there, operators can build
consistent policies for tool use, monitor agentic usage patterns, and gain
in-depth tracing.
Its fine-grained authorization model and flexible authentication schemes stand
out. Authentication can be configured organization-wide or at the team,
workspace, or individual user level. Unlike other gateways, Portkey can initiate
its own OAuth 2.1 flow. Alternatively, you can use an IdP of your choice or an
API key.
Portkey offers a SaaS version but can also run in a VPC or be self-hosted, and
you can integrate it with an AI gateway to manage models alongside MCP servers.
On the downside, local servers require more effort, and Portkey's MCP Gateway
sits inside its larger AI gateway and observability platform. For those after a
lightweight MCP gateway, it may be more than you need.
Portkey is a well-balanced MCP gateway offering a good mix of features,
administrator usability, deployment flexibility, and enterprise maturity.
**Differentiators:** Fine-grained authentication, flexible deployment, OAuth 2.1
support, AI gateway integration.
## 8. Lasso MCP Gateway
[Lasso](https://github.com/lasso-security/mcp-gateway) supports an open-source
MCP Gateway that acts as a straightforward intermediary between agents and MCP
servers. Being open source, it's easy to download and get started with.
Operators can configure an MCP registry for agents to discover servers based on
an `mcp.json` file.
Lasso's MCP Gateway provides distinctive security features, including MCP server
reputation scanning and security risk analysis. It can also sanitize data sent
to and received from MCP servers to avoid exposing sensitive data and secrets.
That said, the tool is more a security scanning utility than a full enterprise
MCP control plane. While helpful for security filtering and avoiding exposure of
access tokens, it lacks broader gateway features like rate limiting, identity
delegation, role-based permissions, approval workflows, or MCP usage
optimization.
For a team wanting a simple way to enact security guardrails and filter
information exposure, Lasso MCP Gateway is a helpful utility.
**Differentiators:** Data sanitization, security scanning, secret filters, open
source, and easy setup.
## 9. Usercentrics MCP Manager
[Usercentrics' MCP Manager](https://usercentrics.com/ai-model-context-protocol-manager/)
is a fully featured MCP gateway that centralizes provisioning, control, and
monitoring for MCP servers. Using MCP Manager, you can easily spin up multiple
gateways for testing purposes, and integrate both remote and local MCP servers.
Using Usercentrics, administrators can create a private MCP registry, limit what
tools are available based on RBAC policies, and enact OAuth across all MCP
servers using dynamic client registration.
Usercentrics also provides distinctive monitoring features, including
token-level usage patterns to see which MCP tools drive high costs and
exportable audit logs that detail server requests and responses.
It supports multiple MCP server types out of the box and offers PII filtering
for sensitive data, making it a fit for security teams. You can also set up
alerts for abnormal behavior, server outages, or content filter triggers.
On the downside, Usercentrics doesn't come with a catalog of pre-built MCP
integrations for popular third-party tools, and it's more focused on MCP
governance than broader AI gateway functionality.
MCP Manager is a well-balanced gateway, fit for scenarios that require a range
of security measures to spot common MCP vulnerabilities.
**Differentiators:** Monitoring alerts, support for multiple MCP server types,
advanced security features.
## 10. Workato Enterprise MCP
[Workato's Enterprise MCP](https://www.workato.com) provides a layer to
automatically connect agentic systems with popular external tools. Workato
emphasizes pre-built integrations, with 26 pre-built MCP servers ready to use
and over 100 more rolling out through 2026.
You can manage MCP server governance from a single GUI console. A gateway
manages all agent access along with universal authentication and user identity
management, plus comprehensive logging.
Solution architects and platform engineers already using Workato with Recipe
Functions can benefit, since Enterprise MCP turns those workflows into agentic
skills to initiate on command.
Workato's core benefit is its integration-platform-as-a-service (iPaaS)
foundation, with process automation, data orchestration, API management, and
more. That said, it could be overkill for teams that only need a simple MCP
gateway or developer-first proxy, and the platform is more optimized for
Workato-managed integrations than for bringing in arbitrary local MCP servers.
For an enterprise wanting a plug-and-play layer between corporate agent use and
external MCP solutions, especially for business users, Workato Enterprise MCP is
a good fit.
**Differentiators:** Mature iPaaS foundation, pre-built MCP servers, enterprise
readiness, plug-and-play setup.
## Other MCP gateway tools worth mentioning
The ten gateways above are among the leading offerings, but others are worth
mentioning. Some open source tools include:
- [Agentgateway](https://agentgateway.dev): An open-source project hosted by the
Linux Foundation that can handle LLM routing, MCP traffic, and A2A from a
single plane.
- [Docker MCP Gateway](https://github.com/docker/mcp-gateway): An open-source
MCP gateway from Docker that containerizes MCP servers and integrates with the
Docker ecosystem.
- [Microsoft MCP Gateway](https://github.com/microsoft/mcp-gateway): Microsoft's
open-source reverse-proxy for managing MCP server traffic.
- [Obot](https://obot.ai): An open-source platform ecosystem for managing MCPs,
skills, policies, and tool use auditing.
Major clouds are also experimenting with their own solutions. For example,
[AWS AgentCore Gateway](https://aws.amazon.com/bedrock/agentcore/) can now unite
MCP servers as a target type within this agent-focused gateway.
Beyond that, several enterprise and integration-focused gateways are built for
MCP or now support it as a type within their gateways:
- [Aembit MCP Gateway](https://aembit.io): A security and routing service for
centralizing MCP governance.
- [Agen.co](https://agen.co): A more general-purpose agent gateway for
standardizing API connectivity that supports MCP.
- [Airbyte Agents](https://airbyte.com): An agent-to-data access layer
emphasizing token monitoring and cost optimization.
- [MintMCP](https://mintmcp.com): Another agent-focused gateway for governing
MCP access and use.
- [Smithery](https://smithery.ai): A layer for connecting agents to external
tools like skills and MCP servers.
- [Tyk MCP Gateway](https://tyk.io): Tool-level controls and unified
observability for remote MCP servers.
- [WSO2 API Portal & MCP Hub](https://wso2.com): A proxy to help expose MCP
servers and APIs to agents.
Finally, a number of MCP registries have emerged. These standalone tools are
less like fully-fledged gateways and act more as a static list of approved
internal MCP servers.
## Choosing the right MCP gateway
Most MCP gateways share common features: access control, guardrails, reporting,
and analytics. Still, some differentiators stand out, and knowing which gateway
fits your scenario can be tricky. Here's a quick guide on when to use what:
| If you need | Consider |
| ----------------------------------------------------------------------------------- | ---------------------------------------------------- |
| An all-purpose, fully managed gateway for the MCP servers your team uses or exposes | Zuplo MCP Gateway |
| A broader AI gateway with more control over agents, LLMs, and skills | Kong AI Gateway, TrueFoundry MCP Gateway |
| A vast library of pre-built connectors or workflows | Composio MCP Gateway, Workato Enterprise MCP |
| Security monitoring, detection, and filtering | Operant MCP Gateway, Usercentrics MCP Manager, Lasso |
| Flexible deployment options with fine-grained authorization | Portkey MCP Gateway |
| A gateway-like layer for data access and cost optimization | Airbyte Agents |
| A static list of approved MCP servers | An open-source gateway or MCP registry |
If all you need is limited cataloging and discovery functionality, you may also
be able to
[build your own](https://zuplo.com/learning-center/build-vs-buy-mcp-server-infrastructure),
though weigh that against the maintenance cost.
## The benefits of using an MCP gateway
MCP use is still climbing: directories like
[Pulse MCP](https://www.pulsemcp.com) now track thousands of MCP servers and
estimate ecosystem-wide downloads in the millions. As usage grows, a centralized
control plane to govern MCP tool calls makes a lot of sense.
An MCP gateway improves security and compliance and avoids shadow IT and
scattered OAuth tokens. Granular security at the gateway level lets you avoid
over-privileged access. By aggregating and tracking MCP use, you gain visibility
into usage patterns, which can inform auditing, cost optimization, threat
detection, and more.
Given agentic AI's propensity to act in unpredictable ways, mature
infrastructure is becoming more critical. It can be the difference between a
contained incident and a breach, and it supports site reliability and platform
architecture goals. MCP gateways are becoming table stakes when scaling MCP use
across engineering teams.
Not all MCP gateways are alike, so it takes some work to find the right one. By
reviewing this guide, CTOs, heads of engineering, and security engineers should
be able to choose the gateway that works best for them. For a closer look at
what a managed MCP gateway handles for you, see
[Introducing the Zuplo MCP Gateway](https://zuplo.com/blog/introducing-zuplo-mcp-gateway).