--- title: "MCP Gateway Public Beta" description: "" canonicalUrl: "https://zuplo.com/changelog/2026/06/02/mcp-gateway-public-beta" pageType: "changelog" date: "2026-06-02" tags: "runtime, portal, policy, security" --- With the explosion of AI workloads, agents are being granted unprecedented access to your critical systems. The MCP Gateway, now in public beta, lets you monitor, control, and customize how agents reach your systems through MCP: a fully-managed proxy built into the Zuplo API Gateway you already run. - **See every call**: Detailed analytics on which agents are calling which tools - **One identity layer**: Gate access through a single layer that enforces your company policies - **Least privilege by default**: Filter tools by user, agent, role, or anything else, for humans and agents alike Here's what's in the beta. ## Virtual servers in the Portal Create a virtual server in the Zuplo Portal and pick an upstream from the server library (Stripe, Linear, GitHub, PostHog, and more) or set up a custom one. The setup wizard walks through upstream selection, inbound authentication, tool exposure, and outbound credentials. ![New MCP Gateway virtual server wizard with upstream MCP server library](../public/media/changelog/2026-06/mcp-gateway-setup.png) ## Gateway authentication - **10+ identity providers**: Auth0, WorkOS, Google, Okta, Microsoft Entra, Amazon Cognito, Keycloak, Logto, OneLogin, and Ping, all configurable from the Portal UI - **Real client compatibility**: OAuth flows work with ChatGPT Apps SDK, Claude Desktop, Claude Code, Cursor, VS Code, and other MCP clients, including Dynamic Client Registration for `private_key_jwt` clients - **Stable refresh tokens**: Downstream refresh tokens are no longer rotated on each use, so clients can't become stranded by a lost refresh response All gateway-hosted UI pages (consent, sign-in, OAuth callback) use a clean, unbranded design with domain-derived favicons, ready to serve from your custom domain. ## Capability filtering The wizard's Tools step offers two modes: **Passthrough** federates the upstream's catalog live with zero config, while **Curate** lets you pick the specific tools, prompts, and resources to expose, grouped by read-only versus state-modifying behavior. ![Tools step of the MCP Gateway wizard in Curate mode, selecting which upstream tools to expose](../public/media/changelog/2026-06/curate-tools-wizard.png) Under the hood, the MCP Capability Filter policy works as an allowlist: list responses (`tools/list`, `prompts/list`, etc.) only show permitted capabilities, and direct calls to hidden capabilities are blocked before they reach the upstream server. See the [capability filtering documentation](https://zuplo.com/docs/mcp-gateway/capability-filtering). ## End-user analytics MCP Gateway events attribute usage to individual end users. The new MCP analytics dashboard shows tool calls, active sessions, error rate, and p95 latency, with top capabilities breakdown tables across your upstream servers. ![MCP analytics top capabilities breakdown with call volume, error rate, and p95 latency per tool](../public/media/changelog/2026-06/mcp-analytics-dashboard.png) ## Policy-composed routes For code-first workflows, each upstream MCP server is a standard Zuplo route using the new `McpProxyHandler`, with gateway authentication, upstream credential injection, and capability filtering applied as composable inbound policies: ```json { "x-zuplo-route": { "handler": { "export": "McpProxyHandler", "module": "$import(@zuplo/runtime)", "options": { "upstream": { "url": "https://my-upstream-mcp.example.com/mcp" } } }, "policies": { "inbound": [ "mcp-oauth-inbound", "mcp-token-exchange-inbound", "mcp-capability-filter-inbound" ] } } } ``` Because MCP servers are just routes, existing policies (rate limiting, logging, custom code) work on MCP traffic too. Four MCP policies are now public in the [policy catalog](https://zuplo.com/docs/policies): MCP OAuth, MCP Auth0 OAuth, MCP Token Exchange, and MCP Capability Filter. ## Getting started Wire up your first server and point an agent at it. It takes minutes. The [MCP Gateway quickstart](https://zuplo.com/docs/mcp-gateway/quickstart) is the fastest way in, and the [MCP Gateway documentation](https://zuplo.com/docs/mcp-gateway/introduction) covers architecture details, authentication guides, and client connection instructions.