MCP Gateway Overview

Enterprise-grade MCP service gateway providing unified MCP service access, authentication, and access control for AI Agents.

Core Features

Standardized Authentication

Eliminates the need for each MCP Server to implement its own authentication. The gateway handles API Key validation, OAuth 2.0 + PKCE authorization flow.

User Identity Passthrough

Automatically injects an RS512-signed JWT id_token for each request, enabling MCP Servers to directly obtain caller identity information.

Granular Access Control

Controls access to each MCP Server at three levels — visible to all, department-only, or specific users.

End-to-End Audit Trail

Complete logging of caller, target service, request content, and response status for every request, with log archiving for analysis.

Secure Credential Storage

MCP Server credentials are encrypted with AES-256-CBC and verified with SHA-256 hashing, ensuring credentials remain confidential.

Real-time Monitoring & Alerts

30-second heartbeat checks with real-time connection status display. Visualize success rate, response time, and call trends.

Request Flow

AI AgentMCP GatewayMCP Server
1.AI Agent sends request with API Key to https://mcp.gateway.ai/{serverCode}/mcp
2.Gateway validates API Key, generates JWT id_token (with user identity), looks up target MCP Server configuration
3.Gateway injects authentication headers (OAuth2 token / API Key / Basic Auth) and forwards the request to the upstream MCP Server
4.MCP Server obtains user identity from X-MCP-Id-Token header, processes the request and returns the response
5.Gateway records audit log and returns the response to the AI Agent

Protocol Support

The gateway supports three MCP transport protocols: HTTP, SSE, and WebSocket, with automatic protocol detection and adaptation, including SSE/HTTP fallback.

Important Notes

  • The server code (serverCode) cannot be modified after creation. Choose a meaningful English identifier carefully.
  • OAuth 2.0 mode only supports services that declare grant_types_supported including both authorization_code and refresh_token.
  • Credentials (API Key, Token, passwords, etc.) are encrypted with AES-256-CBC. Leave fields empty during editing to keep existing values.
  • The gateway performs automatic heartbeat checks every 30 seconds. Automatic reconnection is triggered after 5 consecutive failures.
  • Ensure the MCP Server endpoint is accessible by the gateway. Internal network deployment requires network connectivity configuration.
  • User identity is passed through the X-MCP-Id-Token header. MCP Servers must verify the JWT signature using the tenant's public key.