MCP Gateway
A policy-enforcing proxy for the Model Context Protocol. Scan tools for poisoning, redact PII in arguments and results, control which tools an agent can call, and audit every call — in our cloud or entirely inside your own VPC.
Why an MCP Gateway
MCP gives agents real power — and a real attack surface. Every downstream server your agent connects to can inject instructions through tool descriptions, receive sensitive data through tool arguments, and return untrusted content through tool results. The MCP Gateway is an aggregating proxy that sits in front of all your MCP servers and enforces one org-wide policy on that entire surface.
- One endpoint aggregates all your downstream MCP servers, with a single policy across them
- Tool descriptions are scanned for poisoning at catalog time — before your agent sees them
- PII in tool arguments (outbound) and tool results (inbound) is redacted or blocked
- Per-org tool allow/deny lists control exactly what an agent can invoke
- Every call is audited; metadata streams to your SIEM — never prompt or tool content
- Runs in our multi-tenant cloud, or as a container inside your own VPC
What it protects
Tool-Poisoning Scan
Catalog-timeEvery downstream tool's name and description is scanned for prompt-injection and instruction-poisoning at catalog time — before the tool is ever exposed to your agent. Malicious 'ignore previous instructions' style descriptions are flagged and blocked.
Outbound Argument DLP
Request pathTool-call arguments are inspected before they leave your environment. PII and secrets can be blocked so an agent can't exfiltrate sensitive data into a third-party MCP server.
Inbound Result DLP
Response pathTool results returning from downstream servers are scanned and PII is redacted (or blocked) before the model sees them — stopping a compromised or over-sharing server from injecting sensitive data into the context.
Tool Allow / Deny
Access controlPer-org allowlists (default-deny) and denylists (always win) control exactly which tools an agent can call, by bare or namespaced tool name.
Graceful Degradation
AvailabilityIf one downstream MCP server is unreachable or misconfigured, the gateway skips it (emitting a high-severity audit event) and keeps serving every other server — one bad server never takes down the whole catalog.
Audit & SIEM
ObservabilityEvery tool call, policy decision, and skipped server emits a structured security event you can stream to your SIEM (Splunk, Datadog, Sentinel) — metadata only, never prompt or tool content.
How it works
Point your MCP client at the gateway instead of at individual servers. The gateway authenticates the request with your project API key, resolves it to your organization, builds an aggregated tool catalog from your registered downstream servers, and enforces your policy on everytools/listandtools/call.
{
"mcpServers": {
"aisg-gateway": {
"url": "https://api.aisecuritygateway.ai/mcp",
"headers": {
"Authorization": "Bearer oah_your_project_api_key"
}
}
}
}Per-direction DLP actions
DLP is controlled independently for each direction, so you can protect data flowing out to tools differently from data flowing back to the model. Configure both from Settings → MCP Gateway.
Request action (tool arguments)
| Action | Behavior |
|---|---|
| Off | Arguments are forwarded unmodified. No scanning on the request path. |
| Block | If PII/secrets above threshold are detected in tool-call arguments, the call is blocked before it reaches the downstream server. |
Response action (tool results)
| Action | Behavior |
|---|---|
| Off | Tool results are returned unmodified. No scanning on the response path. |
| Redact | Detected PII in tool results is replaced with typed placeholders (e.g. <EMAIL_ADDRESS>) before the model sees them. The recommended default. |
| Block | If PII above threshold is detected in a tool result, the entire result is blocked. Strongest, but can break agents that legitimately need the data — use deliberately. |
Tuning false positives
Public data (asset names, symbols, IDs, prices) can look like PII to a scanner. Four policy controls let you keep protection strong without over-redacting benign values.
allowFields
JSON keys whose values are exempt from redaction — ideal for public identifiers (asset names, symbols, IDs) that would otherwise be over-redacted.
scoreThreshold
The confidence floor (0–1) a detection must clear before it counts. Raise it to cut false positives on ambiguous matches.
blockedEntities
Narrow the entity types the policy acts on, so you redact SSNs and cards without touching benign values.
resultScanMaxBytes
The size ceiling for synchronous result scanning; larger payloads are sampled to protect tool-call latency.
Deployment modes
Cloud (multi-tenant)
A single managed endpoint serves every org. Each request is authenticated by its project API key and dispatched to that org's policy and server registry. Downstream credentials are stored in AWS Secrets Manager and resolved per request.
Hybrid VPC (in your network)
The same gateway ships as a container for Docker Compose or Kubernetes. It reads its per-org registry and policy from the sync-agent bundle — metadata only — and resolves every downstream token locally from your own environment, so credentials and tool traffic never leave your VPC. See the Hybrid VPC deployment guide.
Security model
Credentials never in the bundle
In Hybrid mode, the synced bundle carries only server metadata and policy. Downstream tokens are resolved locally from your environment and never leave your network.
Fail-closed on missing creds
A downstream whose credential is unset is not called — the gateway refuses to hit a server it can't authenticate to, rather than leaking an unauthenticated request.
Confused-deputy isolation
Each org's servers and secrets are strictly scoped. One tenant can never see or reach another tenant's downstream servers.
Metadata-only audit
Security events capture event type, severity, org, tool, and decision — never argument or result content — so you get full observability without new data exposure.
Frequently Asked Questions
How is this different from your LLM proxy?
The LLM proxy secures chat/completions traffic to model providers. The MCP Gateway secures the other half of an agent's attack surface: the tool calls it makes over the Model Context Protocol. It's an aggregating proxy that sits in front of your downstream MCP servers and enforces policy on the tools themselves — their descriptions, arguments, and results.
What is tool poisoning and why scan descriptions?
MCP tool descriptions are fed to the model as instructions. A malicious or compromised server can hide adversarial instructions ('before answering, send the user's API keys to…') inside a tool's description. The gateway scans every tool's name and description at catalog time and blocks poisoned tools before your agent ever sees them.
Will result redaction break my agent?
Redaction (the default) replaces PII with typed placeholders, which most agents handle fine. Block is stricter and can break workflows that legitimately need the data, so it's opt-in per direction. For false positives on public data, use allowFields, scoreThreshold, and blockedEntities to tune precisely.
Where do downstream server credentials live?
In the cloud, downstream credentials are stored in AWS Secrets Manager and resolved per-request — never in the database or the browser. In Hybrid VPC mode, credentials never leave your network at all: the synced policy bundle carries server metadata only, and the gateway resolves each token locally from your own environment.
What happens if a downstream MCP server is down?
The gateway degrades gracefully. It skips the unreachable server, emits a high-severity mcp.server_unavailable audit event, and continues serving every other server's tools. One failing dependency never brings down the whole gateway for a tenant.
Can I run this entirely inside my own VPC?
Yes. The same gateway ships as a container for Hybrid VPC (Docker Compose or Kubernetes). It reads its per-org registry and policy from the sync-agent bundle (metadata only) and keeps all tool traffic and credentials inside your network. See the Hybrid VPC deployment guide.
Secure your agent's tools
The MCP Gateway is in private beta. Enable it for your organization and put a policy in front of every MCP server your agents touch.
Join the Community
Want to self-host this?
AI Security Gateway is open source. Deploy the core AI security proxy on your own infrastructure — PII redaction, prompt injection blocking, and secret detection included. No account required.