See every MCP call.
Block the dangerous ones.
mcpgw sits between your AI agents and MCP servers, giving platform and security teams policy enforcement, audit logs, authentication, and Datadog-native tracing — without rewriting agents or upstream MCP servers.
mcpgw is a self-hosted MCP gateway that turns agent tool traffic into something you can route, govern, trace, and audit.
$0 Community · $599/mo Team →Your agents are calling filesystems, databases, and shells — through MCP.
Without a gateway, those calls are scattered across clients and servers with inconsistent logging, weak policy, and little observability.
- MCP tool calls invisible to Datadog APM
- shell_exec reachable from agents that should never call it
- Bearer tokens and sk- keys reach upstream verbatim
- "Which tools did agent X call last week?" has no answer
- Audit story is whatever the underlying tool happens to log
- Adding a control means a code deploy across every agent
- Authenticate MCP clients
- Route calls to the right upstream server
- Deny, redact, rate-limit, or strip risky content
- Trace every call with mcp.* telemetry
- Write one audit record per decision
- Support Claude Desktop-style stdio clients through a bridge
Three actions. First match wins. Hot-reloadable.
deny, redact, rate_limit. Match by exact name, prefix, glob, regex, or list. Set default_action: deny for explicit allowlist mode. SIGHUP reloads policy atomically with no dropped connections.
Three actions
- deny — 403 + JSON-RPC -32001
- redact — regex over body, upstream sees [REDACTED]
- rate_limit — token bucket per (rule, session)
- default_action: deny — explicit allowlist
Five matcher primitives
Same matchers in routes and policy.
Sample policy
YAMLpolicy:
default_action: deny
rules:
- id: deny-shell
action: deny
when: { tool_name: shell_exec }
- id: rl-fs-write
action: rate_limit
when: { tool_name: fs_write }
tokens_per_second: 10
burst: 20
- id: redact-secrets
action: redact
when: { tool_name: "*" }
redact:
- regex: 'Bearer [A-Za-z0-9._-]+'
replacement: "[REDACTED]" Audit + Telemetry
One audit line per request. One Datadog span per call.
Every request mcpgw sees produces exactly one JSONL audit record and exactly one OTel span — even rejected ones. Audit ships locally and to S3 (with Object Lock for tamper-evidence), GCS, Kafka, or any HTTPS webhook. Spans land in your existing Datadog Agent over OTLP/HTTP — no new pipeline, no new vendor.
- One JSONL line per request — local file is canonical
decision,rule_id,auth_key_id,latency_ms- S3 with Object Lock governance retention
- GCS, Kafka, or HTTPS webhook sinks (SIGHUP-reloadable)
- Append-only on POSIX, queryable with
jq
mcp.tool.name,mcp.session.id,mcp.policy.decisionmcp.upstream,mcp.payload.bytes_in/out- Datadog Agent OTLP/HTTP receiver — no new pipeline
- ~1ms p50, ~5ms p99 added latency
- Async export — never blocks request path
Local audit · durable sinks · Datadog-native spans
One binary. Your VPC. No phone-home.
mcpgw is a single Go binary, distroless multi-arch (linux/amd64 + linux/arm64), ~32 MB. License verifies offline against an Ed25519 key baked into the binary — no analytics ping, no update check, no live revocation API. Air-gapped deployments are a first-class topology.
ghcr.io/seanfraserio/mcpgw
Distroless multi-arch image. Liveness /healthz, readiness /readyz.
Multi-replica HA
Stateless per-request. Reference Helm chart on the roadmap; HA topology documented.
Offline license verify
Ed25519 JWT verification entirely offline. No outbound dependency on rivano.ai/mcpgw.
systemd · ECS · Nomad · raw binary — anywhere a Go binary runs
INTEGRATIONS
Speaks MCP. Ships to your existing stack.
Any MCP-spec client connects natively over HTTP. stdio clients (Claude Desktop, Cursor, Zed) bridge via the bundled mcpgw stdio subcommand. Telemetry lands in your Datadog Agent. Audit ships to whatever durable sink your compliance team already uses.
Up and running in 10 minutes.
Don't replace your MCP servers. Put mcpgw in front of them.
Your MCP servers stay the same. Your controls get serious.
- An MCP-aware gateway/proxy
- A policy checkpoint for agent tool calls
- An audit and telemetry layer for MCP traffic
- A router across multiple upstream MCP servers
- A stdio-to-HTTP bridge for local MCP clients
- A native resource store
- A prompt-template server
- A general REST/GraphQL-to-MCP wrapper
- A sandbox for unsafe tools
- A multi-tenant SaaS control plane
Run the binary free. Pay for support and the license.
Three tiers. All prices public. No "contact sales" until Enterprise.
Source-available under BSL-1.1 · converts to Apache 2.0 after 4 years
Govern MCP before it governs you.
10 minutes from docker pull to first traced span in Datadog. No credit card.