Rivano · mcpgw v1.1 · Datadog-native

See every MCP call your
agents make. Block the dangerous ones.

mcpgw is a self-hosted gateway for the Model Context Protocol. Drop it between your agents and your MCP servers and get policy, audit, and Datadog-native tracing — without touching agent code. The first product in the Rivano gateway portfolio.

OTLP-native · Self-hosted · No phone-home

Datadog APM service view: app.datadoghq.com/apm/services/mcpgw (live)
Stable mcp.* span attributes (mcp.tool.name · mcp.policy.decision · mcp.session.id) over OTLP/HTTP

Policy · Audit · Telemetry at a glance

Policy
  • Example decision: action: deny · tool: shell_exec · rule_id: deny-shell · HTTP 403, JSON-RPC -32001
  • Actions: deny · redact · rate_limit
Audit
  • Local JSONL file is canonical
  • S3 with Object Lock for tamper-evident retention
  • GCS · Kafka · webhook sinks, shipped asynchronously
  • jq-queryable · SIGHUP-reloadable
Telemetry
  • OTLP/HTTP native, to the Datadog Agent on :4318
  • Added latency ~1ms p50 / ~5ms p99
  • Stable mcp.* span attributes

$0 Community · $599/mo Team — flat, unlimited gateway instances. All prices public.

See pricing →
THE GAP

Your agents are calling things you can't see.

MCP tools moved into production faster than the controls around them.

Without mcpgw
  • MCP tool calls invisible to Datadog APM
  • shell_exec reachable from agents that should never call it
  • Bearer tokens and sk- keys reach upstream verbatim
  • "Which tools did agent X call last week?" has no answer
  • Audit story is whatever the underlying tool happens to log
  • Adding a control means a code deploy across every agent
With mcpgw
  • Every JSON-RPC call → one Datadog APM span with stable mcp.* attrs
  • Three lines of YAML deny dangerous tools at the gateway
  • Wildcard regex strips secrets before the upstream sees them
  • One JSONL audit line per request — queryable with jq
  • S3 (Object Lock), GCS, Kafka, or webhook for tamper-evident retention
  • SIGHUP hot-reloads policy with no dropped connections
Policy

Three actions. First match wins. Hot-reloadable.

deny, redact, rate_limit. Match by exact name, prefix, glob, regex, or list. Set default_action: deny for explicit allowlist mode. SIGHUP reloads policy atomically with no dropped connections.

Three actions

  • deny — 403 + JSON-RPC -32001
  • redact — regex over body, upstream sees [REDACTED]
  • rate_limit — token bucket per (rule, session)
  • default_action: deny — explicit allowlist

Five matcher primitives

  • tool_name: exact match
  • tool_prefix: e.g. "fs_"
  • tool_glob: e.g. "fs_*read*"
  • tool_regex: anchored
  • tool_name_in: a list, e.g. [a, b, c]

Same matchers in routes and policy.
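As an added illustration (not mcpgw's code; the Matcher struct and FirstMatch are assumed names, and treating tool_name "*" as match-all is an assumption taken from the page's sample policy), here is what the five primitives and the first-match ordering look like as a small Go matcher. It also shows why the page's note that tool_regex is anchored matters: an unanchored pattern over-matches, and in allowlist mode that silently widens what an agent may call.

```go
package main

import (
	"path"
	"regexp"
	"strings"
)

// Matcher holds one of the page's five matcher primitives; set exactly one field.
// Field names follow the page's YAML keys; the struct itself is illustrative, not mcpgw's.
type Matcher struct {
	ToolName   string   // tool_name: exact match; "*" taken as match-all (assumed semantics)
	ToolPrefix string   // tool_prefix: e.g. "fs_"
	ToolGlob   string   // tool_glob: e.g. "fs_*read*", evaluated with path.Match
	ToolRegex  string   // tool_regex: anchored at both ends before matching
	ToolNameIn []string // tool_name_in: list membership
}

// Matches reports whether the matcher selects the given tool name.
func (m Matcher) Matches(tool string) bool {
	switch {
	case m.ToolName != "":
		return m.ToolName == "*" || m.ToolName == tool
	case m.ToolPrefix != "":
		return strings.HasPrefix(tool, m.ToolPrefix)
	case m.ToolGlob != "":
		// Tool names contain no "/", so path.Match's "*" can span the whole name.
		ok, err := path.Match(m.ToolGlob, tool)
		return err == nil && ok
	case m.ToolRegex != "":
		// Without the anchors a regex like "read" would also select "fs_read_file",
		// which in allowlist mode quietly widens what an agent may call.
		re, err := regexp.Compile("^(?:" + m.ToolRegex + ")$")
		return err == nil && re.MatchString(tool)
	}
	for _, n := range m.ToolNameIn {
		if n == tool {
			return true
		}
	}
	return false
}

// FirstMatch returns the index of the first matcher that selects tool, or -1.
// This is the "first match wins" ordering the page describes for routes and policy.
func FirstMatch(matchers []Matcher, tool string) int {
	for i, m := range matchers {
		if m.Matches(tool) {
			return i
		}
	}
	return -1
}
```

An invalid regex or glob simply fails to match rather than panicking, so a bad rule cannot take the gateway down; in allowlist mode a non-matching rule is fail-closed.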

Sample policy

YAML
policy:
  default_action: deny
  rules:
    - id: deny-shell
      action: deny
      when: { tool_name: shell_exec }
    - id: rl-fs-write
      action: rate_limit
      when: { tool_name: fs_write }
      tokens_per_second: 10
      burst: 20
    - id: redact-secrets
      action: redact
      when: { tool_name: "*" }
      redact:
        - regex: 'Bearer [A-Za-z0-9._-]+'
          replacement: "[REDACTED]"
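To see what the sample policy above does with concrete requests, here is an added Go evaluator (example code, not mcpgw's; the Rule, Engine and Decision types and the 429 status for a rate-limited call are assumptions). It implements the page's stated semantics literally: rules in order, first match wins, default_action: deny when nothing matches, a token bucket per (rule, session), and regex redaction before the body reaches upstream. Matching is reduced to tool_name (exact or "*"), which is all the sample policy uses.

```go
package main

import (
	"math"
	"regexp"
	"time"
)

// Rule mirrors the page's sample policy. Matching is reduced to tool_name, exact
// or "*" (match-all, as the sample uses it). Field names are illustrative, not
// mcpgw's real configuration schema.
type Rule struct {
	ID, Action      string // Action is "deny", "redact" or "rate_limit"
	ToolName        string
	Redact          []*regexp.Regexp // redact: each match is replaced by Replacement
	Replacement     string
	TokensPerSecond float64 // rate_limit: refill rate and bucket size
	Burst           float64
}

// Decision is what the gateway does with one JSON-RPC request.
type Decision struct {
	Action        string // "allow", "deny", "redact" or "rate_limit"
	RuleID        string // empty when the default action applied
	HTTP, RPCCode int    // RPCCode is 0 when the call is forwarded
	Body          string // body the upstream sees, after redaction if any
}

type bucket struct {
	tokens float64
	last   time.Time
}

// Engine evaluates rules in order; the first rule whose tool_name hits decides.
type Engine struct {
	DefaultAction string // "deny" gives explicit allowlist mode
	Rules         []Rule
	buckets       map[string]*bucket // one token bucket per (rule, session)
}

func NewEngine(defaultAction string, rules []Rule) *Engine {
	return &Engine{DefaultAction: defaultAction, Rules: rules, buckets: map[string]*bucket{}}
}

// take refills the (rule, session) bucket for the elapsed time, then spends one token.
func (e *Engine) take(r Rule, session string, now time.Time) bool {
	key := r.ID + "\x00" + session
	b := e.buckets[key]
	if b == nil {
		b = &bucket{tokens: r.Burst, last: now}
		e.buckets[key] = b
	}
	b.tokens = math.Min(r.Burst, b.tokens+now.Sub(b.last).Seconds()*r.TokensPerSecond)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Evaluate applies first-match-wins; now is passed in so results are reproducible.
func (e *Engine) Evaluate(session, tool, body string, now time.Time) Decision {
	for _, r := range e.Rules {
		if r.ToolName != "*" && r.ToolName != tool {
			continue
		}
		switch r.Action {
		case "deny":
			return Decision{Action: "deny", RuleID: r.ID, HTTP: 403, RPCCode: -32001}
		case "rate_limit":
			if e.take(r, session, now) {
				return Decision{Action: "allow", RuleID: r.ID, HTTP: 200, Body: body}
			}
			// HTTP 429 is an assumption; the page only documents 403/-32001 for deny.
			return Decision{Action: "rate_limit", RuleID: r.ID, HTTP: 429, RPCCode: -32001}
		case "redact":
			for _, re := range r.Redact {
				body = re.ReplaceAllString(body, r.Replacement)
			}
			return Decision{Action: "redact", RuleID: r.ID, HTTP: 200, Body: body}
		}
	}
	if e.DefaultAction == "deny" {
		return Decision{Action: "deny", HTTP: 403, RPCCode: -32001}
	}
	return Decision{Action: "allow", HTTP: 200, Body: body}
}

// SamplePolicy is the page's sample policy expressed in this schema.
func SamplePolicy() *Engine {
	return NewEngine("deny", []Rule{
		{ID: "deny-shell", Action: "deny", ToolName: "shell_exec"},
		{ID: "rl-fs-write", Action: "rate_limit", ToolName: "fs_write", TokensPerSecond: 10, Burst: 20},
		{ID: "redact-secrets", Action: "redact", ToolName: "*",
			Redact: []*regexp.Regexp{regexp.MustCompile(`Bearer [A-Za-z0-9._-]+`)}, Replacement: "[REDACTED]"},
	})
}
```

One consequence worth checking against the real gateway: read literally, first-match-wins means an fs_write call is claimed by rl-fs-write and never reaches redact-secrets, so its body is forwarded unredacted. The evaluator makes that visible, and if the intent is to redact every tool's body, the redact rule has to be ordered first.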

Audit + Telemetry

One audit line per request. One Datadog span per call.

Every request mcpgw sees produces exactly one JSONL audit record and exactly one OTel span — even rejected ones. Audit ships locally and to S3 (with Object Lock for tamper-evidence), GCS, Kafka, or any HTTPS webhook. Spans land in your existing Datadog Agent over OTLP/HTTP — no new pipeline, no new vendor.

Audit · JSONL + sinks
  • One JSONL line per request — local file is canonical
  • decision, rule_id, auth_key_id, latency_ms
  • S3 with Object Lock governance retention
  • GCS, Kafka, or HTTPS webhook sinks (SIGHUP-reloadable)
  • Append-only on POSIX, queryable with jq
Telemetry · OTLP → Datadog
  • mcp.tool.name, mcp.session.id, mcp.policy.decision
  • mcp.upstream, mcp.payload.bytes_in/out
  • Datadog Agent OTLP/HTTP receiver — no new pipeline
  • ~1ms p50, ~5ms p99 added latency
  • Async export — never blocks request path

Local audit · durable sinks · Datadog-native spans
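Here is the "which tools did agent X call last week?" question from the gap section, answered over a constructed JSONL audit sample (an added example, not mcpgw's code or output; the ts and tool field names and every sample value are assumptions, while decision, rule_id, auth_key_id and latency_ms are the fields the page lists). It keeps denied calls in the answer, because the page records rejected requests too, and it counts unparseable lines instead of skipping them.

```go
package main

import (
	"bufio"
	"encoding/json"
	"strings"
	"time"
)

// AuditLine is the subset of fields the query needs. decision, rule_id, auth_key_id
// and latency_ms are the field names the page lists; ts and tool are assumed names.
type AuditLine struct {
	TS        time.Time `json:"ts"`
	AuthKeyID string    `json:"auth_key_id"`
	Tool      string    `json:"tool"`
	Decision  string    `json:"decision"`
	RuleID    string    `json:"rule_id"`
	LatencyMs float64   `json:"latency_ms"`
}

// ConstructedAudit is made-up sample data for this example, not real gateway output.
// The last line is deliberately truncated: an audit reader must count such lines,
// not drop them silently, or a tampered or cut-off file looks clean.
const ConstructedAudit = `{"ts":"2024-05-06T09:00:00Z","auth_key_id":"agent-x","tool":"fs_read","decision":"redact","rule_id":"redact-secrets","latency_ms":1.1}
{"ts":"2024-05-06T09:00:01Z","auth_key_id":"agent-x","tool":"shell_exec","decision":"deny","rule_id":"deny-shell","latency_ms":0.4}
{"ts":"2024-05-07T12:30:00Z","auth_key_id":"agent-y","tool":"fs_write","decision":"allow","rule_id":"rl-fs-write","latency_ms":1.3}
{"ts":"2024-05-08T08:15:00Z","auth_key_id":"agent-x","tool":"fs_read","decision":"redact","rule_id":"redact-secrets","latency_ms":0.9}
{"ts":"2024-04-20T08:15:00Z","auth_key_id":"agent-x","tool":"fs_list","decision":"allow","rule_id":"","latency_ms":0.8}
{"ts":"2024-05-08T08:16:00Z","auth_key_id":"agent-x","tool":"fs_rea`

// Parse decodes one record per JSONL line and reports how many lines failed to parse.
func Parse(jsonl string) ([]AuditLine, int) {
	var recs []AuditLine
	bad := 0
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec AuditLine
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			bad++
			continue
		}
		recs = append(recs, rec)
	}
	return recs, bad
}

// ToolsCalledBy answers "which tools did key X call in [since, until)?" with a
// per-tool count. Denied attempts are included on purpose: an attempted shell_exec
// is exactly what a reviewer wants to see.
// The jq equivalent over the local file (my command, not one from the page):
//   jq -r 'select(.auth_key_id=="agent-x") | .tool' audit.jsonl | sort | uniq -c
func ToolsCalledBy(recs []AuditLine, keyID string, since, until time.Time) map[string]int {
	counts := map[string]int{}
	for _, r := range recs {
		if r.AuthKeyID == keyID && !r.TS.Before(since) && r.TS.Before(until) {
			counts[r.Tool]++
		}
	}
	return counts
}

// Denied lists "key tool rule" for every request the policy rejected.
func Denied(recs []AuditLine) []string {
	var out []string
	for _, r := range recs {
		if r.Decision == "deny" {
			out = append(out, r.AuthKeyID+" "+r.Tool+" "+r.RuleID)
		}
	}
	return out
}
```

Parse keeps the bad-line count separate from the records so a report can state "5 records, 1 unreadable line" rather than presenting a partial file as complete.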

Self-hosted

One binary. Your VPC. No phone-home.

mcpgw is a single Go binary, distroless multi-arch (linux/amd64 + linux/arm64), ~32 MB. License verifies offline against an Ed25519 key baked into the binary — no analytics ping, no update check, no live revocation API. Air-gapped deployments are a first-class topology.

Docker · ghcr.io/seanfraserio/mcpgw
  Distroless multi-arch image. Liveness /healthz, readiness /readyz.

Kubernetes · Multi-replica HA
  Stateless per-request. Reference Helm chart on the roadmap; HA topology documented.

Air-gapped · Offline license verify
  Ed25519 JWT verification entirely offline. No outbound dependency on mcpgw.dev.

systemd · ECS · Nomad · raw binary — anywhere a Go binary runs
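The offline license check described above, as an added Go example rather than mcpgw's actual implementation (the claim names, the tier values, the Issue/Verify functions and the demo seed are all assumptions): the verifier holds only the Ed25519 public key, pins the JWT algorithm, checks the signature before decoding any claims, and enforces the iat/exp window. Because the page says there is no live revocation API, the exp claim is the only point at which an issued license stops working, which is what makes the 60- and 90-day lifetimes with rotation the meaningful control.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// LicenseClaims is an illustrative claim set; mcpgw's real license format is not on the page.
type LicenseClaims struct {
	Sub  string `json:"sub"`  // licensee
	Tier string `json:"tier"` // community, team or enterprise
	Iat  int64  `json:"iat"`  // issued-at, Unix seconds
	Exp  int64  `json:"exp"`  // expiry, Unix seconds: the only cutoff an offline verifier has
}

var b64 = base64.RawURLEncoding

// Issue runs at the vendor: it signs header.payload with Ed25519 (JWT alg "EdDSA", RFC 8037).
func Issue(priv ed25519.PrivateKey, c LicenseClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	pl, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is everything a binary with the public key baked in can do without a network:
// pin the algorithm, check the signature, then check the time window.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (LicenseClaims, error) {
	var c LicenseClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pinning alg closes the classic "alg: none" / key-confusion hole in JWT verifiers.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "EdDSA" {
		return c, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	// Verify before parsing the payload: unsigned bytes never reach the JSON decoder.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad signature")
	}
	pl, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(pl, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("license expired")
	}
	if now.Unix() < c.Iat {
		return c, errors.New("license not yet valid")
	}
	return c, nil
}

// DemoKeypair derives a key from a fixed seed so the example is reproducible.
// A real issuer keeps the private half offline and ships only the public key.
func DemoKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte("mcpgw-example-seed-not-a-real-key")[:ed25519.SeedSize]
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}
```

The verifier takes now as a parameter rather than reading the clock, which is what makes the expiry path testable and is also the one input an air-gapped host can still get wrong: a skewed clock is the only way a valid license fails here.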

INTEGRATIONS

Speaks MCP. Ships to your existing stack.

Any MCP-spec client connects natively over HTTP. stdio clients (Claude Desktop, Cursor, Zed) bridge via the bundled mcpgw stdio subcommand. Telemetry lands in your Datadog Agent. Audit ships to whatever durable sink your compliance team already uses.

MCP clients: Claude Desktop · Cursor · Zed · Custom HTTP MCP · stdio MCP via mcpgw stdio
Telemetry + audit destinations: Datadog APM (OTLP) · Amazon S3 (Object Lock) · Google Cloud Storage · Apache Kafka · HTTPS webhook (Splunk, Loki, any SIEM)
Get started

Up and running in 10 minutes.

01 · Pull the image
   docker pull ghcr.io/seanfraserio/mcpgw:latest. Single binary, distroless, ~32 MB.
02 · Drop your license
   Place the JWT from mcpgw.dev at /etc/mcpgw/license.jwt with mode 0600. Free Community tier is self-serve.
03 · Write three rules
   deny shell_exec, rate-limit fs_write, redact Bearer / sk- patterns. Three lines of YAML, hot-reloadable on SIGHUP.
04 · Watch in Datadog
   Point telemetry.customer.endpoint at your Datadog Agent's OTLP/HTTP receiver. First mcp.tools.call span lands in APM within 10s.
Pricing

Run the binary free. Pay for support and the license.

Three tiers. All prices public. No "contact sales" until Enterprise.

Community · $0
Solo developers, non-prod, teams under 10 seats.
  • Full gateway functionality
  • 60-day self-issued JWT, automated rotation
  • All policy actions (deny / redact / rate_limit)
  • Datadog OTLP export, JSONL audit
  • Audit shipping to S3 / GCS / Kafka / webhook
  • GitHub Issues for support — no SLA

Team · $599 / month, or $5,990 / year (one month free) · most chosen
Production at small-to-mid teams. Flat rate.
  • Everything in Community
  • 90-day JWT with automated rotation
  • Unlimited gateway instances under one license
  • Email + Slack support, business-hours SLA
  • Private repo access for early-look features
  • No call-volume cap — flat rate, no usage billing

Enterprise · from $48,000 / year
Regulated industries, custom SLA, multi-tenant.
  • Everything in Team
  • Custom SLA (1h P1 response)
  • HIPAA / SOC 2 BAA available
  • Air-gapped deploy with offline issuance
  • Multi-tenant license partitioning
  • Quarterly security review + SLSA L3 attestation
  • Net-30 / 60 PO accepted

Source-available under BSL-1.1 · converts to Apache 2.0 after 4 years

Ready to see every MCP call your agents make?

10 minutes from docker pull to first traced span in Datadog. No credit card.