Rivano · mcpgw v1.1 · Datadog-native

See every MCP call.
Block the dangerous ones.

mcpgw sits between your AI agents and MCP servers, giving platform and security teams policy enforcement, audit logs, authentication, and Datadog-native tracing — without rewriting agents or upstream MCP servers.

OTLP-NATIVE SELF-HOSTED NO PHONE-HOME
Policy · Audit · Telemetry
Policy
action: deny
tool: shell_exec
rule_id: deny-shell
http: 403 -32001
✓ deny · redact · rate_limit
Audit
Local JSONL canonical
S3 · Object Lock tamper-evident
GCS · Kafka · webhook async
⚠ jq-queryable · SIGHUP-reloadable
Telemetry
OTLP/HTTP native
Datadog Agent :4318
Latency p50/p99 ~1ms / ~5ms
stable mcp.* span attrs

mcpgw is a self-hosted MCP gateway that turns agent tool traffic into something you can route, govern, trace, and audit.

$0 Community · $599/mo Team →
THE GAP

Your agents are calling filesystems, databases, and shells — through MCP.

Without a gateway, those calls are scattered across clients and servers with inconsistent logging, weak policy, and little observability.

Without mcpgw
  • MCP tool calls invisible to Datadog APM
  • shell_exec reachable from agents that should never call it
  • Bearer tokens and sk- keys reach upstream verbatim
  • "Which tools did agent X call last week?" has no answer
  • Audit story is whatever the underlying tool happens to log
  • Adding a control means a code deploy across every agent
One inline enforcement point
  • Authenticate MCP clients
  • Route calls to the right upstream server
  • Deny, redact, rate-limit, or strip risky content
  • Trace every call with mcp.* telemetry
  • Write one audit record per decision
  • Support Claude Desktop-style stdio clients through a bridge
Policy

Three actions. First match wins. Hot-reloadable.

deny, redact, rate_limit. Match by exact name, prefix, glob, regex, or list. Set default_action: deny for explicit allowlist mode. SIGHUP reloads policy atomically with no dropped connections.

Three actions

  • deny — 403 + JSON-RPC -32001
  • redact — regex over body, upstream sees [REDACTED]
  • rate_limit — token bucket per (rule, session)
  • default_action: deny — explicit allowlist

Five matcher primitives

tool_name exact
tool_prefix "fs_"
tool_glob "fs_*read*"
tool_regex anchored
tool_name_in [a, b, c]

Same matchers in routes and policy.

Sample policy

YAML
policy:
  default_action: deny
  rules:
    - id: deny-shell
      action: deny
      when: { tool_name: shell_exec }
    - id: rl-fs-write
      action: rate_limit
      when: { tool_name: fs_write }
      tokens_per_second: 10
      burst: 20
    - id: redact-secrets
      action: redact
      when: { tool_name: "*" }
      redact:
        - regex: 'Bearer [A-Za-z0-9._-]+'
          replacement: "[REDACTED]"

Audit + Telemetry

One audit line per request. One Datadog span per call.

Every request mcpgw sees produces exactly one JSONL audit record and exactly one OTel span — even rejected ones. Audit ships locally and to S3 (with Object Lock for tamper-evidence), GCS, Kafka, or any HTTPS webhook. Spans land in your existing Datadog Agent over OTLP/HTTP — no new pipeline, no new vendor.

Audit · JSONL + sinks
  • One JSONL line per request — local file is canonical
  • decision, rule_id, auth_key_id, latency_ms
  • S3 with Object Lock governance retention
  • GCS, Kafka, or HTTPS webhook sinks (SIGHUP-reloadable)
  • Append-only on POSIX, queryable with jq
Telemetry · OTLP → Datadog
  • mcp.tool.name, mcp.session.id, mcp.policy.decision
  • mcp.upstream, mcp.payload.bytes_in/out
  • Datadog Agent OTLP/HTTP receiver — no new pipeline
  • ~1ms p50, ~5ms p99 added latency
  • Async export — never blocks request path

Local audit · durable sinks · Datadog-native spans

Self-hosted

One binary. Your VPC. No phone-home.

mcpgw is a single Go binary, distroless multi-arch (linux/amd64 + linux/arm64), ~32 MB. License verifies offline against an Ed25519 key baked into the binary — no analytics ping, no update check, no live revocation API. Air-gapped deployments are a first-class topology.

Docker

ghcr.io/seanfraserio/mcpgw

Distroless multi-arch image. Liveness /healthz, readiness /readyz.

Kubernetes

Multi-replica HA

Stateless per-request. Reference Helm chart on the roadmap; HA topology documented.

Air-gapped

Offline license verify

Ed25519 JWT verification entirely offline. No outbound dependency on rivano.ai/mcpgw.

systemd · ECS · Nomad · raw binary — anywhere a Go binary runs

INTEGRATIONS

Speaks MCP. Ships to your existing stack.

Any MCP-spec client connects natively over HTTP. stdio clients (Claude Desktop, Cursor, Zed) bridge via the bundled mcpgw stdio subcommand. Telemetry lands in your Datadog Agent. Audit ships to whatever durable sink your compliance team already uses.

MCP clients
Claude DesktopCursorZedCustom HTTP MCPstdio MCP via mcpgw stdio
Telemetry + audit destinations
Datadog APM (OTLP)Amazon S3 (Object Lock)Google Cloud StorageApache KafkaHTTPS webhook (Splunk, Loki, any SIEM)
Get started

Up and running in 10 minutes.

01
Pull the image.
docker pull ghcr.io/seanfraserio/mcpgw:latest. Single binary, distroless, ~32 MB.
02
Drop your license.
Place the JWT from rivano.ai/mcpgw at /etc/mcpgw/license.jwt with mode 0600. Free Community tier is self-serve.
03
Write three rules.
deny shell_exec, rate-limit fs_write, redact Bearer / sk- patterns. Three lines of YAML, hot-reloadable on SIGHUP.
04
Watch in Datadog.
Point telemetry.customer.endpoint at your Datadog Agent's OTLP/HTTP receiver. First mcp.tools.call span lands in APM within 10s.
Where it fits

Don't replace your MCP servers. Put mcpgw in front of them.

Your MCP servers stay the same. Your controls get serious.

mcpgw is
  • An MCP-aware gateway/proxy
  • A policy checkpoint for agent tool calls
  • An audit and telemetry layer for MCP traffic
  • A router across multiple upstream MCP servers
  • A stdio-to-HTTP bridge for local MCP clients
mcpgw is not
  • A native resource store
  • A prompt-template server
  • A general REST/GraphQL-to-MCP wrapper
  • A sandbox for unsafe tools
  • A multi-tenant SaaS control plane
Pricing

Run the binary free. Pay for support and the license.

Three tiers. All prices public. No "contact sales" until Enterprise.

Community
Solo developers, non-prod, teams under 10 seats.
$0
Get a license
Full gateway functionality
60-day self-issued JWT, automated rotation
All policy actions (deny / redact / rate_limit)
Datadog OTLP export, JSONL audit
Audit shipping to S3 / GCS / Kafka / webhook
GitHub Issues for support — no SLA
most chosen
Team
Production at small-to-mid teams. Flat rate.
$599 / month
Start trial
Everything in Community
90-day JWT with automated rotation
Unlimited gateway instances under one license
Email + Slack support, business-hours SLA
Private repo access for early-look features
No call-volume cap — flat rate, no usage billing
$5,990 / year (one month free)
Enterprise
Regulated industries, custom SLA, multi-tenant.
from $48,000 / year
Talk to sales
Everything in Team
Custom SLA (1h P1 response)
HIPAA / SOC 2 BAA available
Air-gapped deploy with offline issuance
Multi-tenant license partitioning
Quarterly security review + SLSA L3 attestation
Net-30 / 60 PO accepted

Source-available under BSL-1.1 · converts to Apache 2.0 after 4 years

Govern MCP before it governs you.

10 minutes from docker pull to first traced span in Datadog. No credit card.