Rivano · mcpgw · v1.1

Self-hosted MCP gateway with Datadog-native tracing.

One binary, one inline hop. Policy, audit, and OTel spans for every Model Context Protocol tool call your agents make. No code changes.

Policy

Three actions. First match wins. Hot-reloadable.

deny, redact, rate_limit. Match by exact name, prefix, glob, regex, or list. Set policy.default_action: deny to flip into explicit allowlist mode for regulated environments. SIGHUP swaps the policy engine atomically with no dropped connections.

  • deny — HTTP 403 with JSON-RPC -32001 policy_denied; upstream never contacted
  • redact — regex over body; upstream sees [REDACTED] for Bearer / sk- / AKIA / JWT shapes
  • rate_limit — token bucket per (rule, session); fractional rates supported
  • default_action: deny — explicit allowlist mode for SOC 2 / HIPAA / FedRAMP postures
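As an added illustration, not mcpgw's own code (its policy YAML schema is not shown on this page), here is a minimal first-match-wins evaluator in Go over the five matcher kinds and a `default_action: deny` allowlist. The `Rule` fields, rule IDs and the assumption that a matched redact or rate_limit rule lets the call proceed are constructed for the example.

```go
package main
import (
	"path/filepath"
	"regexp"
	"strings"
)

type Rule struct { // constructed rule shape; mcpgw's real YAML schema is not shown on this page
	ID     string
	Kind   string   // "exact", "prefix", "glob", "regex" or "list" (several exact names)
	Match  []string // one pattern per entry
	Action string   // "deny", "redact" or "rate_limit"
}

func matchOne(kind, pattern, tool string) bool {
	switch kind {
	case "exact", "list":
		return tool == pattern
	case "prefix":
		return strings.HasPrefix(tool, pattern)
	case "glob":
		ok, _ := filepath.Match(pattern, tool) // a malformed glob matches nothing
		return ok
	case "regex":
		return regexp.MustCompile(pattern).MatchString(tool) // patterns are validated at load time
	}
	return false // unknown kinds match nothing, so a typo in Kind cannot widen a rule
}

// Decide: the first matching rule wins; unmatched tools get defaultAction ("deny" = allowlist mode).
func Decide(rules []Rule, defaultAction, tool string) (action, ruleID string) {
	for _, r := range rules {
		for _, pat := range r.Match {
			if matchOne(r.Kind, pat, tool) {
				return r.Action, r.ID
			}
		}
	}
	if defaultAction == "deny" {
		return "deny", "default"
	}
	return "allow", "default"
}

// AllowlistRules is a constructed rule set for default_action: deny. With only three
// actions, a tool reaches upstream only when a redact or rate_limit rule names it first.
var AllowlistRules = []Rule{
	{ID: "block-http-writes", Kind: "regex", Match: []string{`^http_(delete|put)$`}, Action: "deny"},
	{ID: "scrub-http", Kind: "prefix", Match: []string{"http_"}, Action: "redact"},
	{ID: "throttle-search", Kind: "glob", Match: []string{"search_*"}, Action: "rate_limit"},
}
```

Rule order carries the policy: `http_delete` hits the deny rule before the broader `http_` redact rule, while a tool no rule names, such as `filesystem_read`, never reaches upstream.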

Authentication

Three options. Argon2id-hashed keys. SIGHUP-rotatable.

Front mcpgw with your existing auth proxy, terminate mTLS at the gateway, or enable inbound API-key auth. Generate keys with mcpgw key generate; each successful request gets an auth_key_id in the audit log and the corresponding mcp.auth.key_id span attribute.

  • External auth proxy — Cloudflare Access, cloud-LB auth, internal SSO. Default if auth.enabled is unset.
  • mTLS at the gateway — set tls.client_ca, every connection presents a client cert.
  • Inbound API-key auth — Argon2id hashes in YAML, hot-rotatable on SIGHUP.

Audit + Telemetry

One JSONL line per request. One Datadog span per call.

The local audit file is canonical and append-only on POSIX. Optional sinks ship copies asynchronously to S3 (with Object Lock governance retention), GCS, Apache Kafka, or any HTTPS webhook. Spans land in your existing Datadog Agent over OTLP/HTTP — no new pipeline. ~1ms p50, ~5ms p99 added latency.

Stable mcp.* span attributes

  • mcp.tool.name
  • mcp.session.id
  • mcp.policy.decision · mcp.policy.rule_id
  • mcp.upstream
  • mcp.payload.bytes_in · mcp.payload.bytes_out
  • mcp.auth.key_id · mcp.auth.result
  • mcp.error.kind

Audit JSONL fields

  • ts, request_id, session_id, client_ip
  • method, tool, upstream
  • decision, rule_id, error
  • auth_key_id, auth_result
  • bytes_in, bytes_out, status
  • duration_ms, transport

Self-hosted

One binary. Your VPC. No phone-home.

mcpgw is a single Go binary, distroless multi-arch (amd64 + arm64), ~32 MB. License JWT verifies offline using an Ed25519 public key baked into the binary. There is no analytics ping, no update check, no live revocation API — air-gapped deployments are first-class.

  • Native TLS — tls.cert_file + tls.key_file; SIGHUP-reloadable for cert renewal.
  • Input rate-limit — pre-parse, pre-auth flood protection keyed on RemoteAddr.
  • Stateless per-request — multiple replicas behind your existing LB. Distributed rate-limit via Redis is on the roadmap.

The Rivano portfolio

mcpgw is the first. More gateways are coming.

Each Rivano product solves a specific agent-protocol gap with the same playbook: self-hosted single binary, no phone-home, transparent pricing, Datadog-native telemetry.

Available · v1.1

mcpgw

Model Context Protocol. Datadog-native tracing. Single Go binary.

Roadmap

a2agw

Agent-to-Agent (A2A) skill invocations. Same posture, different protocol.

See every MCP call in 10 minutes.

docker pull, drop a license, run. First traced span lands in Datadog within seconds.