An MCP gateway aggregates multiple MCP servers behind one addressable endpoint. Instead of configuring each server in every AI client, you configure the gateway once, and it routes each tool request to the server that handles it. The gateway centralizes authentication, credential injection, tool filtering, access control, rate limits, and logging. Docker MCP Gateway is MIT-licensed and runs each server in an isolated container.
What MCP Is, Briefly
The Model Context Protocol (MCP) is an open standard for connecting AI applications to external data sources, tools, and workflows. The official docs describe it as a USB-C port for AI applications: one standard plug instead of a custom integration per tool.
Anthropic created MCP and announced it as an open-source standard on November 25, 2024, releasing it with SDKs in Python, TypeScript, C#, and Java. It uses a client-server architecture: developers expose data and tools through MCP servers, and AI applications act as MCP clients that connect to those servers. Clients that support MCP include Claude, ChatGPT, VS Code, and Cursor.
Messages are encoded as JSON-RPC over UTF-8. MCP currently defines two standard transports. The first is stdio, where a server runs as a subprocess and communicates over stdin and stdout. The second is Streamable HTTP, which uses HTTP POST and GET on a single MCP endpoint and can optionally use Server-Sent Events to stream multiple server messages.
Streamable HTTP replaced the older HTTP+SSE transport from protocol version 2024-11-05. Per the MCP transports docs, clients should support stdio whenever possible, since it is the simplest path for locally-running servers.
The Problem: Many Servers, Many Clients
MCP works cleanly with one server and one client. The friction appears when a team accumulates servers: a GitHub server, a Slack server, a database server, an internal search server, a filesystem server. Each one is a separate process with separate credentials and a separate transport.
Now multiply by clients. Claude Desktop, Cursor, VS Code, and an internal agent each need every server configured independently. Ten servers across five clients is fifty configurations to keep in sync. Rotating one credential means editing it in every client that uses that server.
The security surface grows with it. Credentials for every server sit in plain client config or environment variables. There is no central place to say which tools an agent may call, no shared rate limit, and no single log of what tool activity happened across the fleet.
Where the cost concentrates
The per-server, per-client configuration model means authentication, credential injection, tool filtering and RBAC, rate limits, and logging all have to be configured separately for every server in every client. An MCP gateway exists to pull that work into one component.
What an MCP Gateway Does
An MCP gateway aggregates multiple MCP servers behind one addressable endpoint. A client connects to the gateway, not to each server. When the client invokes a tool, the gateway routes that request to the server that handles it. You configure the gateway once instead of configuring each server in every client.
That single point of control is where the value sits. Centralizing the connection lets the gateway own the cross-cutting concerns that were previously scattered across every client config.
Aggregation and routing
One endpoint fronts many MCP servers. The gateway multiplexes calls and routes each tool request to the server that handles it, so the agent connects to a single endpoint instead of juggling multiple server connections.
Centralized authentication and credentials
The gateway authenticates each request, then injects the upstream credentials a server needs (OAuth tokens, API keys, identity headers) as it forwards the call. Credentials live in the gateway, not in every client config.
Tool filtering and access control
Allowlists and RBAC decide which tools an agent or client may invoke. Docker MCP Gateway uses server.tool dot notation to enable specific tools; Portkey supports per-user enable/disable and RBAC over tools.
Observability and governance
Built-in logging and call-tracing give visibility into AI tool activity. One log of every tool call across the fleet, plus per-tool or per-consumer rate limits and budget quotas, is the governance layer enterprises need.
Isolation is the fourth pillar. A gateway can run each MCP server in its own sandbox so a misbehaving or untrusted server cannot reach the host or the other servers. Docker MCP Gateway does this with containers; the section below covers it.
Docker MCP Gateway
Docker MCP Gateway is an open-source, MIT-licensed Docker CLI plugin that acts as a centralized proxy between MCP clients and servers, managing configuration, credentials, and access control. It is the reference implementation most teams reach for first because the isolation model is concrete.
It runs each MCP server in an isolated Docker container with restricted privileges, network access, and resource usage. Servers launched via npx and uvx are granted minimal host privileges. The gateway manages each server's entire lifecycle, starting a container on demand when a tool is invoked.
It keeps secrets out of environment variables by using Docker Desktop's secrets management, then injects the required credentials into requests as it forwards them to servers. For tool control, it supports allowlists: enable specific tools with server.tool dot notation, or enable and disable all tools for a server. Profiles determine which servers are available at runtime.
For governance, it includes built-in logging and call-tracing for full visibility of AI tool activity. It can run over stdio (the default profile) or as a streaming HTTP server on a port, exposing the aggregated servers through a single gateway interface.
Portkey and Other Implementations
Portkey's MCP Gateway acts as a proxy between MCP clients and servers, multiplexing and aggregating calls so an agent connects to a single endpoint instead of juggling multiple server connections. Its focus is the auth and policy layer.
It authenticates each request via the agent's API key or IdP token, checks the user's access to the requested server and tool, then injects upstream credentials such as OAuth tokens for GitHub or Slack, API keys, or identity headers. On top of that it supports per-user tool enable and disable, RBAC to restrict which tools an agent or client can invoke, and per-tool or per-consumer rate limits and budget quotas.
Two open aggregators fill out the picture. MetaMCP is an aggregator, orchestrator, middleware, and gateway that dynamically combines multiple MCP servers into a unified endpoint. McpMesh aggregates multiple MCP servers into a single HTTP API. Both target the same core job: collapse many servers into one interface.
Pick by what you are protecting
Choose Docker MCP Gateway when container-level isolation of untrusted servers is the priority. Choose Portkey when fine-grained RBAC, per-consumer rate limits, and budget quotas across users matter most. MetaMCP and McpMesh suit teams that mainly need clean aggregation into a single endpoint.
Gateway Options Compared
The implementations differ on licensing, isolation model, and how much access-control machinery they ship. The table maps each against the facts each project documents.
| Gateway | Open source | Isolation | Auth / access control | Notes |
|---|---|---|---|---|
| Docker MCP Gateway | MIT | Per-server Docker container | Docker secrets + tool allowlists (server.tool) | Lifecycle mgmt, built-in logging and call-tracing; stdio or HTTP |
| Portkey MCP Gateway | Hosted gateway | Proxy / multiplexer | API key or IdP token, RBAC, per-user tool toggles | Per-tool and per-consumer rate limits and budget quotas |
| MetaMCP | Open source | Aggregator / middleware | Unified endpoint over many servers | Aggregator, orchestrator, middleware, and gateway in one |
| McpMesh | Open source | Aggregator | Single HTTP API surface | Aggregates multiple MCP servers into one HTTP API |
All four collapse many servers behind one endpoint. The split is where they invest: Docker in isolation and lifecycle, Portkey in identity and quotas, MetaMCP and McpMesh in straightforward aggregation.
Configuring a Gateway
The mental model is the same across implementations. You point a client at the gateway endpoint, then on the gateway side you declare which servers exist, which tools are enabled, and what credentials get injected. The client only ever sees one connection.
A conceptual gateway config groups servers, applies a tool allowlist using server.tool dot notation, and references secrets by name rather than inlining them. The exact file format varies by tool; the shape below illustrates the concepts the pack documents.
Conceptual MCP gateway configuration
# One gateway endpoint fronts several MCP servers.
# Clients connect to the gateway; the gateway routes
# each tool call to the server that handles it.
transport: streamable-http # or stdio (default for local)
listen: 0.0.0.0:8765
servers:
github:
# Each server can run isolated (e.g. its own container).
# Credentials are referenced by name, not inlined.
secrets:
- GITHUB_TOKEN
tools:
# Allowlist with <server>.<tool> dot notation.
enabled:
- github.search_issues
- github.create_pull_request
filesystem:
tools:
enabled: all # or disable all for a server
morph:
# Morph ships an MCP server with edit_file +
# codebase_search. Front it like any other server.
secrets:
- MORPH_API_KEY
tools:
enabled:
- morph.edit_file
- morph.codebase_search
# Access control and observability are applied centrally:
# RBAC decides who may call which tool, rate limits cap
# per-consumer usage, and every call is logged for governance.The point is leverage. One change to the gateway, such as rotating a credential, adding a server, or disabling a risky tool, propagates to every client at once. Without the gateway, the same change is N edits across N clients.
MCP Gateway vs LLM Gateway
The names are close and the confusion is common. An MCP gateway governs tools. An LLM gateway, also called an AI gateway, governs models. They sit at different layers of the same stack.
An LLM gateway sits between applications and provider APIs, exposing a single OpenAI-compatible endpoint so any client built for OpenAI works without code changes. It adds key management, rate limiting, fallbacks, caching, cost tracking, and load balancing across providers. An MCP gateway does the analogous job one layer over, for the tools an agent calls rather than the models it talks to.
| Dimension | MCP gateway | LLM gateway |
|---|---|---|
| What it fronts | MCP servers (tools) | Model provider APIs |
| Single endpoint for | Many tool servers | Many models, OpenAI-compatible |
| Centralizes | Credentials, tool RBAC, call logs | Keys, rate limits, fallbacks, caching, cost |
| Protocol | JSON-RPC (MCP) | OpenAI-compatible HTTP |
| Example | Docker MCP Gateway, Portkey | LiteLLM, Portkey, Cloudflare AI Gateway |
The governance pattern is identical at both layers. An MCP gateway governs which tools run the same way an LLM gateway governs which providers serve a request, and the same way an LLM router governs which model handles a given prompt. Many teams run all three: a router to pick the model, an LLM gateway to reach it, and an MCP gateway to govern the tools it calls.
Morph ships tools a gateway can front
Morph ships an MCP server exposing edit_file (Fast Apply code edits) and codebase_search (WarpGrep semantic search). It registers behind an MCP gateway like any other server, so a team can put Morph's coding tools under the same central auth, tool allowlist, and audit log as the rest of its MCP fleet. Pair it with Morph's model router, which classifies prompt difficulty in ~430ms and cuts API cost 40-70%, to govern models and tools with one consistent policy.
When You Need One
A single MCP server wired into a single client does not need a gateway. The extra hop and the extra component to operate are not worth it. The gateway earns its place as servers and clients multiply.
Many servers, many clients
When the same servers are configured across several clients, the gateway collapses N x M configurations into one. Rotating a credential or adding a server becomes a single edit.
Untrusted or third-party servers
Running community MCP servers means running other people's code. Per-server container isolation, as in Docker MCP Gateway, contains a misbehaving server away from the host and the rest of the fleet.
Governance requirements
When you need one audit log of all tool activity, RBAC over which agents may call which tools, and per-consumer rate limits, the gateway is the only place to enforce them consistently.
The tradeoff is real and worth stating. A gateway adds a hop, a component to deploy and monitor, and a single point whose failure affects every client. For a solo developer with one server it is overhead. For a team with an MCP fleet and security review, it is the difference between governable and ungovernable tool access.
Frequently Asked Questions
What is an MCP gateway?
An MCP gateway aggregates multiple MCP (Model Context Protocol) servers behind one addressable endpoint. Instead of configuring each server in every AI client, you configure the gateway once and it routes each tool request to the server that handles it. The gateway centralizes authentication, credential injection, tool filtering, access control, rate limits, and logging across all the servers it fronts.
Why use an MCP gateway?
Running many MCP servers across many clients means duplicating configuration, credentials, and transport settings everywhere. The gateway centralizes authentication, credential injection, tool filtering and RBAC, rate limits, and logging and observability that would otherwise have to be configured per server in every client. It is the difference between editing one config and editing fifty.
MCP gateway vs running MCP servers directly?
Running servers directly means each client connects to each server independently, with credentials and tool exposure managed per client. A gateway puts one endpoint in front of all servers, so credentials live in one place, tool access is filtered centrally with allowlists or RBAC, and every tool call is logged. The tradeoff is an extra hop and one more component to operate.
What is Docker MCP Gateway?
Docker MCP Gateway is an open-source, MIT-licensed Docker CLI plugin that acts as a centralized proxy between MCP clients and servers. It runs each MCP server in an isolated Docker container with restricted privileges, network access, and resource usage, keeps secrets out of environment variables via Docker Desktop's secrets management, supports tool allowlists using server.tool dot notation, and includes built-in logging and call-tracing. It runs over stdio or as a streaming HTTP server on a port.
Is there an open-source MCP gateway?
Yes. Docker MCP Gateway is MIT-licensed. Other open aggregator and gateway implementations include MetaMCP, which dynamically combines multiple MCP servers into a unified endpoint as aggregator, orchestrator, middleware, and gateway, and McpMesh, which aggregates multiple MCP servers into a single HTTP API.
MCP gateway vs LLM gateway?
An MCP gateway governs tools: it aggregates MCP servers behind one endpoint and centralizes credentials, tool filtering, RBAC, and observability for tool calls. An LLM gateway governs models: it exposes a single OpenAI-compatible endpoint in front of many providers and adds key management, rate limiting, fallbacks, caching, and cost tracking. One sits in front of your tools, the other in front of your models. Many teams run both.
What transports does an MCP gateway support?
MCP defines two standard transports: stdio, where a server runs as a subprocess over stdin and stdout, and Streamable HTTP, which uses HTTP POST and GET on a single endpoint with optional Server-Sent Events streaming. Docker MCP Gateway, for example, can run over stdio by default or expose its aggregated servers as a streaming HTTP server on a port.
Related Resources
Govern Your Tools and Models With One Policy
An MCP gateway governs which tools run the same way Morph's model router governs which model handles a prompt. Morph ships an MCP server (edit_file + codebase_search) you can front behind any gateway, plus a router that classifies prompt difficulty in ~430ms and cuts API cost 40-70%.