MCP gateway · the tool boundary

Verify every MCP tool call.

Sits between any MCP client and any MCP server. Every tool call is interpreted, evaluated, and either authorized with a token or refused. Compatible with any MCP-speaking client. No client changes.

Quickstart Read the docs

02 · What you get

01 · Pass-through

Wire-compatible

Speaks MCP on both sides. Drop it between your client and the upstream server.

02 · Policy

Per-tool evaluation

Each tool call is interpreted into an IntentRequest and evaluated against your policy. Deny means the call never reaches the upstream server.

03 · Tokens

Authority Tokens in-line

Approved calls receive an Authority Token attached to the upstream request. Verified at the tool boundary.

04 · Audit

Every call sealed

Decision, rationale, tool, and arguments hash-linked into your audit chain. Replayable.

Govern your tool surface.

Watch the ceremony Talk to us