MCPGateway
MCPGateway is a universal MCP aggregation server that exposes a single HTTP/SSE endpoint (/mcp and /sse) to route to multiple upstream MCP servers (STDIO/HTTP/SSE), while applying aggressive token/context optimizations, result filtering/aggregation, sandboxed code execution, and providing a web dashboard for managing backends and tools.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Provides AUTH_MODE=none/api-key/oauth and mentions JWT; blocks sensitive endpoints when auth is disabled unless ALLOW_INSECURE=1 is set. Also lists helmet/cors usage and claims audit logging. Specific TLS enforcement, rotation policies, and detailed security controls for code execution are not fully verifiable from the provided excerpt.
⚡ Reliability
Best When
You need a single MCP endpoint for heterogeneous tool servers plus substantial context/token savings and a management dashboard.
Avoid When
You cannot lock down authentication for sensitive endpoints, or you need a fully specified, strongly contract-tested REST API with comprehensive machine-readable schemas.
Use Cases
- Expose many MCP tools from multiple upstream servers through one endpoint for AI clients
- Reduce token/context usage by progressive tool discovery, result filtering, batching, deduplication, delta responses, and auto-summarization
- Run sandboxed TypeScript/JavaScript operations via gateway code-execution MCP tools
- Operate a centralized dashboard to add/manage/reconnect MCP backends and toggle tool enablement
- Use Prometheus and JSON metrics endpoints for gateway observability
Not For
- High-security, multi-tenant production deployments without careful security configuration and secret management
- Environments requiring formal, published SLAs or strong guarantees around API stability
- Use cases where HTTP endpoint access must be avoided (gateway is inherently an HTTP service)
- Systems that require an official OpenAPI spec or guaranteed stable API contract for the dashboard/code endpoints
Interface
Authentication
README indicates AUTH_MODE supports none/api-key/oauth and API_KEYS or OAUTH_* settings; it also states sensitive endpoints are blocked by default when running with AUTH_MODE=none unless ALLOW_INSECURE=1 is set.
Pricing
Open-source repository; no vendor pricing described in provided content.
Agent Metadata
Known Gotchas
- ⚠ Authentication modes affect access to sensitive endpoints (/dashboard, /dashboard/api/*, /api/code/*, /metrics/json). Agents should not assume unauthenticated access works by default.
- ⚠ Code execution endpoint (/api/code/execute) may be restricted/secured in practice; ensure sandbox and permissions are configured appropriately.
- ⚠ Token-optimization behaviors (delta responses, session context) may cause surprising outputs if an agent expects raw upstream responses.
Scores are editorial opinions as of 2026-03-30.