supergateway
Supergateway bridges MCP servers that run over stdio to network transports (SSE, WebSockets, or Streamable HTTP) and can also proxy remote SSE/Streamable HTTP MCP servers back to a local stdio interface.
Score Breakdown
🔒 Security
TLS is not explicitly required for all inbound modes; outbound/upstream URLs are shown as https in examples, but no security policy is documented. Auth support is header-based (Bearer token/custom headers) without mention of scoped/role-based controls. CORS can be enabled broadly (allow all origins when --cors has no values), which can increase exposure if deployed beyond localhost.
Best When
You need to convert MCP transport style (stdio <-> SSE/WS/Streamable HTTP) with a lightweight command-line/server runtime.
Avoid When
You need strict operational guarantees around retries/idempotency semantics and clear published error codes for all failure modes.
Use Cases
- Expose an MCP stdio server as an SSE server for web/remote clients
- Connect to a remote MCP server over SSE or Streamable HTTP and make it usable from local CLI/MCP tooling via stdio
- Provide WebSocket access to MCP stdio servers
- Debug or integrate MCP servers that only support stdio in environments that expect network transports
- Run MCP servers behind a public tunnel (e.g., ngrok) for remote access
Not For
- Use as a general-purpose API gateway for arbitrary HTTP APIs (it is MCP-transport focused)
- Handling production-grade multi-tenant auth/authorization unless additional access controls are added around its endpoints
- Cases where you require published, machine-readable API specs (no OpenAPI/SDK is described)
Interface
Authentication
The README describes adding headers when connecting to upstream SSE/Streamable HTTP MCP servers (and enabling CORS for incoming clients). It does not describe OAuth flows, per-route authorization, or fine-grained scopes for Supergateway itself.
Pricing
No pricing information for the package itself. The README mentions hosted services (Supermachine/Superinterface/Supercorp) but does not specify their pricing.
Agent Metadata
Known Gotchas
- ⚠ Supergateway is a transport bridge, not a standard CRUD API; client code must speak MCP-over-chosen-transport (JSON-RPC style).
- ⚠ Authentication is implemented by injecting headers to upstream requests (and enabling CORS). No guidance is provided on retry behavior or how failures map to specific MCP error codes.
- ⚠ Some client tools may have CLI argument limitations (README mentions Cursor bug with spaces in Authorization; use --oauth2Bearer instead of --header for Bearer tokens).
Scores are editorial opinions as of 2026-03-30.