{"id":"abdullah1854-mcpgateway","name":"MCPGateway","homepage":null,"repo_url":"https://github.com/abdullah1854/MCPGateway","category":"infrastructure","subcategories":[],"tags":["mcp","gateway","routing","token-optimization","dashboard","typescript","sse","http","code-execution","observability","aggregation"],"what_it_does":"MCPGateway is a universal MCP aggregation server that exposes a single HTTP/SSE endpoint (/mcp and /sse) to route to multiple upstream MCP servers (STDIO/HTTP/SSE), while applying aggressive token/context optimizations, result filtering/aggregation, sandboxed code execution, and providing a web dashboard for managing backends and tools.","use_cases":["Expose many MCP tools from multiple upstream servers through one endpoint for AI clients","Reduce token/context usage by progressive tool discovery, result filtering, batching, deduplication, delta responses, and auto-summarization","Run sandboxed TypeScript/JavaScript operations via gateway code-execution MCP tools","Operate a centralized dashboard to add/manage/reconnect MCP backends and toggle tool enablement","Use Prometheus and JSON metrics endpoints for gateway observability"],"not_for":["High-security, multi-tenant production deployments without careful security configuration and secret management","Environments requiring formal, published SLAs or strong guarantees around API stability","Use cases where HTTP endpoint access must be avoided (gateway is inherently an HTTP service)","Systems that require an official OpenAPI spec or guaranteed stable API contract for the dashboard/code endpoints"],"best_when":"You need a single MCP endpoint for heterogeneous tool servers plus substantial context/token savings and a management dashboard.","avoid_when":"You cannot lock down authentication for sensitive endpoints, or you need a fully specified, strongly contract-tested REST API with comprehensive machine-readable schemas.","alternatives":["Directly connect each MCP server to the client (no gateway/token optimizations)","Use MCP-compatible tool discovery/search features where available (e.g., provider-native tool search) without aggregation","Build a custom MCP router/proxy that performs only specific filtering/caching for your workloads","Use existing MCP gateway/proxy projects (if available in your ecosystem)"],"af_score":59.5,"security_score":61.8,"reliability_score":36.2,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T15:40:44.026424+00:00","interface":{"has_rest_api":true,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"http://localhost:3010/mcp","has_sdk":true,"sdk_languages":["TypeScript"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["API key","OAuth","JWT"],"oauth":true,"scopes":false,"notes":"README indicates AUTH_MODE supports none/api-key/oauth and API_KEYS or OAUTH_* settings; it also states sensitive endpoints are blocked by default when running with AUTH_MODE=none unless ALLOW_INSECURE=1 is set."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Open-source repository; no vendor pricing described in provided content."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":59.5,"security_score":61.8,"reliability_score":36.2,"mcp_server_quality":78.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":70.0,"rate_limit_clarity":35.0,"tls_enforcement":85.0,"auth_strength":70.0,"scope_granularity":40.0,"dependency_hygiene":55.0,"secret_handling":55.0,"security_notes":"Provides AUTH_MODE=none/api-key/oauth plus mention of JWT; blocks sensitive endpoints when auth is disabled unless ALLOW_INSECURE=1. Also lists helmet/cors usage and includes an audit logging claim. Specific TLS enforcement, rotation policies, and detailed security controls for code-execution are not fully verifiable from provided excerpt.","uptime_documented":10.0,"version_stability":35.0,"breaking_changes_history":45.0,"error_recovery":55.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Authentication modes affect access to sensitive endpoints (/dashboard, /dashboard/api/*, /api/code/*, /metrics/json). Agents should not assume unauthenticated access works by default.","Code execution endpoint (/api/code/execute) may be restricted/secured in practice; ensure sandbox and permissions are configured appropriately.","Token-optimization behaviors (delta responses, session context) may cause surprising outputs if an agent expects raw upstream responses."]}}