The Model Context Protocol (MCP) standardized how AI agents talk to external tools. But MCP itself has no built-in authentication, no rate limiting, no audit logging, and no access control. In production, that is a problem. MCP gateways solve it by sitting between your agents and your MCP servers, enforcing policy on every tool call.
By June 2026, the MCP gateway market has split into two tiers. Open-source projects like Bifrost, ToolHive, and agentgateway focus on performance and developer experience. Enterprise platforms like TrueFoundry, Composio, and Lunar MCPX add governance, compliance, and managed operations. This guide compares all twelve gateways that matter.
Why you need an MCP gateway
Without a gateway, every agent connects to every MCP server directly. This creates three problems:
Security: MCP servers often hold credentials for databases, APIs, and internal services. Direct connections mean every agent needs every credential. A single compromised agent exposes everything.
Observability: You cannot answer "which agent called which tool, how many times, at what cost" without centralized logging. Direct connections scatter audit data across dozens of server logs.
Governance: There is no way to enforce "Agent X can only call read tools, not write tools" or "no agent can exceed 1,000 tool calls per hour" without a policy layer in between.
An MCP gateway centralizes all three. Agents authenticate to the gateway. The gateway authenticates to MCP servers. Policies enforce what each agent can do. Every call is logged.
The twelve gateways compared
| Gateway | License | Language | Transport | Isolation | Auth | RBAC | Audit | Best For |
|---|---|---|---|---|---|---|---|---|
| Bifrost | MIT | Go | stdio | Process-level | API key | Basic | Structured logs | Ultra-low latency |
| Lunar MCPX | MIT (core) | TS/Go | Streamable HTTP | Per-server | IdP integration | Global/service/tool-level ACLs | Immutable audit trail | Open-source governance |
| ToolHive | Apache 2.0 | Go | stdio/HTTP | Container per server | OIDC/mTLS | Per-container | Container logs | Container isolation |
| agentgateway | Apache 2.0 | Rust | stdio/HTTP/SSE | Process-level | OAuth 2.1 + PKCE | CEL policy engine | OTel traces | Performance-critical routing |
| Docker MCP Gateway | Open source | Go | stdio | OCI container | Docker auth | Image-level | Docker logs | Docker-native stacks |
| Microsoft MCP Gateway | Open source | Go | HTTP | K8s pod | Entra ID | RBAC via Entra | Azure Monitor | Azure/K8s environments |
| IBM ContextForge | MIT | Python | HTTP/gRPC | K8s multi-cluster | OAuth/mTLS | Per-federation | Structured logs | Multi-protocol federation |
| Composio | Proprietary | N/A | Managed | Managed sandbox | SOC 2 Type II | Team/user/key | Full audit | Managed integrations at scale |
| TrueFoundry | Proprietary | N/A | Managed | Managed | IdP/SAML | Full RBAC | Compliance logs | Enterprise compliance |
| Obot | MIT | Go | K8s/Docker | Container | Multi-role | RBAC + GitOps | Structured logs | Self-hosted catalog |
| MCPJungle | Open source | TypeScript | HTTP | Single process | API key | Basic | Request logs | Lightweight self-hosting |
| MCP Mesh | Open source | Multi | Decorator DI | Runtime-level | Varied | Varied | Varied | Distributed agent discovery |
Deep dives: the five gateways that matter most
Bifrost: 11 microseconds of overhead
Bifrost is the fastest MCP gateway available. Written in Go, it reports 11 microseconds of overhead per request at 5,000 RPS in published benchmarks. The trick is architectural: Bifrost keeps MCP servers running as long-lived subprocesses and communicates over stdio, avoiding HTTP connection overhead entirely.
How it works: Bifrost spawns each MCP server as a child process and maintains a persistent stdio pipe. When an agent sends a tool call, Bifrost routes it to the right subprocess over the pipe, applies any configured middleware (auth, rate limiting, logging), and returns the response. No HTTP handshake, no TLS negotiation, no connection pooling needed.
Limitations: The stdio transport means Bifrost only works with MCP servers that support stdio mode. Remote HTTP-based MCP servers need a bridge adapter. The project is newer and less battle-tested than Lunar or ToolHive.
Use when: Latency is your primary constraint. You run MCP servers on the same machine or cluster as your agents. You need the absolute minimum overhead per tool call.
Lunar MCPX: the governance leader
Lunar MCPX has the most granular access control model of any open-source MCP gateway. Policies operate at three levels: global (all servers), per-service (one server), and per-tool (individual tool functions). This lets you write rules like "all agents can list files, only admin agents can delete files, and no agent can access the production database server."
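The rule quoted above, written as a three-level policy and evaluated with deny-by-default. This is an added example, not Lunar MCPX's code or configuration format; the `Policy` structure, the precedence order, and the server, tool and role names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Hypothetical three-level policy; not Lunar MCPX's configuration schema."""
    global_deny_servers: set = field(default_factory=set)  # global level
    service_roles: dict = field(default_factory=dict)      # server -> allowed roles
    tool_roles: dict = field(default_factory=dict)         # (server, tool) -> allowed roles

def _role_allowed(role, allowed):
    # "*" is this example's wildcard meaning "any authenticated agent".
    return "*" in allowed or role in allowed

def authorize(policy, role, server, tool):
    """Return (allowed, matched_level).

    Assumed precedence: a global deny always wins, then the most specific
    rule applies (tool before service), and anything unmatched is denied.
    """
    if server in policy.global_deny_servers:
        return False, "global"
    if (server, tool) in policy.tool_roles:
        return _role_allowed(role, policy.tool_roles[(server, tool)]), "tool"
    if server in policy.service_roles:
        return _role_allowed(role, policy.service_roles[server]), "service"
    return False, "default-deny"

# Constructed policy: all agents can list files, only admins can delete files,
# and no agent can reach the production database server.
POLICY = Policy(
    global_deny_servers={"prod-db"},
    service_roles={"files": {"admin"}},  # tools without their own rule: admin only
    tool_roles={
        ("files", "list_files"): {"*"},
        ("files", "delete_file"): {"admin"},
    },
)

if __name__ == "__main__":
    calls = [("analyst", "files", "list_files"), ("analyst", "files", "delete_file"),
             ("admin", "files", "delete_file"), ("admin", "prod-db", "query")]
    for role, server, tool in calls:
        print(role, server, tool, authorize(POLICY, role, server, tool))
```

The admin call to `prod-db` is refused at the global level even though the role is privileged, which is the property that makes a global deny useful as a backstop.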
Key features:
The enterprise tier adds hosted deployment, identity provider integration, automated risk scoring for tool catalogs, and a pre-production sandbox for validating new MCP server additions before they reach production agents.
Rate limiting and circuit breakers are built into the core. If an MCP server starts responding slowly, MCPX trips the circuit breaker and returns cached results or graceful errors instead of letting agents wait indefinitely.
Interceptor middleware: MCPX supports request/response interceptors that can transform, filter, or enrich tool calls in transit. Use cases include PII redaction (strip email addresses from tool responses before they reach the agent), cost attribution (tag each call with a team/project label), and compliance logging.
Use when: You need fine-grained access control per tool, not just per server. Your compliance team requires an audit trail for every tool call. You want open-source core with an enterprise upgrade path.
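The interceptor use cases described above (cost-attribution tagging on the request, PII redaction on the response), as an added example that is not MCPX's interceptor API. The function names, the call and response shapes, and the stand-in `fake_crm_server` are assumptions; the response data is constructed.

```python
import re

# Pragmatic e-mail pattern for redaction; not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def redact_emails(value, counter):
    """Return a copy of a JSON-like value with e-mail addresses replaced.

    Walks nested dicts and lists; only string values are rewritten
    (dict keys are left alone). counter["emails"] tracks replacements.
    """
    if isinstance(value, str):
        redacted, n = EMAIL_RE.subn("[REDACTED_EMAIL]", value)
        counter["emails"] += n
        return redacted
    if isinstance(value, dict):
        return {k: redact_emails(v, counter) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_emails(v, counter) for v in value]
    return value  # numbers, booleans, None pass through unchanged

def tag_request(call, team):
    """Request interceptor: attach a cost-attribution label without mutating the input."""
    return {**call, "labels": {**call.get("labels", {}), "team": team}}

def handle(call, team, upstream):
    """Gateway path: tag the request, call the MCP server, redact the response."""
    request = tag_request(call, team)
    raw = upstream(request)
    counter = {"emails": 0}
    clean = redact_emails(raw, counter)
    # Compliance log records that redaction happened, never the redacted values.
    log_entry = {"tool": request["tool"], "team": team,
                 "redacted_emails": counter["emails"]}
    return clean, log_entry

def fake_crm_server(request):
    """Stand-in for an MCP server; the response below is constructed sample data."""
    return {
        "content": [{"type": "text",
                     "text": "Owner: jane.doe@example.com, cc bob@example.org"}],
        "meta": {"rows": 1, "contact": "ops@example.net"},
    }

if __name__ == "__main__":
    print(handle({"tool": "crm.lookup", "arguments": {"id": 7}}, "billing", fake_crm_server))
```

Redacting at the gateway keeps the addresses out of the agent's context window and out of any downstream model logs, but the raw values still exist on the MCP server side.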
ToolHive: container isolation per server
ToolHive from Stacklok runs every MCP server inside its own container with minimal permissions and no local credentials. This is the strongest isolation model in the market: a compromised MCP server cannot access the filesystem, network, or credentials of any other server.
Three runtime shapes:
- Desktop UI for local development and testing
- CLI for terminal-based workflows and CI/CD pipelines
- Kubernetes Operator for shared multi-user environments
vMCP Optimizer: The standout feature is the MCP Optimizer in the vMCP component. It uses hybrid semantic and keyword search to surface only the tools relevant to a given request, reducing token usage by 60 to 85% per call. When an agent has access to 200 tools but a request only needs 3, the optimizer filters the tool list before sending it to the LLM. Fewer tools in the context window means fewer tokens, lower cost, and faster responses.
Use when: Security is non-negotiable. You need container-level isolation between MCP servers. You want a Kubernetes-native deployment model. You care about token efficiency via tool filtering.
agentgateway: the Linux Foundation standard
agentgateway is the first AI-native data plane project under the Linux Foundation. Written in Rust, it is designed as a Layer 7 proxy for agent traffic, supporting both MCP (tool calls) and the A2A protocol (agent-to-agent communication) through a unified routing plane.
Architecture: agentgateway uses a CEL (Common Expression Language) policy engine for authorization decisions. CEL policies are declarative and composable, similar to Cedar policies used by AWS Verified Permissions. This means you can write policies like `request.tool.name.startsWith("read_") || request.agent.role == "admin"` and enforce them at wire speed.
OAuth 2.1 compliance: Full OAuth 2.1 with PKCE is mandatory per the MCP specification. agentgateway enforces it natively rather than treating it as an optional add-on.
Use when: You want a standards-based, Linux Foundation backed project. You need both MCP and A2A protocol support. You prefer Rust performance with CEL-based policy authoring.
Composio: 500+ managed integrations
Composio takes a different approach from the infrastructure-focused gateways. Instead of "bring your own MCP servers," Composio hosts and manages 500+ pre-built integrations: GitHub, Slack, Jira, Salesforce, Google Workspace, databases, and more. Each integration is an MCP server that Composio runs, secures, and maintains.
SOC 2 Type II certified. Authentication is handled per integration (OAuth flows, API keys, service accounts) with credentials stored in Composio's vault. You never touch raw credentials in your agent code.
Agent framework integrations: SDKs for LangGraph, CrewAI, OpenAI Agents SDK, Claude Agent SDK, and Google ADK. This means your agents call Composio tools through the same interface they call any other tool, no custom integration code needed.
Use when: You want managed integrations out of the box. You do not want to run MCP servers yourself. Your compliance team requires SOC 2 certification. You need 50+ tool integrations and do not want to build them.
Enterprise evaluation framework
When evaluating MCP gateways for production, score each option against these five dimensions:
1. Isolation model
How does the gateway prevent one compromised MCP server from affecting others?
| Level | Gateways | Risk |
|---|---|---|
| Container per server | ToolHive, Docker MCP Gateway, Obot | Lowest. Filesystem, network, and process isolation. |
| Process per server | Bifrost, agentgateway | Medium. Process isolation but shared filesystem. |
| Shared process | MCPJungle, Lunar MCPX (core) | Highest. All servers share one process space. |
| Managed | Composio, TrueFoundry | Provider-managed. You trust the vendor's isolation. |
2. Policy granularity
Can you control access per tool, per server, per agent, or only globally?
Lunar MCPX offers the finest granularity: global, per-service, and per-tool ACLs. agentgateway uses CEL policies that can match on any request attribute. ToolHive enforces at the container level. Most others enforce per-server or globally.
3. Audit completeness
Every production deployment needs answers to: who called what tool, when, with what arguments, and what was returned?
TrueFoundry and Composio provide the most complete audit logs, including request/response payloads, latency, error codes, and cost attribution. Open-source options vary: Lunar MCPX claims an immutable audit trail but the architecture is not fully public. agentgateway exports to OpenTelemetry, giving you audit data in whatever observability stack you already use.
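One way to make a tool-call audit log tamper-evident is to chain each record to the hash of the previous one. The sketch below is an added example and does not describe how Lunar MCPX or any other gateway on this page implements its audit trail; the record fields follow the who/what/when/arguments/result questions above, and the agent names, tools and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value for the first record

def _digest(body):
    # Canonical JSON (sorted keys, fixed separators) so a record always hashes the same.
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def append(log, agent, tool, arguments, result, ts):
    """Append one tool-call record linked to the hash of the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"ts": ts, "agent": agent, "tool": tool,
            "arguments": arguments, "result": result, "prev": prev}
    log.append({**body, "hash": _digest(body)})
    return log[-1]

def verify(log):
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def build_sample_log():
    """Three constructed tool calls."""
    log = []
    append(log, "agent-7", "files.list_files", {"path": "/reports"},
           "ok: 12 entries", "2026-06-01T10:00:00Z")
    append(log, "agent-7", "files.delete_file", {"path": "/reports/q1.csv"},
           "denied: role=analyst", "2026-06-01T10:00:02Z")
    append(log, "agent-2", "crm.lookup", {"id": 7},
           "ok: 1 row", "2026-06-01T10:00:05Z")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))            # -1
    log[1]["result"] = "ok"                  # rewrite a denial after the fact
    print("first bad record:", verify(log))  # 1
```

The chain detects edits and deletions inside the log, but not truncation from the tail; the latest hash has to be stored somewhere the gateway host cannot rewrite.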
4. Transport compatibility
MCP supports three transports: stdio, HTTP with SSE, and streamable HTTP. Not every gateway supports all three.
| Transport | Bifrost | Lunar | ToolHive | agentgateway | Docker | Microsoft |
|---|---|---|---|---|---|---|
| stdio | Yes | No | Yes | Yes | Yes | No |
| HTTP/SSE | No | Yes | Yes | Yes | Yes | Yes |
| Streamable HTTP | No | Yes | No | Yes | No | Yes |
If your MCP servers use stdio (the most common for local servers), check that your gateway supports it before committing.
5. Scale characteristics
| Gateway | Tested RPS | Overhead | Horizontal scaling |
|---|---|---|---|
| Bifrost | 5,000 | 11 microseconds | Manual |
| agentgateway | N/A (no published data) | Sub-millisecond (Rust) | K8s-native |
| ToolHive | N/A | Container startup + runtime | K8s Operator |
| Lunar MCPX | N/A | Milliseconds (TS/Go) | Enterprise tier |
| Composio | Managed | Managed | Managed |
How MCP gateways fit with LLM gateways
An MCP gateway handles tool calls. An LLM gateway like Requesty handles model calls. In production, you use both:
Agent SDK
├── Model calls → Requesty AI Gateway → OpenAI / Anthropic / Google / 400+ models
└── Tool calls → MCP Gateway → MCP Servers (GitHub, Slack, DBs, APIs)
Requesty routes the LLM traffic with smart routing, failover, caching, and cost controls. Your MCP gateway routes the tool traffic with auth, rate limiting, and audit logging. Together, they give you full observability and governance over both layers of your agent stack.
For teams using Requesty's MCP integration, you can also expose Requesty's routing policies as MCP tools, letting agents call route_to_best_model as a tool action within their MCP workflow.
Decision matrix
| Your Situation | Recommended Gateway | Why |
|---|---|---|
| Ultra-low latency, same-cluster servers | Bifrost | 11 microsecond overhead via stdio |
| Fine-grained per-tool access control | Lunar MCPX | Three-level ACL model |
| Container isolation is non-negotiable | ToolHive | OCI container per server, vMCP optimizer |
| Standards-based, Linux Foundation backing | agentgateway | CEL policies, A2A support, Rust performance |
| Docker-native development workflow | Docker MCP Gateway | OCI-signed catalog, Docker Desktop integration |
| Azure and Kubernetes | Microsoft MCP Gateway | Entra ID RBAC, AKS-native |
| Multi-protocol (MCP + A2A + REST + gRPC) | IBM ContextForge | Multi-cluster federation |
| 500+ managed integrations, no self-hosting | Composio | SOC 2, managed auth, agent SDK integrations |
| Full enterprise compliance (HIPAA, GDPR) | TrueFoundry | RBAC, PII redaction, compliance logging |
| Self-hosted catalog with GitOps admin | Obot | MIT license, curated catalog, multi-role RBAC |
The bottom line
The MCP gateway you choose depends on what you value most: raw performance (Bifrost), governance depth (Lunar MCPX), isolation strength (ToolHive), or operational simplicity (Composio). Most production deployments will combine an MCP gateway for tool governance with an LLM gateway like Requesty for model routing. The two layers are complementary, not competitive, and together they give you full control over your agent infrastructure.
Frequently asked questions
- What is an MCP gateway?
- An MCP gateway sits between AI agents and MCP tool servers. It handles authentication, authorization, rate limiting, audit logging, and traffic routing for all tool calls. Instead of each agent connecting to each MCP server directly, agents connect to one gateway, and the gateway manages every downstream connection with centralized policy enforcement.
- Which MCP gateway has the lowest latency?
- Bifrost reports 11 microseconds of overhead per request at 5,000 requests per second, the lowest of any MCP gateway tested. It is written in Go, maintains persistent connections via a long-lived subprocess, and uses a stdio transport that avoids HTTP overhead entirely. For HTTP-based gateways, agentgateway (written in Rust) is the fastest, with sub-millisecond routing overhead.
- Which MCP gateway is best for enterprise compliance?
- TrueFoundry and Composio lead on enterprise compliance. TrueFoundry offers RBAC, PII redaction, HIPAA and GDPR compliance, rate limiting, and budget controls in a single platform. Composio holds SOC 2 Type II certification and manages 500+ integrations with enterprise-grade auth. For open-source self-hosted compliance, Lunar MCPX offers the most granular access control model.
- How do MCP gateways work with LLM routing gateways?
- MCP gateways and LLM routing gateways serve different layers. An LLM gateway like Requesty routes model API calls (completions, embeddings) across providers. An MCP gateway routes tool calls from agents to tool servers. In a production stack, you use both: Requesty routes the LLM traffic, and an MCP gateway routes the tool traffic. Some platforms like Requesty also provide MCP tool routing alongside model routing.
- Is there an open-source MCP gateway?
- Yes, multiple. Bifrost (Go, MIT), ToolHive (Apache 2.0), agentgateway (Apache 2.0, Linux Foundation), Docker MCP Gateway (open source), Microsoft MCP Gateway (open source), IBM ContextForge (MIT), Lunar MCPX (MIT core), and MCPJungle (open source) all offer open-source options. The most popular by GitHub stars are ToolHive and agentgateway.

