Your first governed tool call
This is the end‑to‑end loop that makes MCP Gateway “governed”: you only ever see the tools policy allows, calls are enforced and brokered at the data plane, and everything lands in the audit trail.
- Discover what you can use. The catalog is policy‑filtered — tools you aren’t allowed to call don’t appear at all.
- Call an allowed tool. The data plane authenticates you, evaluates policy, brokers the credential, and routes to the approved backend.
- See it in the audit trail. Both the allowed call and any denied attempt are recorded as metadata‑only events.
1 · Discover allowed tools (catalog‑lite)
- Open Govern → Catalog in the console.
- The catalog shows only the servers and tools your policy permits — unauthorized tools are hidden, not greyed out.

curl "$GATEWAY/v1/catalog/capabilities?environment_id=prod" \
  -H "authorization: Bearer $TOKEN"

queryCatalogLite in the API reference →

gatewayctl call-tool --help

Discovery is exposed via the API (GET /v1/catalog/capabilities). Use gatewayctl call-tool to invoke a tool once you know its name.
2 · Call an allowed tool
The actual tool invocation happens at the data plane (:8081), which enforces policy and brokers credentials on every request.
- From the catalog, open a tool you're allowed to call.
- Fill in the tool's input fields and run it — the response comes back through the gateway.

curl -X POST "$DATA_PLANE/v1/mcp/servers/legal-contract-review" \
  -H "authorization: Bearer $TOKEN" \
  -H "content-type: application/json" \
  --data '{"jsonrpc":"2.0","id":"1","method":"tools/call",
  "params":{"name":"contract_read","arguments":{}}}'

gatewayctl call-tool --server legal-contract-review --tool contract_read

Every gatewayctl verb accepts --format text|json.
3 · See it in the audit trail
Every decision — allow or deny — is recorded. Head to Search the audit trail to find the two events you just generated.
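
The tools/call request from step 2, built and checked programmatically. This is an added example, not code from the MCP Gateway project. The name pattern, the status labels and any sample responses fed to `classify` are assumptions; the response fields checked are the JSON-RPC 2.0 `result`/`error` members and the MCP `isError` flag.

```python
import json
import re

# Assumption: a conservative character set for server and tool names, so a
# name can never alter the URL path it is interpolated into.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def build_call(data_plane, token, server, tool, arguments=None, request_id="1"):
    """Return (url, headers, body) for the data-plane tools/call request."""
    for label, value in (("server", server), ("tool", tool)):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"unsafe {label} name: {value!r}")
    body = {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": tool, "arguments": arguments or {}},
    }
    url = f"{data_plane.rstrip('/')}/v1/mcp/servers/{server}"
    headers = {
        "authorization": f"Bearer {token}",
        "content-type": "application/json",
    }
    # json.dumps handles all quoting, unlike a hand-written --data string.
    return url, headers, json.dumps(body).encode()


def classify(http_status, raw_body, request_id="1"):
    """Map a response to a label (labels are this example's own)."""
    if not 200 <= http_status < 300:
        return "http_error"          # rejected before a JSON-RPC reply
    try:
        msg = json.loads(raw_body)
    except ValueError:
        return "malformed"
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return "malformed"
    if msg.get("id") != request_id:
        return "id_mismatch"         # reply does not belong to this request
    if "error" in msg:
        return "rpc_error"           # JSON-RPC level failure
    result = msg.get("result")
    if not isinstance(result, dict):
        return "malformed"
    # MCP reports tool-level failures inside a successful JSON-RPC result.
    return "tool_error" if result.get("isError") else "ok"
```

Anything other than `ok` is worth looking up in the audit trail, since every decision is recorded there.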