The three interfaces

Every governed operation in MCP Gateway is available three ways. Throughout these docs each task is shown in all three so you can use whichever fits your workflow — clicking through a console, scripting against the API, or running a command in CI.

Web UI

The control‑plane console is organized into five workspaces — Govern, Access, Operate, Investigate, and Settings — plus an Overview. It’s the fastest way to review submissions, author policy, and investigate audit events interactively.

Admin API

The control plane serves a REST admin API under /v1/... on port :8080. It is the source of truth that the UI itself calls, specified in an OpenAPI 3.1 contract. Browse the full, generated API reference.

# Convention used in every API snippet:
export GATEWAY="https://your-gateway.example.com"
export TOKEN="<your access token>"   # see Authenticate to the gateway

curl "$GATEWAY/v1/identity/me" -H "authorization: Bearer $TOKEN"

The data plane (runtime enforcement and MCP routing) serves a separate, narrower surface on port :8081 — see Control plane vs data plane.

CLI — gatewayctl

gatewayctl is the Go command‑line tool for onboarding, policy, diagnostics, and operations. Every verb accepts --format text|json, so the same command works for a human at a terminal and for a script.

gatewayctl simulate-policy --help
gatewayctl search-audit --environment prod --format json

Parity, not duplication

A few operations are reachable through the UI and API but do not yet have a dedicated gatewayctl verb (for example, approvals and role bindings). On those pages the CLI tab says so explicitly and points you at the API rather than inventing a command.