Security model overview
MCP Gateway’s security posture rests on a few load‑bearing principles. Understanding them explains why the defaults are what they are.
Default‑deny, everywhere
Nothing is reachable until it is explicitly registered, approved, projected into the data plane, and permitted by policy. Discovery is policy‑filtered, so a caller can’t even enumerate capabilities it isn’t allowed to use. See Authorization & policy.
Authority lives in the control plane
The data plane enforces projected truth; it never holds standalone authority. That’s why revocation and emergency‑disable take effect on the next request everywhere, rather than waiting for a cache to expire.
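The two principles above, modelled as an added example in Python (this is not MCP Gateway's own code, and the class names, the "server/tool" key format and the principal names such as agent:triage are assumptions made for illustration). The control plane holds the registry, the approval and projection flags and the policy; the data plane asks for the current projection on every request and intersects it with the caller's allow set, so an unknown principal sees nothing, an approved‑but‑unprojected tool is invisible even when policy permits it, and a revocation or emergency‑disable flipped in the control plane is honoured on the very next request without any cache expiry:

```python
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Capability:
    """A registered upstream tool. Registration alone makes nothing reachable."""
    server: str
    tool: str
    approved: bool = False   # passed review
    projected: bool = False  # published by the control plane into the data-plane view
    disabled: bool = False   # emergency-disable switch

    @property
    def key(self) -> str:
        return f"{self.server}/{self.tool}"


@dataclass(frozen=True)
class Projection:
    """The view the data plane enforces; it carries no authority of its own."""
    version: int
    reachable: frozenset[str]          # approved + projected + not disabled
    allow: dict[str, frozenset[str]]   # principal -> capability keys policy permits


class ControlPlane:
    """Single source of authority; every mutation bumps the projection version."""

    def __init__(self) -> None:
        self.version = 0
        self._caps: dict[str, Capability] = {}
        self._allow: dict[str, set[str]] = {}

    def register(self, cap: Capability) -> None:
        self._caps[cap.key] = cap
        self.version += 1

    def _set(self, key: str, **flags: bool) -> None:
        self._caps[key] = replace(self._caps[key], **flags)
        self.version += 1

    def approve(self, key: str) -> None: self._set(key, approved=True)
    def project(self, key: str) -> None: self._set(key, projected=True)
    def emergency_disable(self, key: str) -> None: self._set(key, disabled=True)

    def grant(self, principal: str, key: str) -> None:
        self._allow.setdefault(principal, set()).add(key)
        self.version += 1

    def revoke(self, principal: str, key: str) -> None:
        self._allow.get(principal, set()).discard(key)
        self.version += 1

    def projection(self) -> Projection:
        reachable = frozenset(c.key for c in self._caps.values()
                              if c.approved and c.projected and not c.disabled)
        return Projection(self.version, reachable,
                          {p: frozenset(k) for p, k in self._allow.items()})


class DataPlane:
    """Evaluates each request against the current projection; no TTL cache to wait out."""

    def __init__(self, control_plane: ControlPlane) -> None:
        self._cp = control_plane

    def _visible(self, principal: str) -> tuple[int, frozenset[str]]:
        proj = self._cp.projection()
        # Default-deny: an unknown principal has an empty allow set.
        return proj.version, proj.reachable & proj.allow.get(principal, frozenset())

    def list_tools(self, principal: str) -> list[str]:
        """tools/list is policy-filtered: the caller sees only what it may use."""
        return sorted(self._visible(principal)[1])

    def call_tool(self, principal: str, key: str) -> dict:
        version, visible = self._visible(principal)
        if key not in visible:
            # One answer whether the tool is unregistered, unapproved, unprojected,
            # disabled or merely not permitted, so callers cannot probe the registry.
            return {"ok": False, "error": "unknown tool", "policy_version": version}
        return {"ok": True, "tool": key, "policy_version": version}


def demo() -> dict:
    """Constructed scenario; returns the observations the principles predict."""
    cp = ControlPlane()
    for cap in (Capability("github", "create_issue"), Capability("github", "delete_repo"),
                Capability("jira", "search")):
        cp.register(cap)
    for key in ("github/create_issue", "github/delete_repo"):
        cp.approve(key)
        cp.project(key)
    cp.approve("jira/search")  # approved but never projected
    for key in ("github/create_issue", "github/delete_repo", "jira/search"):
        cp.grant("agent:triage", key)  # jira/search stays invisible until projected
    dp = DataPlane(cp)
    out = {"before": dp.list_tools("agent:triage"),
           "stranger": dp.list_tools("agent:unknown"),
           "call_before": dp.call_tool("agent:triage", "github/create_issue")["ok"]}
    cp.revoke("agent:triage", "github/delete_repo")  # policy revocation
    cp.emergency_disable("github/create_issue")      # capability kill switch
    out["after"] = dp.list_tools("agent:triage")
    out["call_after"] = dp.call_tool("agent:triage", "github/create_issue")["ok"]
    return out
```

The one design choice worth copying is in call_tool: a tool that exists but is not permitted gets the same "unknown tool" answer as one that was never registered, which is what keeps the discovery filter from being reconstructed by probing.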
Secrets never cross the boundary
The credential broker resolves secrets at the edge and injects them only into the upstream call. Secrets are never returned to the agent and never written to logs, fixtures, docs, or audit. Audit records the credential mode, not the value.
Audit is metadata‑only
The audit trail records decisions, versions, and safe metadata — never raw tool arguments or secret material. This is a deliberate guarantee, not an oversight: it’s what makes broad search, export, and SIEM delivery safe.
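The broker and audit guarantees from the two sections above, as one added Python example (not MCP Gateway's code; the vault layout, the credential reference names, the audit field names and the fake_upstream stand‑in for the real HTTP client are all assumptions). The credential is looked up by reference at the edge and placed only in the header handed to the upstream call; what returns to the agent is the upstream body, and what lands in audit is the decision, the credential reference and mode, a truncated SHA‑256 of the canonicalised arguments and their size. A leaks() check then confirms that neither the secret values nor the raw argument strings appear anywhere in the serialised records:

```python
from __future__ import annotations
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

# Constructed vault contents. Only the broker reads this; the agent never can.
VAULT = {
    "cred/github/bot": {"mode": "bearer", "value": "ghp_EXAMPLE_SECRET_VALUE"},
    "cred/jira/svc":   {"mode": "basic",  "value": "svc:EXAMPLE_PASSWORD"},
}


@dataclass(frozen=True)
class ToolBinding:
    tool: str
    upstream_url: str
    credential_ref: str  # a reference; the value is resolved only at the edge


def args_fingerprint(args: dict) -> str:
    """Non-reversible handle for correlating requests; raw arguments stay out of audit."""
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def auth_header(cred: dict) -> dict[str, str]:
    """Build the upstream Authorization header for the credential mode."""
    if cred["mode"] == "bearer":
        return {"Authorization": f"Bearer {cred['value']}"}
    if cred["mode"] == "basic":
        token = base64.b64encode(cred["value"].encode()).decode()
        return {"Authorization": f"Basic {token}"}
    raise ValueError(f"unsupported credential mode {cred['mode']!r}")


def fake_upstream(url: str, headers: dict, body: dict) -> dict:
    """Constructed stand-in for the real HTTP call; the only place the live credential goes."""
    scheme = headers.get("Authorization", "").split(" ", 1)[0]
    return {"status": 201, "body": {"id": 42, "auth_scheme_seen": scheme, "url": url}}


class Broker:
    """Resolves the credential at the edge, injects it upstream, audits metadata only."""

    def __init__(self, vault: dict, upstream: Callable[[str, dict, dict], dict]) -> None:
        self._vault = vault
        self._upstream = upstream
        self.audit: list[dict] = []

    def call(self, principal: str, binding: ToolBinding, args: dict) -> dict:
        cred = self._vault[binding.credential_ref]
        resp = self._upstream(binding.upstream_url, auth_header(cred), args)
        self.audit.append({
            "principal": principal,
            "tool": binding.tool,
            "decision": "allow",
            "credential_ref": binding.credential_ref,
            "credential_mode": cred["mode"],         # the mode, never the value
            "args_sha256_16": args_fingerprint(args),
            "args_bytes": len(json.dumps(args)),
            "upstream_status": resp["status"],
        })
        # Only the upstream response body returns to the agent; the header never does.
        return resp["body"]


def leaks(records: list[dict], forbidden: list[str]) -> list[str]:
    """Every forbidden string that appears anywhere in the serialised records."""
    blob = json.dumps(records)
    return [s for s in forbidden if s in blob]


def demo() -> dict:
    broker = Broker(VAULT, fake_upstream)
    binding = ToolBinding("github/create_issue",
                          "https://api.github.com/repos/acme/app/issues", "cred/github/bot")
    args = {"title": "Login page 500s", "body": "repro: customer id 8841"}  # constructed
    result = broker.call("agent:triage", binding, args)
    secrets = [c["value"] for c in VAULT.values()]
    return {
        "result": result,
        "secret_in_result": bool(leaks([result], secrets)),
        "secret_in_audit": bool(leaks(broker.audit, secrets)),
        "args_in_audit": bool(leaks(broker.audit, ["Login page 500s", "customer id 8841"])),
        "audit_record": broker.audit[0],
    }
```

A check like leaks() belongs in the test suite of any gateway that makes this guarantee: run it over the audit output with every vault value and every request argument, and fail the build if anything matches. The fingerprint is what keeps correlation possible after the raw arguments are gone.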
Constrained connectivity
Private routing and the API‑to‑MCP adapter enforce host allowlists and SSRF boundaries. There is no arbitrary URL proxying, no private‑endpoint bypass, and no secrets in schemas.
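What such a boundary has to check, as an added Python example that is not MCP Gateway's implementation (the allowlist contents, the function names and the reason strings are assumptions). It gates an upstream URL three times: once on the URL itself (scheme, embedded userinfo, exact host match, expected port, malformed ports), once on the addresses the resolver actually returned so that an allowlisted name cannot rebind to a private or link‑local endpoint, and once more on every redirect hop. Resolution is left to the caller so the example runs offline; in production the checked addresses must be the ones the connection is pinned to:

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"https"}
# Constructed allowlist: exact upstream hosts the adapter may reach, and the port per host.
HOST_ALLOWLIST: dict[str, int] = {
    "api.github.com": 443,
    "jira.corp.example": 443,
}


def is_forbidden_address(addr: str) -> bool:
    """True for loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254), CGNAT and other non-global ranges."""
    return not ipaddress.ip_address(addr).is_global


def check_upstream(url: str) -> tuple[bool, str]:
    """Decide whether the adapter may open `url` at all; reasons are stable strings for audit."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on an out-of-range or non-numeric port
    except ValueError:
        return False, "malformed_url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme_not_allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo_present"      # e.g. https://api.github.com@evil.example/
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing_host"
    if host not in HOST_ALLOWLIST:
        return False, "host_not_allowlisted"  # also rejects IP literals such as 169.254.169.254
    if (port or 443) != HOST_ALLOWLIST[host]:
        return False, "port_not_allowed"
    return True, "ok"


def check_resolved(addresses: list[str]) -> tuple[bool, str]:
    """Second gate on the addresses the resolver returned for an allowlisted host.

    Every address must be global; one private or link-local answer fails the whole set,
    which is what closes the DNS-rebinding route to internal endpoints.
    """
    if not addresses:
        return False, "unresolved"
    bad = [a for a in addresses if is_forbidden_address(a)]
    return (False, f"resolves_to_non_global:{bad[0]}") if bad else (True, "ok")


def check_redirect(current_url: str, location: str) -> tuple[bool, str, str]:
    """Re-run the full URL check on every redirect hop instead of following it blindly."""
    target = urljoin(current_url, location)
    ok, reason = check_upstream(target)
    return ok, reason, target
```

The exact‑host allowlist is deliberate: suffix or wildcard matching is where "no arbitrary URL proxying" usually erodes, because a pattern like *.example.com ends up covering a host an attacker controls. Note also that a relative Location header is resolved against the current URL before being checked, so a same‑host redirect passes while a redirect to a private or non‑HTTPS target is refused.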
See it illustrated: the trust boundaries and the metadata‑only audit guarantee are shown on the illustrated view of this model.