An MCP server exposes tools. delete_repository, create_charge, execute_query. The agent calls whatever it decides to call, and the server runs it. Nothing sits in between.

Connect a coding agent to a GitHub MCP server and it can delete a repository as readily as it can read one. Point it at a Stripe server and create_refund is one tool call away from list_charges. The Model Context Protocol defines how tools are discovered and invoked. It does not define who is allowed to invoke what. An MCP gateway is the layer that adds that missing decision.

What is an MCP gateway

An MCP gateway is a proxy that sits between your AI clients and the MCP servers they call. Every tools/call leaves the client, reaches the gateway first, and is evaluated against policy before it is forwarded upstream. The gateway allows the call, denies it, or hides the tool from the agent, and can attach argument-level conditions and quota limits.

It is the same architectural idea as an API gateway, applied to agent tool calls. A single control point in front of many backends. The difference is what it inspects: not REST routes, but MCP method calls and their arguments, made by a non-deterministic caller that can be steered by the content it reads.