MCP Gateway
STOA's MCP Gateway is a purpose-built MCP-native API Gateway, enabling AI agents like Claude, GPT, and custom LLM applications to securely consume enterprise APIs through the Model Context Protocol.
Overview
The MCP Gateway acts as the bridge between AI agents and your API ecosystem. It handles authentication, rate limiting, subscription validation, and multi-tenant isolation, all while speaking the native MCP protocol.
Current Implementation
The MCP Gateway is built with Python and FastAPI for rapid development and flexibility.
| Aspect | Details |
|---|---|
| Language | Python 3.12+ |
| Framework | FastAPI (async) |
| Policy Engine | OPA (Open Policy Agent) |
| Protocol | MCP 2024-11-05 |
A high-performance Rust + Tokio + Hyper implementation is planned for Q4 2026, bringing:
- Kernel-level eBPF acceleration
- Sub-millisecond latency overhead
- Significantly reduced memory footprint
See our Roadmap for details.
Key Features
Enterprise Security
- Keycloak OIDC integration with multi-realm per tenant
- JWT token validation with audience mapping
- API key management with automatic rotation
Multi-Tenant Isolation
- Kubernetes namespace per tenant (tenant-{name})
- Network policies preventing cross-tenant communication
- Per-tenant rate limiting and quotas
Full Observability
- Prometheus metrics on port 9090
- Request tracing with correlation IDs
- Usage analytics per subscription
Production Ready
- Async request handling with FastAPI
- Kafka/Redpanda-based metering pipeline
- Connection pooling and request batching
- OPA-based policy enforcement
MCP Protocol Support
STOA implements the full MCP specification (version 2024-11-05) with enterprise extensions.
Supported Methods
| Method | Description |
|---|---|
| tools/list | Discover available tools |
| tools/call | Invoke a tool |
| resources/list | List available resources |
| resources/read | Read resource content |
| prompts/list | List available prompts |
| prompts/get | Get prompt template |
Transport Options
- HTTP/SSE: Server-Sent Events for streaming responses
- WebSocket: Bidirectional communication (planned)
Authentication Flow
Multi-Tenant Tool Visibility
Each tenant only sees tools they're authorized to access:
| Tenant | Visible Tools |
|---|---|
| Parzival (High Five) | stoa_*, highfive:* |
| Sorrento (IOI) | stoa_*, ioi:* |
| Halliday (Admin) | All tools (cross-tenant) |
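
The following added example (not STOA's own code) shows one way to enforce the table above in Python: the same deny-by-default pattern check filters tools/list and is repeated on tools/call, because hiding a tool from discovery does not stop a client from naming it directly. The tenant keys, the catalog entries other than stoa_catalog, and the function names are assumptions, and the tenant is assumed to come from the validated JWT, never from the request body.

```python
from fnmatch import fnmatchcase

# Constructed policy mirroring the visibility table; tenant keys are hypothetical.
TENANT_TOOL_PATTERNS = {
    "parzival": ("stoa_*", "highfive:*"),
    "sorrento": ("stoa_*", "ioi:*"),
    "halliday": ("*",),  # admin: all tools, cross-tenant
}

# Constructed catalog; only stoa_catalog appears on the page.
CATALOG = ["stoa_catalog", "highfive:leaderboard", "ioi:loyalty_centers", "ioi:roster"]

# Simplified JSON-RPC error body; identical for unknown and forbidden tools
# so the response does not reveal which hidden tool names exist.
UNKNOWN_TOOL = {"error": {"code": -32602, "message": "Unknown tool"}}


def is_tool_allowed(tenant: str, tool_name: str) -> bool:
    """Deny by default: a tenant with no policy entry matches nothing."""
    patterns = TENANT_TOOL_PATTERNS.get(tenant, ())
    return any(fnmatchcase(tool_name, p) for p in patterns)


def handle_tools_list(tenant: str) -> dict:
    """Build a tools/list result holding only the tools this tenant may see."""
    return {"tools": [{"name": n} for n in CATALOG if is_tool_allowed(tenant, n)]}


def handle_tools_call(tenant: str, request: dict) -> dict:
    """Re-check authorization at invocation time, not only at discovery."""
    params = request.get("params")
    name = params.get("name") if isinstance(params, dict) else None
    if not isinstance(name, str) or name not in CATALOG:
        return UNKNOWN_TOOL
    if not is_tool_allowed(tenant, name):
        return UNKNOWN_TOOL
    # A real gateway would forward to the backend API here.
    return {"result": {"content": [{"type": "text", "text": f"dispatched {name}"}]}}


if __name__ == "__main__":
    print(handle_tools_list("parzival"))
    cross = {"method": "tools/call", "params": {"name": "ioi:roster", "arguments": {}}}
    print(handle_tools_call("parzival", cross))  # denied: tool belongs to another tenant
```
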
Configuration
Environment Variables
```bash
# Server
MCP_GATEWAY_HOST=0.0.0.0
MCP_GATEWAY_PORT=3001

# Control Plane
CONTROL_PLANE_URL=http://control-plane:8080

# Keycloak
KEYCLOAK_URL=https://auth.<YOUR_DOMAIN>
KEYCLOAK_REALM=stoa

# OPA (for policies)
OPA_URL=http://opa:8181
```
Kubernetes Deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mcp-gateway
  namespace: stoa-system
spec:
  replicas: 3
  template:
    spec:
      containers:
        - name: mcp-gateway
          image: stoaplatform/mcp-gateway:latest
          ports:
            - containerPort: 3001
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: 2000m
              memory: 2Gi
```
Integration with Claude.ai
STOA MCP Gateway integrates directly with Claude.ai through the MCP connector:
- Configure MCP Server in Claude.ai settings
- Authenticate with your STOA API key
- Discover tools automatically via tools/list
- Invoke tools through natural conversation
Example Tool Invocation
```json
{
  "method": "tools/call",
  "params": {
    "name": "stoa_catalog",
    "arguments": {
      "action": "list",
      "status": "active"
    }
  }
}
```
Metrics & Monitoring
Prometheus Metrics
| Metric | Type | Description |
|---|---|---|
| mcp_requests_total | Counter | Total MCP requests |
| mcp_request_duration_seconds | Histogram | Request latency |
| mcp_tool_invocations_total | Counter | Tool invocations by name |
| mcp_errors_total | Counter | Errors by type |
Grafana Dashboard
Pre-built dashboards available for:
- Request throughput and latency
- Tool invocation patterns
- Error rates by tenant
- Rate limiting events
Next Steps
- Quick Start Guide - Get started with STOA
- API Reference - MCP Gateway endpoints
- Authentication Guide - Configure auth