Operations & Gateways
How to Choose an MCP Gateway: A Buyer's Guide
By Ralph Duin·
The best MCP gateway for your team is the one that passes seven tests: credential isolation, policy and approvals, audit logging, a deployment model that matches your data boundary, token efficiency, registry and discovery, and a pricing model that survives scale. This guide turns each test into concrete questions you can put to any candidate — no rankings, no vendor lists.
Rankings age badly in a market this young; evaluation criteria do not. Score every candidate — including "build it ourselves" and "do nothing" — against the same seven criteria, weight them for your situation, and the decision usually makes itself. If you are still unsure what a gateway is versus a plain proxy, start with MCP Gateway vs Proxy vs Router and the gateway overview.
Criterion 1: Credential Isolation
The single most important question: after deployment, do your AI clients still hold downstream secrets?
Without a gateway, every API key gets pasted into every client's config file — plaintext JSON on disk, multiplied across each machine and each tool. A gateway only fixes this if it actually takes custody of the credentials and clients authenticate to the gateway instead.
Ask each candidate:
- Where are downstream credentials stored at rest, and how are they encrypted? (OS keychain, cloud KMS, vault integration — "in a config file on the gateway host" is not isolation.)
- Can a connected client ever read a credential back, or only cause it to be used?
- How do clients authenticate to the gateway itself — per-client tokens, OAuth, or a shared secret? Shared secrets recreate the original problem one layer up.
- What does revoking one client, one user, or one downstream integration take?
If a candidate fails here, the remaining criteria barely matter. Credential sprawl is the risk a gateway exists to remove; the broader threat model is laid out in our MCP security guide.
Criterion 2: Policy and Approvals
Tool calls are actions, and some actions need a gate. Evaluate the policy engine on expressiveness and placement:
- Granularity. Can you allow a server but deny one of its tools? Allow reads but require approval for writes or deletes?
- Identity-awareness. Do policies bind to who is calling — user, client, agent — or only to what is called? Policy without identity is a global switch, not access control.
- Approvals. For sensitive tools, can the gateway hold a call until a human approves it? Where does the approval surface — a desktop prompt, Slack, a dashboard?
- Default posture. What happens for a brand-new server: everything allowed until denied, or denied until allowed?
A practical test: take your most dangerous real tool (a production database write, a payments API) and ask the vendor to demo the exact policy you would want around it.
Criterion 3: Audit
When something goes wrong — and with autonomous tool use, something eventually does — the audit log is the difference between a forensic timeline and guesswork.
- Is every tool call logged with identity, tool name, arguments, outcome, and timing — including discovery queries and denied calls?
- Is the log structured and queryable, or prose in a text file?
- Can it be exported or streamed to your SIEM and observability stack?
- Can the log be altered by the same people whose actions it records?
Match the schema against what you actually need to answer later: "which agents touched customer data this quarter" is a one-line query in a good audit system and a week of grepping in a bad one. See MCP monitoring and observability for what a complete telemetry picture looks like.
Criterion 4: Deployment Model — Local vs Cloud
Where the gateway runs decides where your traffic and secrets go. There are three honest options:
- Local. The gateway runs on the developer's machine. Tool traffic and credentials never leave the laptop unless you route them out. Best privacy posture, lowest setup cost; management is per-machine.
- Self-hosted. The gateway runs in your VPC or on-prem. You keep the data boundary and inherit the ops burden: availability, upgrades, scaling.
- Vendor cloud. Fastest to adopt and easiest to manage centrally — and every tool call and possibly every credential transits a third party. That is a real data-processing relationship; involve security and legal.
Ask: can you start local and grow into a managed control plane without replatforming? Teams that pick a cloud-only gateway for a five-person pilot often discover the data-boundary conversation only at procurement time.
Criterion 5: Token Efficiency
This criterion is invisible in demos and dominant in production. Most MCP clients inject the full tool definitions of every connected server into the model's context before the conversation starts. An aggregating gateway can make this worse — one endpoint now fronting the combined tool list of everything behind it.
- Does the gateway expose all backend tools to the client at once, or does it support on-demand discovery — a compact dispatcher the model queries for relevant tools per request?
- Can you filter or scope which tools each client sees?
- Can you measure per-client token overhead before and after?
The mechanics and the audit method get a full article in How to Cut MCP Token Usage. For evaluation purposes, one question suffices: "If I connect twenty servers, what does my client's context window look like?"
Criterion 6: Registry and Discovery
A gateway is only as useful as its knowledge of what is behind it.
- Is there a catalog of available servers and tools, with search — for humans and for agents?
- How do new servers get added: config file edit and restart, or a managed onboarding flow with health checks?
- Are entries governed — ownership, approval status, version pinning — or is the registry just a list?
- Can different users or teams see different slices of the catalog?
The registry is also where supply-chain trust lives: an ungoverned catalog happily routes agents to an unvetted or tampered server. The full argument is in MCP Server Registry: Discovery, Versioning, Trust and the registry pillar page.
Criterion 7: Pricing Model
MCP gateway pricing varies across a few axes; model your cost at 10× current usage on each:
- Per-seat — predictable, fits team tooling; check what happens to non-human identities (service agents, CI).
- Per-call or usage-based — cheap to start; an agent loop that retries a failing tool all night is now a billing event.
- Flat / free local tier — best for evaluation; check what is actually gated behind the paid tier (often the team/policy/audit layer).
Also price the alternative honestly: a self-built gateway costs the engineering time to build credential storage, policy, and audit — then the permanent on-call to keep it alive.
The Printable Checklist
Score each candidate 0–2 per line (0 = absent, 1 = partial, 2 = strong), weight what matters for your deployment, and compare totals.
MCP GATEWAY EVALUATION — candidate: ____________________ date: ________
CREDENTIAL ISOLATION
[ ] Clients hold zero downstream secrets after setup
[ ] Secrets encrypted at rest (keychain / KMS / vault)
[ ] Per-client authentication to the gateway (no shared secret)
[ ] One-step revocation per client / user / integration
POLICY & APPROVALS
[ ] Per-tool allow / deny (not just per-server)
[ ] Policies bind to caller identity
[ ] Human-approval gate for designated tools
[ ] Deny-by-default available for new servers
AUDIT
[ ] Every call logged: identity, tool, args, outcome, timing
[ ] Denied and discovery requests also logged
[ ] Structured + queryable; SIEM export
[ ] Log tamper-resistant relative to admins
DEPLOYMENT
[ ] Mode matches our data boundary (local / self-hosted / cloud)
[ ] Local-first path exists; can grow to managed without replatform
[ ] Clear statement of what data transits the vendor
TOKEN EFFICIENCY
[ ] On-demand tool discovery (not all-tools-up-front)
[ ] Per-client tool filtering / scoping
[ ] Token overhead is measurable
REGISTRY & DISCOVERY
[ ] Searchable catalog for humans and agents
[ ] Governed onboarding (ownership, approval, versions)
[ ] Per-user / per-team catalog visibility
PRICING
[ ] Model survives 10x usage growth
[ ] Non-human identities priced sanely
[ ] Free / local tier sufficient for a real evaluation
Frequently Asked Questions
What is the best MCP gateway?
The one that scores highest against your weighted criteria — there is no universal answer. A solo developer should weight credential isolation, token efficiency, and a free local tier; a platform team in a regulated industry should weight policy, audit, and deployment model. Run a structured checklist against every candidate, including building in-house.
Do I need an MCP gateway if I only use two or three MCP servers?
For trusted, read-only servers on one machine, possibly not — a simple proxy or direct connections may suffice. The threshold is risk, not count: the day one server can write to production data or spend money, you need policy and audit, which means a gateway.
Should we build our own MCP gateway?
Treat "build" as a candidate and score it like the rest. It tends to win on deployment fit and lose on everything that takes sustained engineering — policy engines, audit pipelines, credential custody — plus the ongoing maintenance as the MCP spec evolves. Be honest about who owns it in year two.
How long should an MCP gateway evaluation take?
A focused two-week pilot is usually enough: week one to connect your real servers and clients and verify credential isolation, week two to exercise policy, approvals, and audit against your riskiest workflow. If a candidate cannot show all seven criteria working in two weeks, that is itself a result.
Put MCP Beast Through the Checklist
We built MCP Beast to score well on exactly these seven lines: Keychain-held credentials on the free Mac app, per-tool policy and approvals, a structured audit log per call, a local-first deployment model that grows into a team control plane, on-demand tool discovery instead of all-tools-up-front, and a built-in registry. Run the checklist against it yourself — download the free Mac app or talk to us about Enterprise.
Related: