SMCP Gateway sits between your AI tools and MCP servers. SSO authentication, role-based policies, credential injection, and full audit logging. One config file. One binary. Zero secrets on developer machines.
SSO users via Okta/Entra/Google, API key holders for small teams, and registered agents with delegation limits. All resolve to one identity.
SSO groups map to roles, roles map to tool permissions. Interns read Slack but can't push to GitHub. Agents limited by delegation depth.
API tokens live on the gateway, not on laptops. Three modes per server: gateway-managed, passthrough, or optional fallback.
Every tool call logged with who, what, when, and the allow/deny decision. Structured JSON. OpenTelemetry export. Git-versioned policies.
Humans and agents authenticate through the same gateway. The policy engine doesn't care how you logged in.
Authenticates via corporate IdP. Token prefix: session token from /auth/login
Static key from admin. Token prefix: smcp_key_. Optional expiration date.
Registered with code hash + delegation depth. Token prefix: smcp_agent_
One binary, one config file. Point your MCP client at the gateway URL.
# smcp.yaml listen: ":8080" servers: slack: url: "https://mcp.slack.com/sse" credential_mode: "gateway" credentials: headers: Authorization: "Bearer ${SLACK_BOT_TOKEN}" github: url: "https://api.githubcopilot.com/mcp" credential_mode: "passthrough" api_keys: - name: "alice" key: "${ALICE_KEY}" role: "eng" roles: eng: allow: ["slack:*", "github:*"] intern: allow: ["slack:read_*"] deny: ["github:push_*"]
// ~/.claude.json { "mcpServers": { "slack": { "url": "https://gateway.company.com/mcp/slack", "headers": { "Authorization": "Bearer smcp_key_a8f3..." } }, "github": { "url": "https://gateway.company.com/mcp/github", "headers": { "Authorization": "Bearer smcp_key_a8f3...", "X-GitHub-Token": "ghp_your_pat" } } } }
// .cursor/mcp.json { "mcpServers": { "slack": { "url": "https://gateway.company.com/mcp/slack", "headers": { "Authorization": "Bearer smcp_key_a8f3..." } } } }
# Run the gateway $ smcp-gateway --config smcp.yaml INFO listening on :8080 INFO loaded 2 servers: slack, github INFO loaded 1 API key, 0 agents INFO loaded 2 roles: eng, intern # Or with Docker $ docker run -v ./smcp.yaml:/etc/smcp/smcp.yaml \ -p 8080:8080 \ ghcr.io/smcp-gateway/smcp-gateway:latest
Claude Code, Cursor, or any MCP client sends a request to the gateway URL instead of directly to the MCP server.
Resolves the bearer token to an identity: SSO user, API key holder, or registered agent. For agents, validates code hash and delegation chain.
Evaluates the caller's role against the tool being called. Checks delegation depth for agents. Allow or deny in under 1ms.
Injects the stored API token (gateway mode), forwards the client's own token (passthrough), or falls back to shared credentials (optional). Streams the response back.
Every decision is recorded: who, what tool, allow/deny, latency, delegation chain. Structured JSON, exportable to any observability stack.
The gateway implements ideas from three 2026 papers on MCP and agent security.
Unified identity, security context propagation, fine-grained policy enforcement, audit logging.
98K skills analyzed, 157 confirmed malicious. Data Thieves and Agent Hijackers. Our scanner uses their 14 detection patterns.
Core, Connection, Cognition, Compliance. The gateway implements Core (code hash), Connection (delegation), and Compliance (audit).