Do I need an MCP gateway for Claude?

Not to get started — Claude connects directly to remote MCP servers on every plan, and Claude Code adds local servers with one command. You need a gateway when the rollout grows: Claude Enterprise's audit logs don't include connector or MCP events, Anthropic doesn't security-audit MCP servers, and on Team and Enterprise plans an Owner must add each connector by hand. A gateway puts one governed, logged, curated endpoint behind Claude's own admin controls.

How do I connect Claude to an MCP server?

On claude.ai, add the server's URL as a custom connector (Settings → Connectors; on Team and Enterprise plans only Owners can do this, in Org settings → Connectors), then authenticate via the server's OAuth flow. The server should be a remote MCP server speaking streamable HTTP (the legacy SSE transport still connects but is being deprecated) with OAuth and PKCE — Claude doesn't currently accept pasted bearer tokens. In Claude Code, run claude mcp add or the /mcp command; enterprises can pin servers centrally in a managed-mcp.json file.

Do Claude Enterprise audit logs cover MCP connector activity?

No. As of Anthropic's documentation dated March 2026, the documented audit-log event list covers SSO, projects, membership, and exports — no connector or MCP usage events. Audit logs are also Enterprise-only with a 180-day window. If you need a record of which tools Claude called in which systems with what data, that log has to come from the MCP layer itself — which is what a gateway's request logs provide.

How many MCP tools can Claude handle?

There's no fixed per-server tool cap — per Anthropic's docs, the practical limit is your context-window budget, since every enabled tool's definition competes for context. Claude Code adds a Tool Search feature (on by default) that defers definitions until needed; our Claude Code guide covers the specifics. The real bottleneck is tool quality and governance, not raw count — some gateways expose search-and-execute meta-tools, which keeps context constant regardless of catalog size.

Can admins control which actions a Claude connector can take?

Yes. On Team and Enterprise plans, each tool a connector exposes can be set to Always allow, Needs approval, or Blocked — org-wide, and individual users can't override it. Per Anthropic's docs, 'Restricting actions in Claude never grants more access than the source system permits,' so the source system's permissions still decide what succeeds. These controls are only as usable as the tool list: a curated gateway catalog gives admins a tractable set of clearly named actions to review instead of hundreds of raw API wrappers.

Does Anthropic security-audit the MCP connectors in its directory?

No. Anthropic reviews directory connectors against listing criteria — read/write separation per tool, readOnlyHint/destructiveHint annotations, no prompt-injection patterns in descriptions — but its docs state it 'doesn't security-audit or manage any MCP server.' Its guidance: 'Only connect Claude to servers built and hosted by organizations and applications you trust.' Vetting what's behind each server URL is your job, or your gateway's.

The Best MCP Gateways for Claude in 2026

Last updated: June 2026. Claude capabilities below are drawn from Anthropic’s public documentation as of June 9, 2026; gateway capabilities from each vendor’s documentation. StackOne is one of the products compared — we’ve disclosed our criteria so you can check our work.

An MCP gateway gives Claude one governed connection to many business systems instead of one Owner-added connector per system. It supplies the two things Claude’s own admin plane doesn’t: a security-vetted catalog behind each URL, and an audit trail of tool calls (which Claude Enterprise’s audit logs don’t capture). Claude’s admin plane governs the Claude side — who can add connectors, which actions need approval. The gateway governs what’s behind them. The best MCP gateway for Claude depends on who’s deploying it — verdict: StackOne for Team/Enterprise deployments acting on systems of record (the same URL is verified working in Claude Code — claude mcp add, /mcp OAuth — and can be pinned in managed-mcp.json); Composio for solo builders; Docker for one developer running local servers.

This is the Claude MCP gateway companion to our MCP gateway comparison — read that for the full twelve-vendor field.

How does Claude connect to MCP servers today?

Claude.ai (including Team and Enterprise)

Per Anthropic’s support documentation (dated April 2, 2026), custom connectors via remote MCP servers are available on every plan — Free (one connector max), Pro, Max, Team, and Enterprise. On Team and Enterprise, the control plane is admin-first: only Owners and Primary Owners can add connectors (Org settings → Connectors), and each member then individually enables and authenticates the connector for their own account.

Admins also get action-level controls: each tool a connector exposes can be set to Always allow, Needs approval, or Blocked, org-wide; users can’t override it. Anthropic is precise about the boundary: “Restricting actions in Claude never grants more access than the source system permits” — the source system’s permissions still decide what succeeds.

The technical bar for the server is specific (per Anthropic’s connector-building docs, June 2026): streamable HTTP transport is the going-forward standard (the legacy HTTP+SSE transport still connects but is being deprecated), and OAuth with mandatory PKCE is required — user-pasted bearer tokens are not currently supported. Dynamic Client Registration is the default registration path, with Client ID Metadata Documents, Anthropic-stored credentials, or a custom connection as alternatives. The practical gate: a gateway that can’t serve a remote streamable-HTTP endpoint with OAuth 2.1 isn’t a claude.ai connector candidate.

There’s also a connector directory at claude.ai/directory. Worth quoting exactly: Anthropic reviews directory connectors against its listing criteria — read/write separation per tool, readOnlyHint/destructiveHint annotations, no prompt-injection patterns in descriptions — but, per its own docs, “doesn’t security-audit or manage any MCP server.”

Claude Code

Claude Code supports MCP at three scopes — local, project (a shared .mcp.json), and user — with OAuth via the /mcp command and tokens stored in the system keychain. For enterprises, a managed-mcp.json file gives IT exclusive control over which servers exist — per the docs, “Users cannot add, modify, or use any other MCP servers” — which is why one gateway URL matters there too. Tool count isn’t the bottleneck (Tool Search defers definitions by default); tool quality and governance are. We’ve gone deeper on all of it — managed-mcp.json deployment, Tool Search, CI and devcontainers — in the dedicated Claude Code guide.

What Claude’s native controls don’t cover

Claude’s admin plane is genuinely good — Owner-gated adds, org-wide action controls, managed-mcp.json. These gaps sit behind it, at the MCP server layer Claude connects to:

No connector events in the audit log. Claude Enterprise’s audit logs (documentation dated March 16, 2026) list 35 event types — SSO, sign-ins, projects, membership, exports, conversations. None cover connector or MCP usage. Audit logs are Enterprise-only, 180-day window. When security asks “which records did the agent touch in Salesforce last Tuesday?”, Claude has no answer; that log has to come from the MCP layer.
Nobody audits the servers. Anthropic reviews directory listings but, as quoted above, doesn’t security-audit or manage any MCP server, and its guidance is blunt: “Malicious MCP servers may include hidden instructions”; “Only connect Claude to servers built and hosted by organizations and applications you trust.” For the Research feature it recommends disabling write-capable tools outright. Vetting is your job.
Admin toil scales linearly. Every connector is a manual Owner add, a per-action review, and a per-member authenticate. Twenty systems means twenty of everything.
Claude Code has no registry. Per the managed-mcp docs, Claude Code “doesn’t have a built-in MCP server registry that users can browse and install from” — Anthropic suggests an internal wiki or plugin marketplace.
Action controls are only as good as the tool list. Raw API-wrapper servers hand admins hundreds of ambiguous tools to triage; a curated catalog makes the same controls usable.

What to look for in an MCP gateway for Claude

Criterion	Why it matters for Claude specifically
Remote streamable-HTTP server with OAuth 2.1	Claude’s documented bar — no pasted bearer tokens, PKCE mandatory, legacy SSE being deprecated. Remote HTTP + OAuth is the baseline for a claude.ai connector.
One URL covering many systems	On Team/Enterprise, each connector is a manual Owner add. One gateway URL = one add, one action-control review.
End-user account linking under the org connector	Claude’s per-member authenticate step maps directly onto a gateway that lets each user link their own downstream accounts — least privilege without IT tickets.
Tool-call audit logs	Closes the documented gap: Claude’s audit logs carry no connector events.
Curated, scoped tools + injection defense	Makes Claude’s action controls usable, and covers what Anthropic explicitly doesn’t audit.
Claude Code coverage	The same gateway URL should drop into `claude mcp add` and pin cleanly in managed-mcp.json — one governed endpoint for chat and code.

The best MCP gateways for Claude, compared

Facts below are from each vendor’s public documentation as of June 9, 2026, carried over from our full comparison. We’ve narrowed the hub’s twelve to the six that fit Claude’s connection model: self-hosted infrastructure gateways (Microsoft, Kong, TrueFoundry, Lunar) route to MCP servers you build and operate, which puts the catalog burden back on you before claude.ai ever sees a URL — and Workato shops should read its hub entry, since Enterprise MCP rides the platform you already run. Every option here except Docker exposes the remote MCP endpoint claude.ai’s custom connectors require; how each handles auth (full OAuth flow vs. vendor-managed URLs) varies, so check each vendor’s connection docs against Anthropic’s requirements when shortlisting.

Platform	How Claude consumes it	Account linking	Tool-call audit	Catalog	Pricing
StackOne	Remote MCP URL; also works in Claude Code	End-user OAuth 2.1 (SSO + consent)	Provider-level request logs; exportable	310+ connectors / 20,000+ actions	Free plan (full catalog)
Composio	Remote MCP per toolkit	End-user via Connect Link	Observability; audit detail light	~1,000 toolkits	Free tier; from $29/mo
Zapier MCP	Remote MCP URL	User’s existing Zapier connections	History log, allowlists, approvals	9,000+ apps (automation-shaped)	Included in Zapier plans; 2 tasks per call
Arcade	Remote or self-hosted MCP	End-user OAuth via your IdP	Lifecycle governance	~150 servers in registry	Free tier; from $25/mo
Merge Agent Handler	Remote MCP	Guided end-user flow; SCIM	DLP, guardrails, audit logs	”Thousands of tools”; per-system catalog not published	Free tier; Pro $1,000/mo
Docker MCP Gateway	Local only → Claude Code, not claude.ai connectors	Local credential injection	Logging, container isolation	Docker MCP Catalog	Free (OSS)

1. StackOne

StackOne is the enterprise layer for AI agents to safely act on any application — one governed entry point in front of 310+ managed connectors exposing 20,000+ agent-optimized actions across HRIS, ERP, CRM, and ITSM. Against the Claude criteria: it ships an OAuth 2.1 flow where the end user authorizes the MCP client themselves — exactly the shape of Claude’s per-member authenticate step; one URL covers the whole catalog, so an Enterprise Owner adds one connector instead of twenty; request logs capture every call down to the underlying provider requests, exportable to Datadog or Grafana — the log Claude’s audit trail doesn’t keep; admins scope which actions each project and linked account exposes, so Claude’s action controls operate over a curated list; and StackOne Defender scans tool responses for prompt injection before they reach the agent (89.0% detection accuracy in our published evaluation). Depth is verifiable per system: Salesforce has 380 actions, ServiceNow 77 actions, Workday 128 actions. SOC 2 Type II, GDPR, HIPAA; EU/US data residency. Limitation: the catalog focuses on business systems, not consumer applications — for the consumer-app long tail, Zapier’s catalog is far bigger. When a system isn’t in the catalog, the AI Connector Builder builds or extends a connector on the same engine that powers the pre-built ones, so coverage isn’t capped at what ships out of the box.

Best for: IT-led Claude Team/Enterprise rollouts acting on systems of record, with the same governed URL available to pin for Claude Code.

2. Composio

Composio markets 1,000+ toolkits and 20,000+ tools, with good SDKs, fast setup, published pricing (free tier, from $29/month), and per-user connected accounts where end users authorize via a hosted Connect Link. For an individual Claude or Claude Code user it’s one of the quickest paths to a broad tool set. Whether it’s a gateway is a fair question: what we couldn’t find in its public docs as of June 9, 2026 is the org-level control plane — central policy enforcement and approval workflows — which is the entire question for the Enterprise Owner doing the adding.

Best for: developers wiring tools into their own Claude-powered agents, ahead of organizational governance.

3. Zapier MCP

Zapier MCP brings the largest catalog in this comparison — 9,000+ apps, 30,000+ actions — as a remote MCP endpoint, with your existing Zapier connections appearing automatically. Governance is workable for pilots: allowlists, action approval, a history log. The structural caveats: each MCP tool call consumes two tasks from your plan quota (agents are chatty; the metering was priced for workflows), and actions are automation-shaped — broad rather than deep, fine for “post to Slack,” thinner for “run this filtered Workday report.”

Best for: breadth-first Claude pilots by teams already paying for Zapier, at modest call volumes.

4. Arcade

Arcade is an MCP runtime with unusually broad deployment options — cloud, VPC, on-prem, air-gapped — that integrates your existing IdP so multi-user agents act with user-specific permissions rather than service accounts. Pricing is published (free tier; Growth $25/month plus usage). Its registry lists ~150 MCP servers — an order of magnitude fewer systems than the larger catalogs here.

Best for: teams building multi-user Claude agents with hard infrastructure-control requirements and a contained set of target systems.

5. Merge Agent Handler

Merge’s Agent Handler includes runtime security controls: DLP scanning on tool-call inputs and outputs, guardrails that block or redact sensitive data, audit logs on all plans, SCIM, SOC 2. What’s missing is published depth on the agent side: the catalog is summarized as “thousands of tools”, and while Merge documents per-integration coverage for its Unified API, Agent Handler doesn’t publish an equivalent per-system tool catalog. Pricing is credit-metered (free tier; Pro $1,000/month).

Best for: teams that want DLP-style redaction bundled into a managed tool-call path — verify per-system tool coverage on your systems first.

6. Docker MCP Gateway

Docker’s MCP Gateway (open source, free) runs MCP servers as isolated containers with central credential injection and call tracing — a clean local-first security model. For Claude, the boundary matters: it lives on one machine, so it pairs with Claude Code, not claude.ai’s remote custom connectors, and multi-tenancy isn’t addressed.

Best for: one developer on a laptop who wants isolated, credential-managed local servers behind Claude Code.

How to connect Claude to an MCP gateway (StackOne example)

The same first step applies to any remote MCP gateway: Org settings → Connectors → add the server’s URL as a custom connector. With StackOne:

Admin (Owner), once: grab the MCP URL from your StackOne project dashboard (the free plan covers the full catalog), then in claude.ai, Org settings → Connectors → add it as a custom connector. One add covers the full catalog; set per-action controls (Always allow / Needs approval / Blocked) over StackOne’s curated action list.
Each member: enables the connector and hits Claude’s authenticate step, which hands off to StackOne’s OAuth 2.1 end-user flow — sign in through SSO, approve a co-branded consent screen, and opt in the specific linked accounts — the user’s own connections to downstream systems like Workday or Salesforce — that Claude may use. No tickets, least privilege by default.
Use it: StackOne’s tools appear in Claude’s tool menu; every call lands in request logs down to the provider request.
Claude Code: StackOne’s remote MCP URL is verified working in Claude Code: the same URL connects via claude mcp add (OAuth through /mcp, token in the keychain) — or pinned centrally in managed-mcp.json, giving IT one governed endpoint instead of an unenforceable name allowlist.

When you don’t need a gateway for Claude

One agent, a handful of systems, technical users. Direct MCP connections are simpler and free; Claude’s Free-plan single connector or a project .mcp.json may be all you need.
Everything lives behind Anthropic’s first-party connectors and your compliance bar is met by Enterprise’s SCIM, SSO, and Compliance API (Claude for Government even runs FedRAMP High MCP).
You’re still proving the use case. Connect a single managed MCP server directly, then graduate when user count makes credential sprawl and the audit-log gap real.

The trigger points: the first security review asking for a tool-call log, the first Owner groaning at connector add number twelve, and the first managed-mcp.json policy discussion.

StackOne is the governed layer between AI agents and 310+ enterprise systems with 20,000+ agent-optimized actions — over MCP, A2A, API, and SDKs — with end-user OAuth linking, connectors you can extend, and built-in prompt-injection defense. See the full MCP gateway comparison, StackOne MCP, or connector-level detail for Salesforce, Jira, and Workday. See pricing or book a demo.