Do I need an MCP gateway for Dust?

Not for governance of Dust itself — Dust's admin plane already handles that: only admins can add remote MCP servers, tools carry High/Medium/Low stake approval levels, access can be restricted per Space, and credentials can be shared or personal. You need an external MCP gateway when Dust agents must act on systems Dust's catalog doesn't reach — Workday, SAP SuccessFactors, ServiceNow, and most of the HRIS/ITSM/ERP tier — or when you want one MCP URL, one credential model, and one per-tool-call audit log instead of configuring every MCP server one by one. A gateway like StackOne connects to Dust as a single remote MCP server and runs under Dust's existing stake rules.

How do I connect Dust to an MCP server?

A workspace admin adds it under Spaces → Tools → Add Tool → Add MCP Server, entering the server's public URL; Dust then syncs the server's tools. Per Dust's documentation (June 2026), Dust connects over Streamable HTTP with an SSE fallback, and offers three auth options: Automatic (MCP-spec OAuth discovery, recommended), Bearer Token, or Static OAuth with a custom client ID and secret. The admin also chooses Shared credentials (one account for the whole workspace) or Personal credentials (each user authenticates individually on first use), and can restrict the tool to specific Spaces. Builders then attach the synced tools to agents in the Agent Builder.

How does Dust control what MCP tools can do?

Through tool stakes. Every tool in Dust carries a stake level: High stake requires explicit user approval on every execution, Medium stake asks once per agent-and-recipient combination, and Low stake lets users disable confirmations. Admins can override stake levels per tool on a remote MCP server, and Dust's guidance is to treat reads as low stake and writes as high. Combined with admin-only server installs and Space-level Restricted Access, this is Dust's native governance for MCP — an external gateway runs underneath it, governing the servers, tools, and credentials behind the MCP URL.

Can Dust users connect their own accounts to MCP tools?

Yes. When an admin sets up a tool or MCP server, Dust offers two credential models: Shared credentials, where the admin's single OAuth connection is used by all workspace users, and Personal credentials, where the admin completes an initial OAuth to validate the setup and then each user authenticates individually the first time they use the tool, managing their connections under Profile → Tools & Triggers. The gateway you connect should support per-user authorization so you can use Personal credentials mode — Bearer Token auth explicitly binds the whole workspace to a single third-party account.

The Best MCP Gateways for Dust in 2026

Q: Does Dust support MCP?

Yes. Remote MCP server support shipped as a Preview in April 2025 and is documented as a standard admin workflow as of June 2026, with no preview label remaining. Admins add servers by URL under Spaces → Tools; Dust tries Streamable HTTP first and falls back to SSE. A separate client-side MCP server feature (registering tools at runtime via the Conversations API) is still explicitly labeled Preview, and the Dust CLI can run a local MCP server that exposes Dust agents to clients like Cursor and Claude.

Q: Does Dust have integrations for Workday, ServiceNow, or SAP?

No, as of June 2026. Dust's integrations page lists around 60 action Tools across 13 categories plus around 10 read-only data Connections. In HR and recruiting the catalog covers Ashby and UKG Ready only — no Workday, SAP SuccessFactors, BambooHR, or Personio; there is no ServiceNow; and in ERP, NetSuite is the only entry — no SAP, Oracle Fusion, or Dynamics. To act on those systems from Dust, an admin connects a remote MCP server that provides the actions, such as an MCP gateway with deep HRIS/ITSM/ERP coverage.

Last updated: June 2026. Dust capabilities below are drawn from Dust’s public documentation, changelog, and source code as of June 10, 2026, with each claim linked. StackOne is one of the products compared; criteria are disclosed so you can check our work. This page describes Dust’s products factually — no partnership between StackOne and Dust is implied.

Dust has a real governance plane for MCP: admins add remote MCP servers under Spaces → Tools, choose shared or personal credentials per server, and every tool runs under High/Medium/Low-stake approval rules. The verdict: keep all of that, and connect StackOne as a remote MCP server when your agents need to act on systems Dust’s ~60-tool catalog doesn’t reach — Workday, SAP SuccessFactors, ServiceNow, the HRIS/ITSM/ERP tier. The gateway doesn’t govern Dust; it governs the servers, tools, and credentials behind the one MCP URL you hand to Dust.

This is a companion to our full MCP gateway comparison — read that for the twelve-vendor landscape; read this for the Dust-specific decision.

Does Dust support MCP?

Yes — more natively than most AI platforms: many of Dust’s own integrations are built as managed MCP servers, so MCP is the grain of the product, not a bolt-on.

Adding a remote MCP server is an admin action. A workspace admin goes to Spaces → Tools → Add Tool → Add MCP Server and enters the server’s public URL; Dust syncs the server’s tools, and Builders attach them to agents in the Agent Builder. Members can’t add servers. (Dust docs: remote MCP server; Tools, accessed June 2026)

Transport: Streamable HTTP first, SSE fallback. Dust’s MCP client (built on the official @modelcontextprotocol/sdk) tries Streamable HTTP and falls back to SSE, using SSE directly when the URL path ends in /sse — verifiable in the open-source codebase (front/lib/actions/mcp_metadata.ts, accessed June 2026). There’s no stdio path for remote servers, so the gateway you connect must be a hosted endpoint.

Three auth options per server. Dust’s docs list Automatic (recommended — Dust discovers the OAuth configuration from the URL and runs an MCP-spec OAuth flow), Bearer Token (an admin-supplied token that, per the docs, “typically links the connection to a single third-party account”), and Static OAuth (the admin creates a custom OAuth app on the third-party service and enters client ID, secret, endpoints, and scopes, with Dust’s callback URLs whitelisted by the server operator).

Shared vs. personal credentials. For each tool, the admin picks one of two credential models: Shared credentials (the admin’s single connection, used by everyone) or Personal credentials (the admin validates the setup once, then each user authenticates individually on first use, managing connections under Profile → Tools & Triggers). Dust has per-user auth — the question for your gateway is whether it can honor it.

Tool stakes are the approval system. Every tool carries a stake level — High (explicit user approval on every execution), Medium (approval once per agent + recipient combination), Low (users can disable confirmations) — and admins can override stake levels per tool on a remote MCP server. Dust’s guidance: reads low, writes high. (Dust docs, accessed June 2026)

Status notes. Remote MCP server support launched as a Preview in April 2025; as of June 2026 the docs describe it as a standard admin workflow with no preview label (Dust hasn’t published an explicit GA announcement we could find). A separate client-side MCP server feature is still explicitly labeled Preview, and the Dust CLI can expose Dust agents over a local MCP server to clients like Cursor and Claude — the inverse direction from this page’s subject.

What Dust’s native controls don’t cover

Dust’s admin plane is genuinely well-designed: admin-only installs, Space-level Restricted Access, per-tool stake overrides, shared-or-personal credentials, SOC 2 Type II with HIPAA-enabling controls and EU/US hosting. None of it needs replacing. Four things sit behind it:

The catalog is thin exactly where systems of record live. Dust’s integrations page lists 60 action Tools across 13 categories, plus around 10 read-only data Connections. The Tools list is strong on collaboration and product SaaS — Slack, Notion, Jira, Linear, HubSpot, Salesforce, Stripe — and Dust ships new MCP integrations at a steady cadence (six on May 28, 2026, Gamma on June 8). But as of June 2026: HR and recruiting coverage is Ashby and UKG Ready only — no Workday, SAP SuccessFactors, BambooHR, or Personio; there is no ServiceNow; and ERP is NetSuite only — no SAP, Oracle Fusion, or Dynamics. The regulated, high-opex workflows enterprises most want agents for run through precisely those systems.

Every server is its own admin project. Each remote MCP server is added one at a time — its own URL, its own auth configuration, and for Static OAuth, its own custom OAuth app and callback whitelisting. Ten systems means ten setups to build and maintain. A gateway collapses that to one URL and one auth flow that fans out to every system behind it.

No documented per-tool-call audit trail for MCP traffic. Dust’s admin-facing Workspace analytics covers messages, conversations, and active users with CSV export — but we found no public documentation of a per-tool-call log of MCP traffic (which tool was called, with what arguments, by whom) as of June 2026. Stake prompts govern execution in the moment; they aren’t a forensic record. A gateway sits in the request path and logs every call — across Dust plus whatever other MCP clients your company points at it.

Tool curation happens downstream. Dust syncs whatever tools a remote server exposes; curation is per-agent at build time, and stake overrides are per-tool configuration. A gateway lets a platform team publish a curated, least-privilege toolset once that every Dust agent consumes identically — and that keeps tool counts inside the range models handle well.

One thing deliberately not on this list: per-user credentials. Dust has them — the gap would be a gateway that can’t support them, which is what to screen for below.

What to look for in an MCP gateway for Dust

Each criterion maps to a verified Dust constraint:

Criterion	Why it matters for Dust specifically
Hosted remote MCP server over Streamable HTTP	Dust connects to remote servers by public URL, Streamable HTTP first with SSE fallback — no stdio path, so local-process gateways are out
Works with Dust’s Automatic OAuth	The recommended auth option is MCP-spec OAuth discovery — a gateway that supports it spares the admin a Static OAuth app and callback whitelisting per server
Per-user authorization	To use Dust’s Personal credentials mode, the gateway must let each end user link their own accounts; Bearer Token mode binds the whole workspace to one account
Systems-of-record depth	Dust’s catalog stops at Ashby/UKG Ready for HR, NetSuite for ERP, and has no ServiceNow — the gateway’s HRIS/ITSM/ERP coverage is the extension
One URL, many systems	Every Dust MCP server is a separate admin setup; a gateway should bundle many systems behind a single URL and auth flow
Curated, stake-friendly tool surface	Admins set stake levels per tool; a scoped, named action list is far easier to classify High/Medium/Low than hundreds of raw API wrappers
Per-tool-call audit	Dust’s Workspace analytics tracks messages and users, not tool calls — the gateway should log every call down to the provider request

The best MCP gateways for Dust, compared

Of the twelve gateways in our full comparison, only managed gateways running as a hosted remote MCP endpoint fit the shape Dust accepts; self-hosted routing gateways like Microsoft’s or Docker’s govern servers you’d still build and run yourself.

Platform	Role for a Dust workspace	Account linking	Systems-of-record depth	Audit & compliance	Pricing
StackOne	Depth layer behind Dust: HRIS/ITSM/ERP actions under Dust’s stake rules	OAuth 2.1 flow — each end user links their own accounts	310+ connectors / 20,000+ agent-optimized actions	Per-call request logs, action scoping, injection defense; SOC 2, HIPAA	Free plan (full catalog)
Composio	Developer toolkit breadth	Hosted Connect Link — each end user authorizes per `user_id`	~1,000 toolkits, developer-SaaS skew	Observability; audit detail light; SOC 2, ISO 27001	Free tier; from $29/mo
Zapier MCP	Long-tail consumer/SaaS breadth	Existing Zapier connections — the account owner links each app in Zapier	9,000+ apps, automation-shaped	History log, allowlists, approvals; SOC 2	Included in Zapier plans; 2 tasks per call
Workato Enterprise MCP	Governed actions for existing Workato shops	Verified User Access — each action inherits the authenticated user’s identity	Workato connector library	RBAC, searchable audit logs; SOC 2	Not published
Arcade	Auth-first runtime with infrastructure control	OAuth via your IdP — each user authorizes as themselves	~150 servers in registry	Lifecycle governance; SOC 2	Free tier; from $25/mo

1. StackOne

StackOne is the enterprise layer for AI agents to safely act on any application — 310+ managed connectors exposing 20,000+ agent-optimized actions across HRIS, ERP, CRM, and ITSM. Depth is verifiable per system: Workday has 128 actions, ServiceNow 77, SAP SuccessFactors 111 — exactly the tier Dust’s catalog doesn’t reach.

Against the Dust criteria: it connects as a managed remote MCP server over Streamable HTTP — the shape Dust’s Add MCP Server flow accepts — with OAuth that works with Dust’s Automatic option; its OAuth 2.1 end-user flow pairs with Dust’s Personal credentials mode, so every action runs as the actual employee rather than one shared token; admins scope which actions each project exposes, so the tool list Dust syncs is curated and stake-classification stays tractable; request logs capture every call down to the underlying provider requests — the per-tool-call trail Dust doesn’t document; and StackOne Defender scans tool responses for prompt injection before they return (89.0% detection accuracy in our published evaluation).

Limitation: the catalog focuses on business systems, not consumer applications — for the consumer-app long tail, Zapier’s catalog is far bigger. When a system isn’t in the catalog, the AI Connector Builder builds or extends a connector on the same engine that powers the pre-built ones, so coverage isn’t capped at what ships out of the box.

Best for: Dust customers whose agents need governed, deep actions on the systems of record Dust’s Tools catalog doesn’t cover.

2. Composio

Composio markets 1,000+ toolkits and 20,000+ tools via MCP or direct APIs, with per-user connected accounts where end users authorize via a hosted Connect Link — compatible in principle with Dust’s Personal credentials mode — and published developer-friendly pricing (free tier, then from $29/month). It’s genuinely developer-loved: good SDKs, fast setup, and the most common “more tools for my agent platform” comparison a Dust buyer will already be researching. The open question is the org-level control plane: as of June 2026 we couldn’t find central policy enforcement and approval workflows in its public docs — Dust’s stakes cover the Dust side, but IT-led reviews will want governance on the gateway side too. Breadth also skews developer-SaaS rather than the ERP/HRIS tier that motivates this page.

Best for: developer-led Dust teams wiring up agent tooling quickly, before organizational governance becomes the question.

3. Zapier MCP

Zapier MCP brings the largest catalog in this comparison — 9,000+ apps and 30,000+ pre-built actions — to any MCP client, Dust included, riding on auth infrastructure refined over 13+ years. For a Pro-tier Dust workspace it’s the lowest-friction way to add long-tail coverage. The caveats from our hub comparison apply with extra force in Dust: each MCP tool call consumes two tasks from your plan quota, and agent loops are chatty — Dust meters its own usage too (100 messages/day per active seat on Pro, as of June 2026), so a task-metered gateway compounds the accounting; actions are automation-shaped — broad rather than deep, fine for “post to Slack,” thinner for “run this filtered Workday report”; and since Dust syncs every tool a server exposes, an automation-shaped catalog means more stake triage for the admin.

Best for: Dust teams adding long-tail app coverage at pilot volumes, especially if already paying for Zapier.

4. Workato Enterprise MCP

Workato’s Enterprise MCP extends the automation platform many enterprise IT teams already run. Its distinctive idea, Verified User Access, has agent actions inherit the authenticated user’s identity, so role-based access control and audit trails apply automatically — a close cousin of Dust’s Personal credentials mode, answered at the platform layer. Governance runs through a single console with searchable audit logs, and the connector library is the mature Workato one. The flip side from our hub comparison: it’s a feature of the Workato platform rather than a standalone product — a big dependency if you’re not already a customer — and pricing isn’t published. For an Enterprise-tier Dust buyer who already owns Workato, it’s a natural fit.

Best for: existing Workato enterprises that want Dust agent actions inheriting identities and policies they’ve already built.

5. Arcade

Arcade calls itself an MCP runtime, and it’s the right comparison on the credential axis: it integrates with your existing OAuth and IdP flows so multi-user agents act with user-specific permissions rather than service accounts — a clean match for Dust’s Personal credentials mode — plus agent lifecycle governance and deployment flexibility (cloud, VPC, on-prem, air-gapped). Pricing is published: free tier, then from $25/month plus usage. The constraint is supply: its registry lists ~150 MCP servers — an order of magnitude fewer systems than the larger catalogs here — so check it covers your target systems first.

Best for: teams building multi-user agents on Dust with hard infrastructure-control requirements and a contained set of target systems.

How do you connect Dust to an MCP server?

The flow below uses StackOne as the worked example; every Dust-side step is Dust’s documented remote MCP server flow and applies to any hosted server.

Get the MCP URL from the gateway first. In StackOne, create a project, connect the systems you want to act on (Workday, ServiceNow, SAP SuccessFactors), and scope the exposed actions with a connector profile — the project’s MCP URL is what you’ll paste into Dust.
As a Dust admin, go to Spaces → Tools → Add Tool → Add MCP Server and enter the URL. Choose the Automatic auth option so Dust discovers the OAuth configuration itself — no Static OAuth app or callback whitelisting to maintain.
Choose Personal credentials so each user authenticates individually, then complete the initial OAuth yourself to validate the setup.
Dust syncs the server’s tools. Because the surface is curated by the connector profile from step 1, you see a scoped, named action list rather than an unfiltered API surface. Set stake levels per tool — reads Low, writes High — and use Restricted Access to limit the tool to the Spaces that need it (HR ops gets Workday actions, IT gets ITSM).
Builders attach the tools to agents; users authorize on first use. The first time an employee’s agent invokes a StackOne tool, they complete StackOne’s OAuth 2.1 end-user flow — sign in through SSO, approve a consent screen, opt in the specific linked accounts — and manage the connection under Profile → Tools & Triggers on the Dust side. From then on, actions run as them, Dust’s stake prompts apply, and StackOne’s request logs record every call.

The admin sees one MCP server entry, a curated tool list with stake settings, and Space-scoped access. The end user sees new tools in their agents, a one-time consent screen, and Dust’s normal approval prompts on high-stake operations.

When you don’t need an MCP gateway for Dust

Your action needs fit Dust’s catalog. If Slack, Notion, Jira, Linear, HubSpot, Salesforce and the rest of Dust’s 60 Tools cover what your agents must do, Dust’s managed integrations are simpler — use them.
You’re connecting one or two vendor servers. Adding a single official MCP server is exactly what Dust’s flow is for; a gateway earns its place when server count and credential sprawl grow.
You’re still proving the use case. Connect a single managed MCP server for the one system that matters, prove value in one Space, then graduate when more systems and users make central audit real.

The trigger point: the first time someone asks a Dust agent to change something in Workday, ServiceNow, or SAP — and the platform that can reason over everything can’t touch the system that matters.

StackOne is the governed layer between AI agents and 310+ enterprise systems with 20,000+ agent-optimized actions — over MCP, A2A, API, and SDKs — with end-user OAuth linking, connectors you can extend, and built-in prompt-injection defense. See pricing or book a demo.