The Best MCP Gateways for Gemini Enterprise in 2026
Romain Sestier · 10 min
An MCP gateway gives Gemini Enterprise (formerly Google Agentspace) one governed entry point to the third-party systems its agents act on — one registration, one credential model, one audit trail — under Google’s own admin plane, not instead of it. Gemini Enterprise reaches external tools three ways: 50+ native connectors, custom MCP server data stores (Public Preview), and A2A agent registration (also Public Preview — Google’s documented path for external agents). The verdict: StackOne documents both Google paths — A2A registration and MCP data stores — through one engine, so one registration can serve whichever path your rollout lands on; we couldn’t find documented A2A support from the other gateways in this comparison as of June 9, 2026. Native connectors are fine for read-mostly search; Composio suits developer-led builds; Zapier suits breadth-first pilots.
Does Gemini Enterprise support MCP?
Yes — custom MCP servers are supported in Public Preview since April 28, 2026, with real constraints, covered below.
Now the naming, because it decides which docs apply to you. Gemini Enterprise is the employee-facing platform formerly called Google Agentspace — renamed October 9, 2025, with Agentspace closed to new subscriptions after December 31, 2025 — combining permissions-aware enterprise search, an assistant, an agent platform and an Agent Gallery, in Standard/Plus/Frontline editions plus a Business tier (Google’s docs, accessed June 2026). It’s distinct from the Gemini Enterprise Agent Platform, the developer platform formerly known as the Vertex AI agent stack, launched April 22, 2026 (Google Cloud blog) — a separate doc set. This page covers the employee-facing platform. (The Gemini CLI and consumer Gemini app have their own, separate MCP support — see the FAQ.)
Gemini Enterprise has three documented routes to external tools and agents:
1. Native connectors. 50+ prebuilt third-party connectors — the Microsoft suite, Salesforce, ServiceNow, Jira, Slack, Zendesk, GitHub and more — primarily for permissions-aware search, with actions expanding in waves: Box, Confluence Cloud, Dropbox, Jira Cloud, OneDrive, Outlook and SharePoint actions on January 23, 2026; Gmail, Drive, GitHub, HubSpot and Monday — the latter three in Preview — on March 31, 2026 (release notes). The catch: actions on third-party connectors require a separate connector and a separate three-legged OAuth 2.0 (3LO) app per system, with action-specific scopes and Google’s redirect URI (https://vertexaisearch.cloud.google.com/oauth-redirect) — see Google’s per-connector configuration docs, e.g. Jira Cloud; Google’s own connectors (Gmail, Drive, Calendar, Chat) can share one OAuth client.
2. Custom MCP server data stores — Public Preview. Since April 28, 2026, an admin with the Discovery Engine Editor role can register a custom MCP server as a data store (setup docs, accessed June 2026). Preview constraints, stated plainly in Google’s docs: StreamableHTTP transport only (no SSE), no Private Service Connect, no VPC Service Controls, and authentication via OAuth against your identity provider — client ID, client secret, authorization URL, token URL, and scopes.
3. A2A agent registration — Google’s documented path for externally hosted agents, also Public Preview (since April 21, 2026, per the release notes). An admin holding the Gemini Enterprise Admin IAM role registers a “Custom agent via A2A” by pasting the agent’s agent card JSON in the console (or via the agents.create API); the agent appears in the Agent Gallery under marketplace visibility controls (register and manage an A2A agent, accessed June 2026). Gemini Enterprise supports the A2A v0.3 streaming mechanism; agents built on A2A v1.0+ need SDK compatibility packages. A2A is no longer a Google-only bet — donated to the Linux Foundation on June 23, 2025, with more than 100 companies behind it at launch (Linux Foundation announcement).
Also: Google ships Google-managed MCP servers for its own services — Maps, BigQuery, GKE and more (December 10, 2025). Google covers Google well; the gap is third-party business systems.
What Gemini Enterprise’s native controls don’t cover
Gemini Enterprise’s admin plane is strong at what it governs: only the Gemini Enterprise Admin role registers and manages agents, marketplace visibility is controlled, and permissions-aware search enforces source-system ACLs (access control docs, June 2026). A gateway doesn’t replace any of that — it governs the MCP servers, tools, credentials and data behind it. Four gaps matter:
- Both external paths are Preview — and the constraints fall unevenly. The MCP path: no VPC Service Controls, no Private Service Connect, StreamableHTTP only (per Google, accessed June 2026). Teams that require VPC-SC perimeters can’t put custom MCP servers inside one yet. A2A registration is also Public Preview, but it isn’t subject to those transport and network constraints — which is why it’s the lower-friction route for external systems today, not because it’s GA (it isn’t).
- Per-connector OAuth-app overhead for actions. Every third-party connector with actions needs its own 3LO OAuth app with action-specific scopes (see Google’s per-connector configuration docs, e.g. Jira Cloud). Ten third-party systems means ten app registrations to create, scope, rotate and review — against quotas of 100 data stores per project by default (max 500, each connector entity counts) and 150 engines, i.e. apps (quotas, accessed June 2026).
- Model Armor’s console integration doesn’t reach third-party agents — and doesn’t document covering intermediate steps. Google’s integration documentation (accessed June 2026) describes routing user inputs and assistant outputs through Model Armor, and Google’s A2A registration docs state that the console settings don’t automatically protect A2A agents — developers must configure Model Armor via the REST API in the agent’s own code (ADK and Marketplace agents carry the same caveat on their registration pages). Screening of intermediate steps and tool responses isn’t documented for the console integration. (The separate Agent Platform’s gateway does sanitize MCP tool-call responses — but that’s the developer platform, not this product.) Tool responses are exactly where injection rides in from compromised third-party data.
- Action depth and cross-system audit. The actions catalog is expanding but thin on writes in HRIS, ERP and ITSM — and once an agent acts across ten SaaS systems, each logs its own slice. A single trail of every tool call, across systems, is the gateway’s job.
What should you look for in an MCP gateway for Gemini Enterprise?
| Criterion | Why it matters for Gemini Enterprise specifically |
|---|---|
| Speaks A2A and MCP | Google gives you two paths, both Public Preview: A2A registration (the one-registration path for external agents) and MCP data stores. A layer that speaks both wins whichever path matures — StackOne’s A2A implementation supports the v0.3 streaming mechanism Google requires. |
| StreamableHTTP + IdP-style OAuth | The MCP Preview only accepts StreamableHTTP with OAuth (client ID/secret, auth URL, token URL, scopes). SSE or bare API-key endpoints can’t register. |
| One registration, many systems | The alternative is a separate connector and 3LO OAuth app per third-party system, against a 100-data-store default quota. |
| Depth where Google’s actions are thin | Google covers Google; action coverage is growing in collaboration tools. HRIS/ERP/ITSM writes are where the catalog runs out. |
| Response-side injection screening | Model Armor’s console settings don’t auto-cover A2A/Marketplace agents, and screening of intermediate tool responses isn’t documented. Screening tool responses closes that gap. |
| Cross-system audit trail | One log of every tool call, every system, every user — under Google’s plane, not instead of it. |
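The "StreamableHTTP + IdP-style OAuth" criterion and the Preview constraints listed earlier can be turned into a pre-registration check. The sketch below is an added example, not code from Google or from any gateway vendor; the `Candidate` structure, its transport and auth labels, and the sample endpoints are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Preview constraints for custom MCP server data stores, as listed on this page.
REQUIRED_OAUTH_FIELDS = ("client_id", "client_secret", "authorization_url",
                         "token_url", "scopes")

@dataclass
class Candidate:
    """Hypothetical description of an MCP endpoint you plan to register."""
    name: str
    transport: str                 # this example's labels: "streamable_http" | "sse"
    auth: str                      # "oauth" | "api_key_header" | "secret_url"
    oauth: dict = field(default_factory=dict)
    needs_vpc_sc: bool = False     # must the server sit inside a VPC-SC perimeter?
    needs_psc: bool = False        # must traffic use Private Service Connect?

def preview_blockers(c: Candidate) -> list[str]:
    """Return every reason the candidate cannot register under the Preview."""
    issues = []
    if c.transport != "streamable_http":
        issues.append(f"transport '{c.transport}' unsupported: StreamableHTTP only")
    if c.auth != "oauth":
        issues.append(f"auth '{c.auth}' does not map to the OAuth fields")
    else:
        # Every OAuth field the page lists must be present and non-empty.
        issues += [f"missing OAuth field: {k}"
                   for k in REQUIRED_OAUTH_FIELDS if not c.oauth.get(k)]
    if c.needs_vpc_sc:
        issues.append("VPC Service Controls required but not supported")
    if c.needs_psc:
        issues.append("Private Service Connect required but not supported")
    return issues

# Constructed sample inputs (placeholder names and URLs, not real endpoints).
FULL_OAUTH = {"client_id": "example-client", "client_secret": "<from-secret-manager>",
              "authorization_url": "https://idp.example.com/authorize",
              "token_url": "https://idp.example.com/token", "scopes": ["tools.read"]}
SAMPLES = [
    Candidate("oauth-gateway", "streamable_http", "oauth", FULL_OAUTH),
    Candidate("api-key-gateway", "streamable_http", "api_key_header"),
    Candidate("secret-url-gateway", "streamable_http", "secret_url"),
    Candidate("legacy-sse", "sse", "oauth",
              {**FULL_OAUTH, "token_url": ""}, needs_vpc_sc=True),
]

if __name__ == "__main__":
    for c in SAMPLES:
        problems = preview_blockers(c)
        print(c.name, "OK" if not problems else problems)
```

An empty list means the candidate matches the documented Preview shape; it does not replace confirming the field-level fit in your own tenant.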
The best MCP gateways for Gemini Enterprise, compared
Comparison set: the managed-catalog gateways from our full comparison that fit Gemini Enterprise’s connection paths, plus Google’s native connectors as the baseline.
| Platform | Path into Gemini Enterprise | Account linking | Governance | Catalog | Pricing |
|---|---|---|---|---|---|
| StackOne | A2A agent card (one registration) or MCP data store (StreamableHTTP + OAuth) | End-user self-serve (OAuth 2.1) | Audit logs, tool scoping, permissions checks, injection defense on tool responses | 310+ connectors / 20,000+ agent-optimized actions | Free plan (full catalog) |
| Composio | MCP data store (docs describe API-key header auth; Google’s wizard expects OAuth fields) | End-user via Connect Link | Observability; audit detail light | ~1,000 toolkits | Free tier; from $29/mo |
| Zapier MCP | MCP data store (documents StreamableHTTP; endpoint auth is a secret server URL, not OAuth fields) | User’s existing Zapier connections | History log, allowlists, approvals | 9,000+ apps (automation-shaped) | Included; 2 tasks per call |
| Arcade | MCP data store (documents StreamableHTTP + OAuth via your OIDC IdP) | End-user OAuth via your IdP | IdP-backed user auth, per-gateway tool selection | ~150 servers in registry | Free tier; from $25/mo |
| Gemini Enterprise native connectors | Built in | Per-connector 3LO OAuth app, action-specific scopes | Admin-role gating, marketplace visibility, ACL-aware search | 50+ connectors; actions expanding | Included in edition |
1. StackOne
StackOne is the enterprise layer for AI agents to safely act on any application — 310+ managed connectors exposing 20,000+ agent-optimized actions across HRIS, ERP, CRM, ITSM and the long tail, with depth verifiable per system on every connector page (Workday, Salesforce, Jira).
For Gemini Enterprise, the differentiator is the dual path: StackOne routes direct API, SDKs, MCP, and A2A through the same engine — same connectors, same permissions, same audit trail whichever surface calls it. You can register StackOne once via the A2A agent card — Google’s documented path for external agents, also Preview but free of the MCP preview’s transport and network constraints — and we couldn’t find documented A2A support from any other gateway in our comparison as of June 9, 2026. StackOne’s A2A implementation supports the v0.3 streaming mechanism Gemini Enterprise requires. End users link their own accounts through an OAuth 2.1 self-serve flow: 500 users means 500 isolated credential sets, no ticket queue. On the Model Armor gap: StackOne Defender scans tool responses for prompt injection before they reach the agent (89.0% detection accuracy in our published evaluation) — a layer Google’s console integration doesn’t document covering. Request logs capture every call down to provider requests; admins scope which actions each project exposes. SOC 2 Type II, GDPR, HIPAA.
Limitation: the catalog focuses on business systems, not consumer applications — for the consumer-app long tail, Zapier’s catalog is far bigger. When a system isn’t in the catalog, the AI Connector Builder builds or extends a connector on the same engine that powers the pre-built ones, so coverage isn’t capped at what ships out of the box.
Best for: IT-led Gemini Enterprise rollouts where agents must act on systems of record — one registration covering either Google path, with end-user credentials and a cross-system audit trail.
2. Composio
Composio brings ~1,000 toolkits and 20,000+ tools with genuinely good SDKs, fast setup, published pricing (free tier, from $29/month) and per-user connected accounts via a hosted Connect Link. For a developer team standing up a custom MCP server data store, it’s quick. The open question for an IT-led rollout is the same one from our hub comparison: as of June 9, 2026 we couldn’t find an org-level control plane — central policy enforcement, approval workflows — in its public docs, and it doesn’t document A2A, so you’re committed to the Preview MCP path. One concrete check: Composio’s docs describe authenticating MCP endpoints with an x-api-key header, while Google’s Preview wizard expects OAuth fields (client ID/secret, auth URL, token URL) — confirm the auth fit before committing.
Best for: developer-led builds where the team owns the MCP data-store setup and SDK speed matters more than org-level governance.
3. Zapier MCP
Zapier MCP brings the largest catalog in this comparison — 9,000+ apps, 30,000+ actions — riding on 13+ years of auth infrastructure, with allowlists, approvals and a history log. For a Gemini Enterprise pilot touching long-tail consumer SaaS, that catalog covers the long tail out of the box. Caveats: each tool call consumes two tasks from a quota priced for workflows, not chatty agent loops; actions are automation-shaped — broad rather than deep — and you’d register it via the Preview MCP data-store path. Zapier documents StreamableHTTP transport, but its endpoint authenticates via a secret server URL rather than the OAuth client ID/secret, auth URL and token URL Google’s wizard asks for — confirm the auth fit before committing.
Best for: breadth-first pilots touching long-tail consumer SaaS, at modest call volumes.
4. Arcade
Arcade stands out on infrastructure control — cloud, VPC, on-prem, air-gapped — and on IdP-integrated end-user OAuth, so agents act with user-specific permissions rather than service accounts. Its docs state its gateways serve StreamableHTTP transport with OAuth through your OIDC identity provider — the shape Google’s Preview wizard asks for; confirm the field-level fit in your tenant. Its registry lists ~150 MCP servers, an order of magnitude fewer systems than the larger catalogs, and pricing is published (free tier, Growth from $25/month). A fit when your agents target a contained set of systems and security wants the runtime in your perimeter — noting Google’s Preview doesn’t yet support Private Service Connect, so fully private end-to-end connectivity isn’t available on the MCP path regardless of vendor.
Best for: contained system sets where security wants the runtime in your perimeter — with the Preview’s Private Service Connect gap in mind.
Gemini Enterprise native connectors
The baseline: 50+ Google-managed connectors, permissions-aware search that inherits source ACLs, no extra vendor, no extra bill. If your agents mostly search and summarize across Microsoft 365, Salesforce, Jira and Slack, start here. The limits arrive with actions: a separate connector plus a separate 3LO OAuth app with action-specific scopes per third-party system (per Google’s per-connector configuration docs, accessed June 2026), action coverage that’s expanding wave by wave but thin on HRIS/ERP/ITSM writes, and a 100-data-store default quota that connector entities count against.
Best for: read-mostly search and summarization across the systems Google already covers — start here, and add a gateway when actions outgrow the catalog.
How do you connect StackOne to Gemini Enterprise?
Connecting any MCP server or external agent follows the same two Google paths; here are the steps with StackOne as the example. The practical difference between them: A2A registers the gateway as an agent in the Agent Gallery that users invoke, while an MCP data store exposes tools inline to the assistant. Both paths are Public Preview — but only the MCP path carries the transport and network constraints (StreamableHTTP only, no VPC-SC, no PSC), which is why A2A is the recommended starting point.
Path A — register StackOne via A2A (recommended; Google’s documented path for external agents, also Preview):
- In your StackOne project, configure the connectors and action scoping to expose — the MCP quickstart covers project setup, and MCP on StackOne the surface itself — and get your project’s agent card JSON. StackOne runs A2A through the same engine as MCP and supports the v0.3 streaming mechanism Google requires.
- A Gemini Enterprise Admin chooses Custom agent via A2A in the console and pastes the agent card JSON (or calls the agents.create API) — Google’s steps.
- The agent appears in the Agent Gallery under your marketplace visibility controls. One registration covers every StackOne connector — no per-system OAuth apps.
- End users link their own accounts through StackOne’s OAuth 2.1 end-user flow: SSO sign-in, consent screen, opt in specific linked accounts. The admin sees one governed agent and the audit trail; the user sees a sign-in and consent screen on first use.
Path B — add StackOne as a custom MCP server data store (Preview):
- An admin with the Discovery Engine Editor role adds a custom MCP server data store with StackOne’s StreamableHTTP MCP endpoint and OAuth details — both come from your StackOne project (MCP quickstart) — per Google’s setup docs.
- Attach the data store to your app; tools become available to the assistant.
- This path inherits the Preview constraints above (no VPC-SC, no PSC, StreamableHTTP only), and Preview features can change.
When you don’t need an MCP gateway for Gemini Enterprise
- Your agents only search and summarize. Permissions-aware search over the native connectors is exactly what Gemini Enterprise is built for — no gateway needed to read.
- Everything you act on is Google. Google-managed MCP servers cover Maps, BigQuery and GKE; if agents stay inside Google’s estate, Google’s own plumbing may be enough.
- You’re still proving the use case. Wire up one native action connector or a single managed MCP server, prove value, and graduate to a gateway when the per-connector OAuth apps and credential sprawl get real.
The trigger points: the first security review that asks what screens tool responses, the first quarter you’re maintaining five 3LO OAuth apps, and the first “what did the agent actually do in Workday?” question.
StackOne is the governed layer between AI agents and 310+ enterprise systems with 20,000+ agent-optimized actions — over MCP, A2A, API, and SDKs — with end-user OAuth linking, connectors you can extend, and built-in prompt-injection defense. See the full MCP gateway comparison, explore MCP on StackOne, or start with a connector: Workday, Salesforce, ServiceNow. See pricing or book a demo.