The Best MCP Gateways for Lyzr in 2026
Romain Sestier · 10 min
An MCP gateway gives Lyzr agents one authenticated endpoint in front of all your business systems — with the per-end-user credentials, HRIS/ITSM/ERP depth, and durable tool-call audit that Lyzr’s “Add MCP” flow leaves to whatever sits behind the URL. Lyzr’s plane governs the agents: roles, Responsible AI guardrails, per-agent tool selection. The gateway governs what’s behind the URL: the MCP servers, the tools they expose, the credentials they act with, and the record of what they did. Verdict: StackOne for enterprise agents acting on systems of record; Composio for developer breadth; Workato if you already run it; Zapier for fast pilots; Arcade when infrastructure control comes first.
Does Lyzr support MCP?
Yes — Lyzr Agent Studio has been an MCP client since November 13, 2025, when Lyzr announced MCP support in Agent Studio. Here’s how it works, per Lyzr’s MCP documentation as of June 10, 2026:
Connecting a server. Open the Tools page in the sidebar, click Add MCP, enter the MCP Server URL, choose an auth mode, and click Connect. Two auth modes are documented: API Key (“pass an API key in the connection header”) and OAuth (“full OAuth flow managed by Lyzr”). One hard requirement: “the server must be publicly accessible.” Transports aren’t documented — no mention of streamable HTTP, SSE, or stdio appears on the docs page or launch post, though the public-URL requirement points to remote HTTP-based servers only.
Picking tools per agent. In the agent builder you enable Tools, select the connected MCP server, and choose the specific actions the agent may use — the launch post describes the Add Tool panel where “teams can select exactly what an agent is allowed to use,” with a worked Notion example. That per-agent selection is Lyzr’s documented allowlist mechanism.
No MCP marketplace. Lyzr’s App Store is a marketplace of agents, not MCP servers; the launch post points users at “open MCP servers available in the ecosystem” — bring your own URL.
The other direction works too. The lyzr-mcp-tool-call package runs a local stdio MCP server that exposes your Lyzr agents as callable tools in Claude Desktop and Cursor, and Lyzr’s Cognis memory module is available as an MCP server. A2A protocol support is documented separately — Lyzr frames MCP as agent-to-tool and A2A as agent-to-agent, complementary.
Plan context matters. Self-serve plans cap tools — 5 on Community, 10 on Starter, 25 on Pro — with one builder license each; multi-user RBAC arrives on Enterprise. Neither the docs page nor the launch post carries a beta or GA label, so check status in-app before building on it.
What Lyzr’s native controls don’t cover
Lyzr’s governance story is genuinely substantial for the agents themselves — Enterprise roles and permissions, Responsible AI guardrail modules, and a strong compliance posture (SOC 2 Type II, ISO 27001, ISO 42001, HIPAA, and GDPR are listed on security.lyzr.ai, as of June 2026). The gaps sit below the agent layer, in the MCP connections themselves:
- Per-end-user credentials on MCP connections. Lyzr’s tools documentation describes shared (service-account) and per-user credential modes — but for its pre-built tools layer. For MCP servers, the documented options are an API-key header or a Lyzr-managed OAuth flow, with no per-user identity model specified. So the HR agent answering 500 employees acts behind one connection, unless the server behind the URL handles user identity itself.
- No HRIS, ITSM, or ERP in the native catalog. The pre-built catalog — around 30 integrations, powered by Composio per Lyzr’s docs — covers productivity SaaS: Gmail, Slack, Notion, Jira, HubSpot, Zendesk and peers. No Workday, ServiceNow, SAP, or ADP appears, as of June 2026 — yet Lyzr’s target buyers in BFSI, healthcare, and government run exactly those systems of record.
- Audit covers admin actions, not tool calls. The documented Audit Log (Manage → Audit Log, Owner and Admin only, Enterprise governance) records configuration and access events; per-tool-call logging isn’t specified, retention and export aren’t documented, and self-serve plans keep logs for 7 days.
- RBAC doesn’t reach MCP. The roles matrix assigns users, billing, models, and data connectors across Owner/Admin/Member — but never mentions MCP servers or Tools, and the MCP docs describe the Add MCP flow with no role restriction stated. Tool allowlisting happens per agent, at build time, by whoever builds the agent; there’s no documented org-level tool allowlist or tool-call approval workflow.
- Public-URL requirement. MCP servers must be publicly accessible — agents can’t reach a server that only exists inside your network.
None of this is a knock on Lyzr — it’s a clean division of labor. Lyzr governs its agents; the question is who governs the servers, tools, and credentials behind every URL you paste into Add MCP.
What to look for in an MCP gateway for Lyzr
| Criterion | Why it matters for Lyzr specifically |
|---|---|
| One hardened public endpoint covering many systems | Lyzr requires MCP servers to be publicly accessible — the gateway fronts private and internal systems behind a single authenticated URL the Add MCP flow accepts |
| Per-end-user credentials | Lyzr documents per-user auth for pre-built tools but not for MCP connections — the gateway should hold downstream credentials per user so agents act as this employee, not a service account |
| Depth on HRIS, ITSM, ERP | The native catalog is productivity-SaaS-shaped; Lyzr’s enterprise buyers need write-capable actions on Workday, ServiceNow, SAP |
| Compact, curated tool surface | Lyzr’s own guidance is to select “only the actions your agent needs,” and self-serve plans cap tools at 5–25 — the gateway should keep the surface small without losing reach |
| Durable, exportable tool-call audit | Lyzr’s documented Audit Log covers admin actions, Owner/Admin only, with 7-day retention on self-serve plans — the gateway log should record every tool call, independent of plan tier |
| Org-level tool curation | Lyzr’s RBAC matrix doesn’t govern MCP or Tools; admins need one place to decide which tools exist before any agent builder sees them |
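
The per-user credential, org-level curation, and tool-call audit criteria above, as an added Python sketch; this is not StackOne's, Lyzr's, or any vendor's code. The `Gateway` class, tool names, users, and `vault://` references are all hypothetical and constructed for illustration.

```python
import json
import time
from dataclasses import dataclass, field

# Constructed sample policy: the org-level allowlist an admin curates
# before any agent builder sees a tool.
ORG_ALLOWLIST = {"hris.get_employee", "itsm.create_ticket"}

# Constructed sample vault: end user -> system -> credential reference.
# Only references are stored here, never the secret itself.
USER_CREDENTIALS = {
    "alice@example.com": {"hris": "vault://alice/hris", "itsm": "vault://alice/itsm"},
    "bob@example.com": {"itsm": "vault://bob/itsm"},
}

@dataclass
class Gateway:
    audit_log: list = field(default_factory=list)

    def call_tool(self, end_user, agent_id, tool, args):
        system = tool.split(".", 1)[0]
        cred = USER_CREDENTIALS.get(end_user, {}).get(system)
        if tool not in ORG_ALLOWLIST:
            decision = "deny:tool_not_allowlisted"
        elif cred is None:
            # No linked account: deny instead of falling back to a shared
            # service account, so every allowed call maps to one person.
            decision = "deny:no_linked_account"
        else:
            decision = "allow"
        # Every call is recorded, allowed or denied. Argument keys are
        # logged, not values, to keep payload data out of the audit trail.
        self.audit_log.append({
            "ts": time.time(), "end_user": end_user, "agent_id": agent_id,
            "tool": tool, "arg_keys": sorted(args),
            "credential": cred, "decision": decision,
        })
        return decision

    def calls_by_user(self, end_user):
        # Answers the review question "which user did this call run as?"
        return [r for r in self.audit_log if r["end_user"] == end_user]

    def export_jsonl(self):
        # One JSON object per line, ready to ship to an external log store.
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit_log)
```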
The best MCP gateways for Lyzr, compared
Facts below are from each vendor’s public documentation as of June 2026, carried over from our full comparison. All five expose the remote, publicly reachable MCP endpoint Lyzr’s Add MCP flow expects:
| Platform | Account linking | Tool curation | Audit | Catalog | Compliance | Pricing |
|---|---|---|---|---|---|---|
| StackOne | OAuth 2.1 end-user flow — each end user links their own accounts | Admin-scoped profiles; search + execute meta-tools | Request logs to provider level, Datadog/Grafana export | 310+ connectors, 20,000+ actions | SOC 2, HIPAA | Free plan (full catalog) |
| Composio | Hosted Connect Link — each end user authorizes under a per-user user_id | Toolkit-level selection | Observability; audit detail light | ~1,000 toolkits | SOC 2, ISO 27001 | Free tier; from $29/mo |
| Workato Enterprise MCP | Verified User Access — each action inherits the authenticated user’s identity | Governance via single console | RBAC, searchable audit logs | Workato connector library | SOC 2 | Not published |
| Zapier MCP | Workspace Zapier connections — the workspace owner links the accounts agents use | App allowlists, action approval | History log | 9,000+ apps (automation-shaped) | SOC 2 | Included; 2 tasks per call |
| Arcade | OAuth via your existing IdP — each end user authorizes with their own identity | Developer-selected toolkits | Lifecycle governance | ~150 servers in registry | SOC 2 | Free tier; from $25/mo |
1. StackOne
StackOne is the enterprise layer for AI agents to safely act on any application, and it meets the Lyzr criteria like this:
- One public URL for many systems (criterion 1). The server side is a managed remote MCP endpoint — one publicly reachable, authenticated URL that drops into Lyzr’s Add MCP flow and covers 310+ connectors at once.
- Per-user credentials (criterion 2). Each end user links accounts once through an OAuth 2.1 flow with SSO and a consent screen, StackOne holds the downstream credentials per linked account, and tool calls run as that user rather than a service account.
- Verifiable depth per system (criterion 3). Salesforce has 380 actions, Jira 147 actions, Workday 128 actions.
- A tool surface that fits Lyzr’s trim-the-actions guidance (criterion 4). Tools aren’t direct wrappers over API endpoints but curated actions, and at scale agents get two meta-tools, search and execute, so the list an agent carries stays constant at any catalog size (a 460× reduction versus loading every definition).
- Durable audit (criterion 5). Request logs capture every call down to the underlying provider requests, exportable to Datadog or Grafana — a durable record independent of Lyzr’s plan-tier log retention.
- Admin curation (criterion 6). Admins scope which actions each project exposes before any agent builder sees them.
Limitation: the catalog focuses on business systems, not consumer applications — for the consumer-app long tail, Zapier’s catalog is far bigger. When a system isn’t in the catalog, the AI Connector Builder builds or extends a connector on the same engine that powers the pre-built ones.
Best for: Lyzr’s own buyer profile — enterprises whose agents must act on systems of record under per-user identity.
2. Composio
Composio is already inside Lyzr: the pre-built tool catalog is “powered by Composio” per Lyzr’s own docs, so connecting Composio’s hosted MCP servers directly is the natural way to go beyond the ~30 bundled integrations to the full set of 1,000+ toolkits. It’s genuinely developer-loved: good SDKs, fast setup, published pricing (free tier, then from $29/month), and per-user connected accounts where end users authorize via a hosted Connect Link scoped to a user_id — which addresses the per-user gap Lyzr leaves open on MCP connections. What we couldn’t find in its public docs as of June 2026 is the org-level control plane — central policy enforcement and approval workflows — and audit detail is light, so the durable tool-call record stays your problem.
Best for: teams that want to extend the toolkit layer they already use inside Lyzr, before organizational governance becomes the question.
3. Workato Enterprise MCP
Workato’s Enterprise MCP is the incumbent option for Lyzr’s enterprise buyer — regulated industries where IT often already runs Workato. Its distinctive idea is Verified User Access: agent actions inherit the authenticated user’s identity, so role-based access control and audit trails apply automatically — a clean answer to “who did the agent act as?” that maps directly onto Lyzr’s undocumented per-user story for MCP. Governance runs through a single console with searchable audit logs, and the connector library is the mature Workato one. The flip side: this is a feature of the Workato platform, not a standalone product — if you’re not a Workato shop, adopting an enterprise automation platform to get an MCP gateway is a big dependency, and pricing isn’t published.
Best for: existing Workato enterprises that want Lyzr agents acting under identities and policies they’ve already built.
4. Zapier MCP
Zapier MCP is the fastest way to put the largest catalog in this comparison — 9,000+ apps and 30,000+ pre-built actions — behind the single public URL Lyzr’s Add MCP flow expects, riding on auth infrastructure refined over 13+ years. Existing Zapier connections appear automatically, and governance is workable for pilots: app allowlists, action approval, a history log, workspace scoping. Three structural caveats from our full comparison: each MCP tool call consumes two tasks from your plan quota, and agents are chatty; actions are automation-shaped — broad rather than deep, thinner on systems-of-record work; and connections belong to the workspace, not to each end user of your agent.
Best for: breadth-first Lyzr pilots — especially Starter/Pro single-builder workspaces — by teams already paying for Zapier, at modest call volumes.
5. Arcade
Arcade is the sharpest comparison on the per-user auth gap specifically: it integrates with your existing OAuth and IdP flows so multi-user agents act with user-specific permissions rather than service accounts — exactly the identity model Lyzr’s MCP docs leave unspecified. Its deployment flexibility — cloud, your VPC, on-premises, or fully air-gapped — also pairs naturally with Lyzr’s own VPC and on-prem deployment story for regulated buyers. The constraint is reach: its registry lists ~150 MCP servers, fewer systems than the larger catalogs here. Pricing is published (free Hobby tier, Growth at $25/month plus usage).
Best for: teams with hard infrastructure-control requirements and a contained set of target systems, where per-user authorization is the deciding criterion.
How to connect StackOne to Lyzr
- Create a StackOne project and scope which connectors and actions it exposes via connector profiles. This is the admin’s view: one place to decide the tool surface before any agent builder in Lyzr sees it.
- End users link their accounts through StackOne’s OAuth 2.1 flow: SSO sign-in, co-branded consent, and an account picker for the linked accounts the agent may act on. StackOne holds the downstream credentials per linked account.
- In Lyzr Agent Studio, open Tools → Add MCP, paste the StackOne MCP URL, and choose the auth type. Lyzr documents an API-key connection header and a Lyzr-managed OAuth flow (Lyzr MCP docs, June 2026); whether Lyzr’s OAuth connection runs per end user isn’t documented, so verify the credential model in-org before a multi-user rollout.
- In the agent builder, enable Tools and select the StackOne server. The agent builder’s view: a curated, admin-scoped action list in the Add Tool panel — or run tool modes and expose just the search + execute meta-tools, which keeps Lyzr’s “select only the actions your agent needs” guidance trivial to follow at any catalog size.
- Wire audit. StackOne request logs capture the provider-level calls under every agent action, exportable to Datadog or Grafana — durable beyond any Lyzr plan tier’s log retention.
When you don’t need a gateway for Lyzr
- Your agents live in productivity SaaS. If Gmail, Slack, Notion, and Jira cover the use case, Lyzr’s ~30 pre-built integrations — with documented per-user OAuth — already handle it natively.
- One agent, one system, your own credentials. An official public MCP server plus an API key in the Add MCP flow is simpler and free; a gateway adds a hop you don’t need yet.
- You’re still proving the use case. Prototype against a single server on a Community or Starter plan, and graduate to gateway controls when user count makes credential handling and audit real.
The trigger points: the first agent that must act on Workday or ServiceNow, the first security review asking which user a tool call ran as, and the first request for tool-call logs older than seven days.
StackOne is the governed layer between AI agents and 310+ enterprise systems with 20,000+ agent-optimized actions — over MCP, A2A, API, and SDKs — with end-user OAuth linking, connectors you can extend, and built-in prompt-injection defense.