What is the best MCP gateway for n8n?

For n8n agents acting on business systems of record (HRIS, CRM, ITSM, ERP), StackOne — one remote MCP URL with OAuth 2.1 end-user auth, per-user identity, and request logs down to the provider call, on a free plan. Zapier MCP fits consumer-app breadth (9,000+ apps, two tasks per call). Composio and Pipedream fit developers embedding integrations into their own products. n8n's native MCP nodes alone are enough for one builder connecting a handful of servers.

Do I need an MCP gateway for n8n?

Not to get started — n8n has shipped native MCP nodes since version 1.88.0 (April 2025), and any builder can paste an MCP server URL into the MCP Client Tool node. You need a gateway when the rollout grows: n8n has no documented control restricting which MCP server URLs builders connect to, credentials are shared per project rather than per user, and while n8n's execution traces log each agent tool call per run, nothing records the provider-side requests behind an MCP server or gives one queryable trail across workflows — audit-event log streaming is Enterprise-only. A gateway gives IT one governed, logged URL to standardize on.

How do I connect n8n to an MCP server?

Add the MCP Client Tool sub-node to an AI Agent node, paste the server's endpoint URL, and pick a credential — n8n supports none, bearer, custom headers, and (since 1.119.0, November 2025) OAuth2. The node discovers the server's tools, and 'Tools to Include' lets you expose all, selected, or all-except. Since 1.122.0 a standalone MCP Client node also calls MCP servers from any workflow step, without an agent.

Can admins restrict which MCP servers n8n builders connect to?

There is no documented allowlist. As of n8n's documentation in June 2026, no setting restricts which MCP server URLs a builder with edit rights can enter into an MCP Client Tool node. Self-hosted admins can disable the MCP nodes entirely via the NODES_EXCLUDE environment variable, but that's all-or-nothing. The practical alternative is to standardize on one governed gateway URL and make that the policy.

How many MCP tools should an n8n agent have?

Fewer than you think — n8n doesn't document a hard cap, but its own production guidance treats 15 tools as too many if the agent only uses 3, recommending focused agents with fewer tools each: fewer tool descriptions mean lower per-request token costs and better tool-selection accuracy. A gateway with curated actions — or search-and-execute meta-tools — keeps the agent's tool list small without hand-maintaining 'Tools to Include' across every workflow.

Is n8n an MCP server or an MCP client?

Both. The MCP Client Tool node lets n8n's AI Agent call external MCP servers, and the MCP Server Trigger exposes an n8n workflow as an MCP server other agents can call. Since 1.121.0 there's also an instance-level MCP server (launched as beta) that exposes selected workflows behind one connection secured with OAuth2 or an access token — though n8n's docs state you can't restrict specific workflows to specific clients.

The Best MCP Gateways for n8n in 2026

Last updated: June 2026. n8n capabilities below are drawn from n8n’s public documentation as of June 9, 2026 (current release n8n@2.26.0); gateway capabilities from each vendor’s documentation. StackOne is one of the products compared — we’ve disclosed our criteria so you can check our work.

An MCP gateway gives n8n one governed connection to many business systems instead of one pasted server URL per workflow. It supplies the two things n8n’s own admin plane doesn’t: a control point over which MCP servers agents reach (n8n has no documented allowlist for MCP endpoints), and provider-level audit — n8n’s execution traces log each tool call inside a workflow run, but not what the MCP server did downstream, nor in one queryable place across fifty workflows. n8n governs the workflows — projects, RBAC, log streaming. The gateway governs what’s behind the MCP Client Tool node. Verdict: StackOne for teams whose n8n agents act on business systems of record; Zapier for consumer-app breadth; Pipedream or Composio for developers embedding integrations into their own products.

This is the n8n-specific companion to our MCP gateway comparison — read that for the full twelve-vendor field.

Does n8n support MCP as a client and a server?

Both — which makes n8n unusual in this series. It’s an MCP client and an MCP server, and connectivity has been native since version 1.88.0, released April 10, 2025.

n8n as an MCP client

The n8n MCP client surface is the MCP Client Tool, a sub-node that attaches to the AI Agent node: paste an MCP server’s endpoint URL, pick a credential, and the agent discovers and calls the server’s tools. Authentication options are none, bearer token, a generic header, multiple headers, and — since 1.119.0 (November 3, 2025) — OAuth2, which is what most modern remote MCP servers expect.

One transport footnote: the docs page lists SSE, but streamable HTTP support shipped in the node around 1.104 (July 2025) per the GitHub pull request — the documentation lags the node UI here, so check the dropdown rather than the docs. STDIO (local) servers aren’t supported natively; the community n8n-nodes-mcp node covers stdio transport plus MCP resources and prompts.

Two controls matter for tool hygiene. The MCP Client Tool’s Tools to Include setting exposes All, Selected, or All Except — a per-node filter over what the agent sees. And since 1.122.0 (November 24, 2025), a standalone MCP Client node calls MCP servers from any workflow step, no agent required.

n8n as an MCP server

n8n MCP server support runs two layers deep. The MCP Server Trigger exposes an n8n workflow as an MCP server external agents can call. Self-hosters, note the ops fine print: in queue mode, all /mcp* traffic must route to a single webhook replica — with multiple replicas, “SSE and streamable HTTP connections will frequently break or fail to reliably deliver events” — and nginx proxy buffering must be off.

There’s also an instance-level MCP server, introduced as beta in 1.121.0 (November 18, 2025): one connection — secured with OAuth2 or an access token — exposing the workflows you enable, with workflow create and edit tools from v2.13 onward. The launch release notes were candid about a scoping limit the current docs still carry: “All platforms connected to your instance MCP will have access to each of the workflows you have enabled. At this time, you cannot limit access of individual workflows to particular platforms.”

All of this is available across plans, including the free self-hosted Community Edition; paid cloud plans are execution-based (Starter €20, Pro €50, Business €667 — per month, billed annually; Enterprise custom).

So connectivity is solved. The question an IT lead asks looking across fifty MCP Client Tool nodes in the company’s workflows is different: which servers are those, whose credentials are they using, and where’s the log?

What n8n’s native controls don’t cover

n8n’s admin plane is real — projects start at Starter; Pro adds admin roles and more projects; Business adds SSO/SAML/LDAP, environments, and Git version control; Enterprise adds log streaming, external secrets, and 365-day insights retention. These gaps sit behind it, at the MCP layer:

No MCP endpoint allowlist. As of June 2026 we could find no documented control restricting which MCP server URLs builders wire into MCP Client Tool nodes — any builder with edit rights can point a workflow at any reachable URL. Self-hosted admins can disable nodes wholesale via the NODES_EXCLUDE environment variable, but that removes MCP entirely rather than scoping it. There’s no middle setting between “any server” and “no servers.”
Credentials are shared, not per-user. n8n credentials live per-node in the credential store and are shared via projects — an MCP credential created once is typically reused across the project, so every agent acts as the same downstream identity. There’s no MCP-specific credential governance.
Audit stops at the workflow boundary. To be fair to n8n: its execution view logs each run node by node — including the agent’s MCP tool calls with their inputs and outputs — which is genuine per-workflow debugging visibility. What security doesn’t get is the layer below and the view across: the provider-side requests an MCP server made downstream (in which system, with what data), and a single queryable trail spanning every workflow and project. Log streaming is Enterprise-only and streams n8n platform audit events (workflow runs, user actions) to syslog, webhook, or Sentry — the provider-level record has to come from the MCP layer itself.
No MCP-specific security guidance. n8n’s production best-practices guide (January 2026) covers prompt injection well — input validation, strict system prompts, output filtering, the Guardrails node — but as of June 2026 there is no MCP-specific security guide, and nothing in the agent’s MCP tool path scans the responses MCP servers return before they reach the agent.
Tool sprawl is on the builder. n8n’s own production AI playbook says it plainly: “If an agent has 15 tools but only uses 3 for most requests, consider breaking it into focused agents with fewer tools each. Fewer tool descriptions means lower per-request token costs and often better tool selection accuracy.” The Tools to Include filter implements that — per node, per workflow, by hand, fifty times.

What to look for in an MCP gateway for n8n

Criterion	Why it matters for n8n specifically
Remote streamable-HTTP/SSE server with OAuth2	What the MCP Client Tool actually speaks — OAuth2 supported since 1.119.0.
Curated tool surface	Matches n8n’s own 15→3 guidance (gap #5 above) — admin-scoped lists or search-and-execute meta-tools beat hand-maintaining Tools to Include across fifty workflows.
One governed URL to standardize on	With no native allowlist (gap #1 above), a single gateway URL is the policy point IT can actually enforce — and communicate.
Per-user credentials	n8n credentials are per-node and shared by project; end-user account linking gives each builder and user their own downstream identity.
Provider-level, cross-workflow audit	Execution traces cover tool calls per run; the provider-side requests and a single trail across workflows need the MCP layer (log streaming is Enterprise-only and covers platform events).
Injection scanning on tool responses	n8n’s January 2026 production guide covers input-side injection (Guardrails node); nothing covers what MCP servers send back — scanning responses at the source closes that gap.

The best MCP gateways for n8n, compared

Facts below are from each vendor’s public documentation as of June 9, 2026, carried over from our full comparison. The baseline row is n8n’s native nodes alone — connectivity without a gateway.

Platform	How n8n consumes it	Account linking	Tool-call audit	Catalog	Pricing
n8n native nodes (baseline)	MCP Client Tool / MCP Client, any URL	Shared credentials per node/project	Execution traces per run; Enterprise log streaming (platform events)	Whatever URLs builders find	Included; Community Edition free
StackOne	One remote MCP URL + OAuth2 credential	End-user self-serve (OAuth 2.1)	Request logs to provider level; Datadog/Grafana export	310+ connectors / 20,000+ agent-optimized actions	Free plan (full catalog)
Zapier MCP	Remote MCP URL	User’s existing Zapier connections	History log, allowlists, approvals	9,000+ apps (automation-shaped)	Included; 2 tasks per call
Composio	Remote MCP per toolkit	End-user via Connect Link	Observability; audit detail light	~1,000 toolkits	Free tier; from $29/mo
Pipedream Connect MCP	Remote (or self-hosted) MCP	End users via managed auth, per `external_user_id`	Logging; governance not detailed	3,000+ APIs	Usage-based; free tier

1. StackOne

StackOne is the enterprise layer for AI agents to safely act on any application — one governed entry point in front of 310+ managed connectors exposing 20,000+ agent-optimized actions across HRIS, ERP, CRM, and ITSM. Against the n8n criteria:

End-user auth, per-user identity. A remote MCP server with an OAuth 2.1 flow where the end user authorizes the MCP client themselves — the auth model n8n’s OAuth2 credential option (1.119.0+) is built for — so each builder and user gets their own downstream identity instead of one shared project credential.
One governed URL to standardize on. A single endpoint covers the whole catalog — the policy point an IT team can hand n8n builders in place of the per-workflow URL sprawl gap #1 describes.
Curated tools that stay small. StackOne’s tools are curated, context-optimized actions rather than raw API wrappers, and agents can use two meta-tools, search and execute — n8n’s 15→3 guidance, implemented at the gateway instead of per workflow.
Audit and response scanning. Admins scope which actions each project and linked account exposes; request logs capture every call down to the underlying provider requests (exportable to Datadog or Grafana) — the log n8n’s workflow events don’t keep; and StackOne Defender scans tool responses for prompt injection before they reach the agent (89.0% detection accuracy in our published evaluation).

Depth is verifiable per system: Salesforce has 380 actions, Jira 147 actions, Workday 128 actions.

Limitation: the catalog focuses on business systems, not consumer applications — for the consumer-app long tail, Zapier’s catalog is far bigger. When a system isn’t in the catalog, the AI Connector Builder builds or extends a connector on the same engine that powers the pre-built ones, so coverage isn’t capped at what ships out of the box.

Best for: ops and automation teams whose n8n agents act on business systems of record, under one URL IT can govern.

2. Zapier MCP

Zapier MCP includes the largest catalog in this comparison — 9,000+ apps and 30,000+ pre-built actions — as a remote MCP endpoint, covering the consumer-app long tail the other catalogs don’t (full profile in the main comparison). The n8n-specific caveat is metering: each MCP tool call consumes two tasks from your plan quota, and an n8n AI Agent in a loop is chatty — the task model was priced for workflows, not tool-calling loops. Actions are also automation-shaped, broad rather than deep: fine for “post to Slack,” thinner for “run this filtered Workday report.”

Best for: breadth-first n8n pilots by teams already paying for Zapier, at modest call volumes.

3. Composio

Composio markets 1,000+ toolkits and 20,000+ tools via MCP or direct APIs, with published pricing (free tier, from $29/month) and per-user connected accounts where end users authorize via a hosted Connect Link — see the full profile in the main comparison. The n8n-specific question is org-level governance: as of June 9, 2026 we couldn’t find central policy enforcement or approval workflows in its public docs — the entire question for the IT lead trying to govern fifty workflows.

Best for: developers wiring tools into agent products they’re building on n8n, before organizational governance becomes the question.

4. Pipedream Connect MCP

Pipedream’s MCP is built for developers embedding integrations into their own AI products: end users connect accounts through Pipedream’s managed auth, isolated per external_user_id, across 3,000+ APIs, remote-hosted or self-hosted (full profile in the main comparison). For n8n it fits the product-builder pattern — an agent whose end customers link their own accounts — rather than the internal-IT pattern: governance beyond logging isn’t detailed in the docs.

Best for: developers embedding user-authorized integrations into a product they orchestrate with n8n.

How to connect StackOne to n8n

Admin, once: create a StackOne project, enable the connectors your team needs, and copy the MCP server URL — the MCP quickstart shows where it lives.
Builder, in the workflow: add the MCP Client Tool sub-node to your AI Agent node — or the standalone MCP Client node if you’re calling tools outside an agent — paste the StackOne MCP URL, and create an OAuth2 credential (supported since n8n 1.119.0).
Authenticate: configure the OAuth2 credential against StackOne’s OAuth 2.1 end-user flow — sign in through SSO, approve a co-branded consent screen, and opt in the specific linked accounts the workflow may use. Each user gets their own downstream identity; no shared service credential.
Pick the tool surface: n8n discovers StackOne’s curated actions — or the two search-and-execute meta-tools — and Tools to Include narrows what this agent sees. Most of the curation has already happened at the gateway.
Govern: admins scope which actions each project and linked account exposes via connector profiles, and every call lands in request logs down to the provider request — one URL to communicate as policy, one log when security asks.

When you don’t need a gateway for n8n

One builder, a handful of systems, technical users. Direct MCP Client Tool connections are simpler and free — the native n8n MCP nodes plus the community n8n-nodes-mcp node cover a lot of ground.
Your agents only touch systems n8n already integrates natively. n8n’s own node catalog with scoped credentials may be enough until agents need systems — or depth — beyond it.
You’re still proving the use case. Connect a single managed MCP server directly, prove value, then graduate when workflow count makes URL sprawl and the audit gap real.

The trigger points: the first security review asking which MCP servers production workflows call, the first shared credential nobody can attribute an action to, and the first time someone counts the MCP Client Tool nodes across the instance and stops counting at fifty.

StackOne is the governed layer between AI agents and 310+ enterprise systems with 20,000+ agent-optimized actions — over MCP, A2A, API, and SDKs — with end-user OAuth linking, connectors you can extend, and built-in prompt-injection defense. See the full MCP gateway comparison, StackOne MCP, or connector-level detail for Salesforce, Jira, and Workday. See pricing or book a demo.