
Romain Sestier · 9 min
Diagram of Retool Agents connecting to enterprise systems through an MCP gateway: the Retool logo and the Model Context Protocol logo joined by a dashed line through a green gateway node

The Best MCP Gateways for Retool in 2026

Last updated: June 2026. Retool capabilities below are drawn from Retool’s public documentation as of June 10, 2026; gateway capabilities from each vendor’s documentation. StackOne is one of the products compared — we’ve disclosed our criteria so you can check our work.

An MCP gateway gives Retool Agents one governed connection to many business systems instead of one MCP resource per server. It supplies what Retool’s admin plane — permission groups, the Settings > AI toggles, the Monitor view — doesn’t reach: per-end-user credentials behind the agent’s tools (a Retool MCP resource is authenticated once at setup and tools inherit the agent’s permissions), and a provider-level audit trail (Retool’s audit logs don’t document agent tool calls). Retool governs the agents; the gateway governs the MCP servers, tools, and credentials behind the Server URL. Verdict: StackOne for agents acting on business systems of record; Zapier for consumer-app breadth; Composio for developers building agent products.

This is the Retool-specific companion to our MCP gateway comparison — read that for the full twelve-vendor field.

Does Retool support MCP?

Yes, in both directions — but the two surfaces do very different jobs, and only one of them matters for adding SaaS tools to your agents.

Retool Agents as an MCP client

Retool Agents — still labeled public beta in Retool’s docs FAQ as of June 2026, on Retool Cloud and Self-hosted Retool — is included on every pricing tier, with roughly 20 free agent hours per month (about $50 of free agents usage, metered per model beyond that).

The MCP client surface is the Connect to MCP Server tool type. Per Retool’s docs as of June 2026: open an agent’s Configuration tab → Add new tool → Connect to MCP Server, then pick an existing server from the Select MCP Server dropdown or Add new resource with a name and server URL. The server is created as a Retool resource, reusable across agents.

The fine print that shapes your gateway choice, all from the same docs page:

  • Transports: Streamable HTTP and SSE, remote only. “Local stdio-based MCP servers are not directly supported and must be exposed via an HTTP gateway.”
  • Auth: OAuth 2.0 (Authorization Code with PKCE by default, plus Client Credentials), Basic auth, and Bearer tokens — OAuth 2.0 for MCP tools shipped September 9, 2025.
  • Tool discovery: Retool fetches the server’s dynamic tool list whenever it connects (5-second listing timeout). Picking a subset of a connected server’s tools isn’t documented — Retool’s 2025 MCP guide describes selecting “all the tools available as part of your MCP server.”
  • Hard caps, per the tools documentation: 20 MCP servers per agent, a 2-minute tool-execution timeout, and a 1 MB tool-output cap — with guidance that “LLMs typically perform best with 1-10 tools.”

Who can wire this up: agent permissions run Use / Edit / Own, and editing an agent’s configuration requires Edit on the MCP resource — builder/admin work, after an org admin enables the Settings > AI toggles. End users with Use access invoke whatever the builder wired in: “Tools are not independently permissioned, they are implicitly permissioned based on the agent that contains the tools.”

Retool as an MCP server — not what it sounds like

The separate Retool MCP Server (https://<your-instance>/mcp, public beta announced March 21, 2026, cloud customers only as of the May 2026 blog post) is an admin and management surface: build and edit apps, write queries against resources, investigate audit logs, and manage users from clients like Claude, Cursor, and ChatGPT. What it does not do is expose your workflows or queries as MCP tools for external agents — that capability is an open feature request Retool staff have confirmed is on the AI roadmap, per the company-run community forum as of June 2026. So for Retool buyers today, the MCP story runs one way: external servers in, through Connect to MCP Server.

What Retool’s native controls don’t cover

Retool’s governance plane is real — folder-level agent permissions, org-wide AI toggles, Spaces for tenant isolation on Enterprise, and a Monitor view that streams live tool calls per run. These gaps sit behind it, at the MCP layer:

  1. Credentials belong to the resource, not the user. The builder runs Authenticate MCP Server once at resource creation, and every agent reusing that resource acts as that same downstream identity. Per-user OAuth exists for Retool’s app resources, but per-end-user auth for agent MCP tool calls isn’t documented as of June 2026 — so every end user with Use access acts through the shared credential.
  2. Audit logs don’t cover agent tool calls. Retool’s audit logs record user actions — query runs, password resets — with Business/Enterprise download and Enterprise-only Datadog/Splunk streaming. As of June 2026 the audit-log docs make no mention of agents or MCP traffic; agent telemetry lives in the separate Monitor view — live observability per run, not a queryable compliance trail of what agents did in which downstream systems.
  3. No documented tool curation within a server. Retool ingests a connected server’s full dynamic tool list, recommends 1–10 tools per agent, and caps 20 servers per agent — so one uncurated server can blow the guidance on its own, and the trimming has to happen at the source.
  4. The catalog is query-shaped, not action-shaped. Retool’s integrations page organizes resources into database, API, CRM, messaging, and similar categories — you write SQL or API queries against them. There are no HRIS, ITSM, or ERP categories on the page as of June 2026; reaching Workday- or ServiceNow-class systems means hand-building REST queries or workflows per tool.
  5. Remote-only transport. Internal or stdio MCP servers need an HTTP gateway in front of them before Retool can connect at all.
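
What closing gaps 1 to 3 looks like at the MCP layer, as an added example (not Retool's, StackOne's or any vendor's code): a policy object that trims an upstream `tools/list` result to an allowlist, requires a linked account per end user before a `tools/call` goes through, and writes one audit record per decision. `GatewayPolicy`, the tool names, users and credential ids are hypothetical; only the JSON-RPC method names and message shapes come from the MCP specification.

```python
import time

MAX_TOOLS = 10  # page: Retool guidance that LLMs perform best with 1-10 tools


class GatewayPolicy:
    """Hypothetical policy layer between the MCP client and upstream servers."""

    def __init__(self, allowed_tools, linked_accounts):
        if len(allowed_tools) > MAX_TOOLS:
            raise ValueError("allowlist exceeds the 1-10 tools guidance")
        self.allowed = set(allowed_tools)
        self.linked = linked_accounts   # end user -> that user's own credential id
        self.audit_log = []             # append-only, one record per decision

    def filter_tools_list(self, response):
        """Return a tools/list response trimmed to the allowlist."""
        tools = [t for t in response["result"]["tools"] if t["name"] in self.allowed]
        return {**response, "result": {**response["result"], "tools": tools}}

    def authorize_call(self, request, end_user):
        """Decide one tools/call request and write an audit record for it."""
        params = request.get("params", {})
        tool = params.get("name")
        if request.get("method") != "tools/call":
            decision, reason = "deny", "not a tools/call request"
        elif tool not in self.allowed:
            decision, reason = "deny", "tool not in allowlist"
        elif end_user not in self.linked:
            decision, reason = "deny", "no linked account for user"
        else:
            decision, reason = "allow", "ok"
        self.audit_log.append({
            "ts": time.time(), "user": end_user, "tool": tool,
            "decision": decision, "reason": reason,
            # Argument names only, so secrets or PII in values stay out of the trail.
            "arg_keys": sorted(params.get("arguments", {})),
        })
        # The caller's own credential is released only on an allow decision.
        return (True, self.linked[end_user]) if decision == "allow" else (False, None)


# Constructed sample data: tool names, users and credential ids are invented.
UPSTREAM = {"jsonrpc": "2.0", "id": 1, "result": {"tools": [
    {"name": n, "inputSchema": {"type": "object"}}
    for n in ("hris_list_employees", "hris_terminate_employee", "itsm_create_ticket")]}}


def demo():
    policy = GatewayPolicy({"hris_list_employees", "itsm_create_ticket"},
                           {"alice@example.com": "cred-alice"})
    names = [t["name"] for t in policy.filter_tools_list(UPSTREAM)["result"]["tools"]]
    call = {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
            "params": {"name": "hris_terminate_employee", "arguments": {"employee_id": "E-1"}}}
    blocked = policy.authorize_call(call, "alice@example.com")
    call["params"]["name"] = "itsm_create_ticket"
    allowed = policy.authorize_call(call, "alice@example.com")
    unlinked = policy.authorize_call(call, "bob@example.com")
    return names, blocked, allowed, unlinked, policy.audit_log
```

Because the decision is recorded with the end user's identity rather than the shared resource credential, the audit trail can attribute each downstream action to a person.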

What to look for in an MCP gateway for Retool

| Criterion | Why it matters for Retool specifically |
| --- | --- |
| Remote Streamable HTTP/SSE server with OAuth 2.0 | What Connect to MCP Server actually speaks — OAuth supported since September 2025, no stdio. |
| Curated tool surface | Retool fetches a server’s full tool list with no documented per-tool subsetting, against 1–10-tools guidance — curation has to happen behind the URL. |
| Many systems behind one URL | The 20-servers-per-agent cap makes one gateway URL covering many systems worth more than twenty point connections. |
| Per-user credentials | MCP resources are builder-authenticated and shared; end-user account linking gives each user their own downstream identity instead of the agent’s. |
| Provider-level, cross-agent audit | Audit logs don’t document agent tool calls; the Monitor view is per-run telemetry, not a compliance trail. |
| Depth in HRIS/ITSM/ERP | Retool’s catalog has no HRIS/ITSM/ERP categories — the systems-of-record gap a gateway’s pre-built actions fill. |

The best MCP gateways for Retool, compared

Facts below are from each vendor’s public documentation as of June 2026, carried over from our full comparison. The baseline row is Retool’s native tooling alone — connectivity without a gateway.

| Platform | How Retool consumes it | Account linking | Tool-call audit | Catalog | Pricing |
| --- | --- | --- | --- | --- | --- |
| Retool native (baseline) | Connect to MCP Server tool, any remote URL | Resource credential; the builder links once and agents share it | Monitor view per run; audit logs don’t cover agent tool calls | Query-shaped resources + 40+ core tools | Included; ~20 free agent hours/mo |
| StackOne | One remote MCP URL + OAuth 2.0 credential | OAuth 2.1 self-serve; each end user links their own accounts | Request logs to provider level; Datadog/Grafana export; SOC 2, HIPAA | 310+ connectors / 20,000+ agent-optimized actions | Free plan (full catalog) |
| Composio | Remote MCP URL per toolkit | Hosted Connect Link; each end user links their own accounts | Observability; audit detail light; SOC 2, ISO 27001 | ~1,000 toolkits | Free tier; from $29/mo |
| Zapier MCP | Remote MCP URL | Existing Zapier connections; the Zapier account owner links | History log, allowlists, approvals; SOC 2 | 9,000+ apps (automation-shaped) | Included; 2 tasks per call |
| Merge Agent Handler | Remote managed tool-call path | Guided linking flow; each end user links, with SCIM provisioning | DLP scanning, guardrails, audit logs; SOC 2 | “Thousands of tools” | Free tier; Pro $1,000/mo |
| Workato Enterprise MCP | Remote MCP via the Workato platform | Verified User Access; the authenticated platform user’s identity is inherited | RBAC, searchable audit logs; SOC 2 | Workato connector library | Not published |

1. StackOne

StackOne is the enterprise layer for AI agents to safely act on any application — one governed entry point in front of 310+ managed connectors exposing 20,000+ agent-optimized actions across HRIS, ITSM, CRM, and ERP. Against the Retool criteria:

Depth is verifiable per system — exactly where Retool’s catalog is thinnest: Workday has 128 actions, ServiceNow 77 actions, SAP SuccessFactors 111 actions.

Limitation: the catalog focuses on business systems, not consumer applications — for the consumer-app long tail, Zapier’s catalog is far bigger. When a system isn’t in the catalog, the AI Connector Builder builds or extends a connector on the same engine that powers the pre-built ones, so coverage isn’t capped at what ships out of the box.

Best for: ops and engineering teams whose Retool agents act on business systems of record, under one URL and one audit trail.

2. Composio

Composio markets 1,000+ toolkits and 20,000+ tools via MCP or direct APIs, with published pricing (free tier, from $29/month) and per-user connected accounts where end users authorize via a hosted Connect Link — see the full profile in the main comparison. For Retool it’s the natural developer-first alternative: remote MCP endpoints per toolkit that paste straight into Connect to MCP Server. The Retool-specific watch-out is the same one its public docs leave open as of June 2026 — org-level policy enforcement and approval workflows — which is the whole question once agents with Use access are acting for a workforce.

Best for: developers wiring tools into agent prototypes on Retool, before organizational governance becomes the question.

3. Zapier MCP

Zapier MCP includes the largest catalog in this comparison — 9,000+ apps and 30,000+ pre-built actions — behind a remote MCP endpoint, covering the consumer-app long tail the other catalogs don’t (full profile in the main comparison). For Retool’s Team-tier buyers it’s the lowest-friction breadth play. Two caveats: each MCP tool call consumes two tasks from your plan quota, and a Retool agent loops — the task model was priced for workflows, not tool-calling agents. And actions are automation-shaped, broad rather than deep: fine for “post to Slack,” thinner for “run this filtered Workday report.”

Best for: breadth-first Retool pilots by teams already paying for Zapier, at modest call volumes.

4. Merge Agent Handler

Merge’s Agent Handler includes runtime security controls: DLP scanning on tool-call inputs and outputs, guardrails that block, redact, or mask sensitive data, audit logs on all plans, and SCIM provisioning (full profile in the main comparison). The catalog is summarized as “thousands of tools”, and while Merge documents per-integration coverage for its Unified API product, the Agent Handler docs don’t publish an equivalent per-system tool catalog — you discover tools through the dashboard or at runtime, which matters when Retool gives you no per-tool subsetting after connection. Pricing is credit-metered: free tier, Pro $1,000/month for 25,000 credits.

Best for: teams that want DLP-style redaction bundled into a managed tool-call path — verify per-system tool coverage on your systems first.

5. Workato Enterprise MCP

Workato’s Enterprise MCP extends the automation platform Fortune 500 IT already runs, and its Verified User Access model — agent actions inherit the authenticated user’s identity, with RBAC and audit applying automatically — answers the shared-credential gap from inside an existing Workato estate (full profile in the main comparison). The dependency is the flip side: this is a feature of the Workato platform, not a standalone product, and pricing isn’t published — adopting an enterprise automation platform to get an MCP endpoint for Retool is a big lift if you’re not already a Workato shop.

Best for: existing Workato enterprises whose Retool agents should inherit identities and policies they’ve already built.

How to connect StackOne to Retool

  1. Admin, once: create a StackOne project, enable the connectors your team needs, and copy the MCP server URL — the MCP quickstart shows where it lives. In Retool, an org admin enables agents under Settings > AI if they haven’t already.
  2. Builder, in the agent: open the agent’s Configuration tab → Add new tool → Connect to MCP Server → Add new resource. Enter a name and the StackOne MCP URL, choose OAuth 2.0, and select Create resource. The resource is reusable across agents from the Select MCP Server dropdown.
  3. Authenticate: follow the Authenticate MCP Server prompt into StackOne’s OAuth 2.1 end-user flow — sign in through SSO, approve a co-branded consent screen, and opt in the specific linked accounts the agent may use. Each user gets their own downstream identity; no shared service credential.
  4. Approve the tools: Retool discovers StackOne’s curated actions — or the two search-and-execute meta-tools — and prompts you to approve them. The curation happened at the gateway, so the agent stays inside Retool’s 1–10-tools guidance without burning server slots.
  5. Govern: admins scope which actions each project and linked account exposes via connector profiles, and every call lands in request logs down to the provider request — the trail Retool’s audit logs don’t keep.

When you don’t need a gateway for Retool

  • One builder, a handful of servers, technical users. Direct Connect to MCP Server connections are simple and included on every tier — well inside the 20-server cap.
  • Your agents only touch data Retool already reaches. If the work lives in your databases and APIs-as-resources, Retool’s query tools and workflows with scoped resource credentials may be enough.
  • You’re still proving the use case. Connect a single managed MCP server directly, prove value in the ~20 free agent hours, then graduate when agent count makes credential sharing and the audit gap real.

The trigger points: the first security review asking what an agent did in a downstream system and finding the Monitor view but no audit log entry, the first shared MCP resource credential nobody can attribute an action to, and the first agent that needs Workday or ServiceNow and finds neither on Retool’s integrations page.


StackOne is the governed layer between AI agents and 310+ enterprise systems with 20,000+ agent-optimized actions — over MCP, A2A, API, and SDKs — with end-user OAuth linking, connectors you can extend, and built-in prompt-injection defense. See the full MCP gateway comparison, StackOne MCP, or connector-level detail for Workday, ServiceNow, and SAP SuccessFactors. See pricing or book a demo.


Frequently Asked Questions

What is the best MCP gateway for Retool?
For Retool Agents acting on business systems of record (HRIS, ITSM, CRM, ERP), StackOne — one remote MCP URL with OAuth 2.0 that Retool's Connect to MCP Server tool speaks natively, per-user account linking, curated actions that fit Retool's 1-10-tools guidance, and request logs down to the provider call, on a free plan. Zapier MCP fits consumer-app breadth, Composio fits developers building agent products, Merge Agent Handler fits teams wanting DLP-style redaction, and Workato fits existing Workato shops.
Do I need an MCP gateway for Retool?
Not to get started — any builder with Edit rights on resources can paste a server URL into Retool's Connect to MCP Server tool. You need a gateway when the rollout grows: Retool MCP resources are authenticated once by the builder and shared by every agent that uses them, end users inherit whatever tools the agent has with no per-user credentials documented for agent tool calls, Retool's audit logs don't document agent tool calls (agent telemetry lives in the separate Monitor view), and each agent is capped at 20 MCP servers. A gateway gives you per-user credentials, one governed URL, and a provider-level audit trail.
How do I connect Retool to an MCP server?
In an agent, open the Configuration tab, select Add new tool, then Connect to MCP Server. Pick an existing server from the Select MCP Server dropdown or choose Add new resource, enter a name and the server URL, configure authentication (OAuth 2.0, Basic, or Bearer), and select Create resource. Authenticate the MCP server if prompted, then approve the tools. Retool supports remote Streamable HTTP and SSE servers only — local stdio servers must be exposed via an HTTP gateway.
How many MCP servers can a Retool agent use?
Twenty MCP servers per agent is the documented maximum, with a 2-minute tool-execution timeout and a 1 MB cap on tool output. Retool's own guidance is tighter than the cap: its docs note that LLMs typically perform best with 1-10 tools, and Retool fetches every tool a connected server exposes — per-tool subsetting of an MCP connection isn't documented. A gateway that serves a curated, scoped toolset behind one URL keeps agents inside both the cap and the guidance.
Can Retool expose workflows as MCP tools?
Not as of June 2026. The Retool MCP Server (public beta since March 2026, cloud only) is an admin and management surface — building apps, querying resources, investigating audit logs, managing users from clients like Claude and Cursor. It does not publish your workflows or queries as MCP tools for external agents; Retool staff have confirmed on the community forum that this capability is a tracked feature request on the AI roadmap. Today, the workaround is wrapping workflow webhooks behind an external MCP server.
Does Retool log agent MCP tool calls in its audit logs?
Retool's audit-log documentation covers user actions such as query runs and password resets, with download on Business and Enterprise cloud plans and Datadog/Splunk streaming on Enterprise — but as of June 2026 it makes no mention of agent runs, agent tool calls, or MCP traffic. Agent telemetry, including live tool-call streams, lives in the separate Monitor view. For a compliance-grade record of what an agent did in downstream systems, the provider-level log has to come from the MCP layer itself.
