The Best MCP Gateways in 2026, Compared
Romain Sestier · 11 min
What is an MCP gateway?
An MCP gateway is an infrastructure layer that sits between AI agents and one or more Model Context Protocol servers, providing a single governed entry point — one place to authenticate, route, restrict, and audit every tool call an agent makes. If MCP servers are how agents reach individual systems, the gateway is how an organization stays in control when there are fifty of them and a thousand users.
This guide compares twelve options across the dimensions that decide enterprise deployments — who links the accounts, how tenants are isolated, what gets audited, and what it costs — so you can pick the best MCP gateway for how your organization deploys AI.
Most AI deployments stop at chat
Enterprises have rolled out Copilot, Claude, Gemini Enterprise, Glean. Employees ask questions, draft documents, summarize meetings. Then someone asks the obvious next question — can it update the record in Salesforce? File the ticket in ServiceNow? Pull the report from Workday? — and the rollout hits a wall built from three problems:
- Connectors don’t exist or don’t go deep enough. The application landscape is fragmented — ERP, CRM, ITSM, HRIS — and most systems’ official MCP servers cover a fraction of what teams need (we’ve documented the gaps in our Notion MCP deep dive).
- Governance blocks what connectors would allow. Security teams won’t sign off on agents acting on systems of record without scoped permissions, PII controls, and an audit trail.
- Users can’t self-serve. If every account connection requires IT to provision credentials, adoption dies in the ticket queue.
How we compared
We evaluated each option on capability facts from public documentation, linked per entry — not on marketing adjectives, and not on performance. Measured reliability, speed, and cost per task deserve their own methodology; we’re publishing that benchmark separately. The dimensions:
- Auth model — OAuth support, token auth, headless operation
- Account linking — does a developer configure credentials, or can end users connect their own accounts?
- Multi-tenancy — are users’ credentials and data isolated, and how?
- Tool curation — can admins restrict which tools which agents see, and is the catalog built for agents or copied from APIs?
- Governance — audit logs, policy enforcement, permissions
- Catalog — does the gateway include managed connectors, or do you bring your own servers?
- Deployment — managed cloud, self-hosted, or open source
- Pricing — published, or “contact sales”
We’ve kept every claim checkable against the linked sources, and we’ve put real limitations in our own entry — judge the criteria, not the author.
MCP gateway vs. proxy, router, hub, and aggregator
The category is young and the vocabulary is muddy. Quick definitions:
- MCP gateway — the full governed entry point: auth, routing, policy, audit. The subject of this post.
- MCP proxy — a narrower pass-through that forwards MCP traffic, usually adding transport translation or logging, without policy or identity features.
- MCP router — the traffic-direction component inside a gateway: which call goes to which server.
- MCP hub / MCP aggregator — combines many MCP servers behind one endpoint so an agent sees a single tool list. Gateways include this; not every aggregator adds governance.
- Agent gateway — an umbrella term some vendors use for the same layer; when the protocol it governs is MCP, an agent gateway is an MCP gateway.
- MCP registry — a catalog of available servers (like the official MCP registry, a community-driven project under the modelcontextprotocol org) — a directory, not a runtime.
An MCP gateway is also not an AI gateway or LLM gateway (Kong AI Gateway, Portkey): those manage traffic to model providers; an MCP gateway manages what agents do in your systems.
MCP gateway comparison table (June 2026)
Two groups, because two different architectures compete for the enterprise MCP gateway decision:
- Managed gateways with connector catalogs — the gateway and the MCP servers behind it, operated for you: StackOne, Workato, Zapier, Merge, Arcade, Composio, Pipedream.
- Self-hosted infrastructure gateways — routing, security, and lifecycle for MCP servers you build and operate: Microsoft, Docker, Kong, TrueFoundry, Lunar.
| Platform | Deployment | Account linking | Multi-tenant | Audit/governance | Catalog | Pricing |
|---|---|---|---|---|---|---|
| StackOne | Managed cloud or self-hosted (Enterprise) | End-user OAuth 2.1 | Org/project model | Audit logs, action scoping, injection defense; SOC 2, HIPAA | 310+ connectors, 20,000+ actions (extensible) | Free plan (full catalog) |
| Workato Enterprise MCP | Managed cloud | Inherits user identity (VUA) | Not detailed publicly | RBAC, searchable audit logs; SOC 2 | Workato connector library | Not published |
| Zapier MCP | Managed cloud | Reuses user’s Zapier connections | Workspace controls | History log, allowlists, approvals; SOC 2 | 9,000+ apps (automation-shaped) | Included; 2 tasks per call |
| Merge Agent Handler | Managed cloud (on-prem on Enterprise) | Guided end-user flow; SCIM | Tool Packs scoping | DLP, guardrails, audit logs; SOC 2 | “Thousands of tools” | Free tier; Pro $1,000/mo |
| Arcade | Cloud, VPC, on-prem, air-gapped | End-user OAuth via your IdP | User-specific permissions | Lifecycle governance; SOC 2 | ~150 servers in registry | Free tier; from $25/mo |
| Composio | Managed cloud (VPC on Enterprise) | End-user OAuth (Connect Link) | Per-user user_id | Observability; audit detail light; SOC 2, ISO 27001 | ~1,000 toolkits | Free tier; from $29/mo |
| Pipedream Connect MCP | Managed or self-hosted | End-user managed auth | Per external_user_id | Logging; governance not detailed; SOC 2, HIPAA | 3,000+ APIs | Usage-based; free tier |
| Microsoft MCP Gateway | Self-hosted (K8s), MIT | You operate the servers | Session routing, Entra ID roles | Telemetry hooks; portal | Bring your own | Free (OSS) |
| Docker MCP Gateway | Self-hosted containers, OSS | Central credential injection (local) | Not addressed | Logging, container isolation | Docker MCP Catalog | Free (OSS) |
| Kong AI Gateway (Enterprise MCP) | Self-hosted / Konnect | You operate the servers | Via Kong auth (OAuth 2.1) | Kong observability stack; SOC 2 (Konnect) | Auto-generated from your APIs | Enterprise; not published |
| TrueFoundry | VPC, on-prem, air-gapped | Federated identity (Okta, Azure AD) | RBAC per server | Tracing, audit logs; SOC 2, HIPAA | Bring your own | Trial; not published |
| Lunar.dev MCPX | OSS + enterprise self-hosted | Token, OAuth, or SSO | Role-based profiles | Audit trail, DLP, approvals; SOC 2 | Bring your own | OSS free; enterprise not published |
Sources: vendor documentation, product pages, and trust/security pages linked in each entry below. Compliance reflects what each vendor publishes for its hosted product; for self-hosted open-source gateways, compliance posture is your deployment’s.
Managed gateways with connector catalogs
StackOne
StackOne is the enterprise layer for AI agents to safely act on any application — one governed entry point in front of 310+ managed connectors exposing 20,000+ agent-optimized actions across the systems of record: HRIS, ERP, CRM, ITSM, and the long tail behind them. Depth is the point, and it’s verifiable per system: Salesforce has 380 actions, Jira 147 actions, Workday 128 actions — and every connector page publishes its full action list.
Four things separate it from the rest of this list:
- A catalog built for agents, extensible without owning the maintenance. StackOne’s tools aren’t direct wrappers over API endpoints: they’re curated, context-optimized actions designed for how agents reason. When the catalog doesn’t cover something, the StackOne Agent builds or extends connectors on the same engine that powers the pre-built ones, and connector versioning pins each profile to a semver version so provider API changes never break agents mid-quarter. Scale doesn’t degrade it either: agents get two meta-tools, search and execute, instead of thousands of definitions in their context window, so context stays constant whether an integration has ten actions or ten thousand (a 460× reduction versus loading every definition).
- One governed surface — more than MCP. Custom agents use SDKs, applications hit APIs, and agent-to-agent workflows are emerging. StackOne routes direct API, TypeScript/Python SDKs, MCP, and A2A through the same engine: same connectors, same permissions, same audit trail, whichever surface the agent calls from.
- End-user account linking. Most gateways assume a developer with a config file or an admin pre-provisioning credentials. StackOne ships an OAuth 2.1 flow where the end user authorizes an MCP client themselves: paste the MCP URL into the client, sign in through SSO, approve a co-branded consent screen, and opt in the specific linked accounts the client may use. Least-privilege by default, no ticket per user.
- Governance and security for IT sign-off. Admins scope which actions each project and linked account exposes; for compliance, you can go deeper and define a custom version of an action that never returns non-compliant fields — an employee-record lookup with SSN and salary excluded — since custom connectors take precedence over built-in ones. The Permissions Check API answers “can this user access this resource?” across connected systems before an agent acts — a pre-action, cross-system permission lookup we haven’t seen an equivalent of in the other vendors’ public docs (if we’ve missed one, tell us and we’ll update). Request logs capture every call down to the underlying provider requests, exportable to Datadog or Grafana. And StackOne Defender scans tool responses for prompt injection before they reach the agent (89.0% detection accuracy in our published evaluation, across three public benchmark datasets). SOC 2 Type II, GDPR, HIPAA; EU/US data residency.
Limitations: the catalog focuses on business systems, not consumer applications — for the consumer-app long tail, Zapier’s catalog is far bigger. When a system isn’t in the catalog, the AI Connector Builder builds or extends a connector on the same engine that powers the pre-built ones, so coverage isn’t capped at what ships out of the box.
Best for: enterprises deploying agents — bought copilots or internally built — that need governed, deep, low-maintenance actions on systems of record.
Workato Enterprise MCP
Workato’s Enterprise MCP extends the automation platform Fortune 500 IT already runs. Its distinctive idea is Verified User Access: agent actions inherit the authenticated user’s identity, so role-based access control and audit trails apply automatically — a clean answer to “who did the agent act as?” Governance runs through a single console, and the connector library is the mature Workato one.
The flip side: this is a feature of the Workato platform, not a standalone product. If you’re not a Workato shop, adopting an enterprise automation platform to get an MCP gateway is a big dependency, and pricing isn’t published.
Best for: existing Workato enterprises that want agent actions inheriting identities and policies they’ve already built.
Zapier MCP
Zapier MCP brings the largest catalog in this comparison — 9,000+ apps and 30,000+ pre-built actions — to any MCP client, riding on auth infrastructure refined over 13+ years. Your existing Zapier connections appear automatically; setup is no-terminal. Governance is workable for pilots: app allowlists, action approval, a history log, account-level restrictions with workspace scoping.
Three structural caveats. Cost: each MCP tool call consumes two tasks from your plan quota — agents are chatty, and a task-metered model was priced for workflows, not tool-calling loops. Depth: actions are built for automation triggers, broad rather than deep — fine for “post to Slack,” thinner for “run this filtered Workday report.” And customization is per-action, not per-connector: you can build custom actions one API call at a time with Zapier’s copilot, but you can’t reshape how an app’s whole action set is curated, or have that curation maintained for you.
Best for: breadth-first pilots by teams already paying for Zapier, at modest call volumes.
Merge Agent Handler
Merge’s Agent Handler includes runtime security controls: DLP scanning on tool-call inputs and outputs, guardrails that block, redact, or mask sensitive data, audit logs on all plans, SCIM provisioning, SOC 2. What’s missing is published depth on the agent side: the catalog is summarized as “thousands of tools”, and while Merge documents per-integration coverage for its Unified API, the Agent Handler docs don’t publish an equivalent per-system tool catalog — you discover tools through the dashboard or at runtime. The agent offering is also newer than the brand, and pricing is credit-metered (free tier; Pro $1,000/month for 25,000 credits; Enterprise custom, including on-prem).
Best for: teams that want DLP-style redaction bundled into a managed tool-call path — verify per-system tool coverage on your specific systems before committing.
Arcade
Arcade calls itself an MCP runtime, and its deployment flexibility stands out: cloud, your VPC, on-premises, or fully air-gapped. It integrates with your existing OAuth and IdP flows so multi-user agents act with user-specific permissions rather than service accounts, plus agent lifecycle governance. Its registry lists ~150 MCP servers — an order of magnitude fewer systems than the larger catalogs here — and pricing is published: free Hobby tier, Growth at $25/month plus usage.
Best for: teams building multi-user agents with hard infrastructure-control requirements and a contained set of target systems.
Composio
Composio markets 1,000+ toolkits and 20,000+ tools via MCP or direct APIs, and it’s genuinely developer-loved: good SDKs, fast setup, published developer-friendly pricing (free tier, then from $29/month), and per-user connected accounts where end users authorize via a hosted Connect Link.
Whether it’s a gateway is a fair question. Composio is an integration toolkit that speaks MCP — excellent at getting a developer’s agent many tools quickly. What we couldn’t find in its public docs as of June 9, 2026 is the org-level control plane: central policy enforcement and approval workflows. For a solo developer that’s irrelevant; for an IT-led review it’s the entire question.
Best for: developers building agent products who want toolkit breadth and SDK speed, ahead of organizational governance.
Pipedream Connect MCP
Pipedream’s MCP is built for developers embedding integrations into their own AI products: your users connect their accounts through Pipedream’s managed auth, isolated per external_user_id, across 3,000+ APIs. It’s available remote-hosted or self-hosted, which is rare in the managed group, and pricing is published: usage-based on API calls plus unique end users, with a free tier.
It’s a developer primitive, not an IT product — governance beyond logging isn’t detailed in the docs, and the buyer it serves is the engineering team shipping an app, not the IT team deploying agents to a workforce.
Best for: developers embedding user-authorized integrations into their own AI product.
Self-hosted and open-source MCP gateways
A different deal: full control of the gateway layer, and full responsibility for every MCP server behind it. None of these include a managed connector catalog — coverage is yours to build and maintain, which is the line item that quietly dominates the total cost.
Microsoft MCP Gateway
Microsoft’s mcp-gateway (MIT, ~680 stars) is a Kubernetes-native reverse proxy with session-aware stateful routing, a control plane for server lifecycle, and Entra ID auth with role-based authorization in cloud mode. It’s serious plumbing for platform teams on AKS. Note the preview edges: agent/session execution is single-replica preview, and built-in tools run without production sandboxing.
Best for: platform teams on Kubernetes/Azure who want open-source routing infrastructure and will build and operate their own MCP servers.
Docker MCP Gateway
Docker’s MCP Gateway runs MCP servers as isolated containers with restricted privileges, injects credentials centrally, and provides call tracing — a clean local-first security model. It’s the right answer for a developer’s machine, not an org: multi-tenancy isn’t addressed, and the trust boundary is one Docker environment.
Best for: individual developers who want isolated, credential-managed MCP servers locally, for free.
Kong AI Gateway (Enterprise MCP Gateway)
Kong’s Enterprise MCP Gateway is a capability set inside Kong AI Gateway (via Kong Gateway Enterprise and Konnect): reverse proxy protection, an OAuth 2.1 MCP auth policy aligned with the June 2025 spec, routing, a dynamic tool registry, and MCP-specific observability. Its standout trick: auto-generating MCP servers from REST APIs Kong already manages — zero code.
Mind what auto-generation hands you, though: out of the box, tool names and descriptions come straight from your OpenAPI specs. The agent-shaping work (choosing which operations to expose, tuning descriptions agents select on) is yours to do per API, and it compounds as agents reason over hundreds of endpoints.
Best for: API-platform teams already running Kong who want MCP governance over internal APIs with the skills and infrastructure they have.
TrueFoundry
TrueFoundry’s MCP Gateway is a control plane for access, discovery, and orchestration of MCP servers with the strongest sovereignty story in this group: VPC, on-prem, air-gapped, multi-cloud — “no data leaves your domain” — with Okta/Azure AD federation, per-server RBAC, tracing, and SOC 2/HIPAA/GDPR posture. It governs servers; it doesn’t supply the connectors behind them, and it arrives as part of a broader ML platform — more platform than most teams want for a gateway alone.
Best for: regulated enterprises where data sovereignty is the first requirement — and engineering capacity to build connectors is not the constraint.
Lunar.dev MCPX
Lunar’s MCPX is a policy gateway: a unified entry point for tool invocations with RBAC per agent and user, approval workflows, DLP redaction, and an immutable audit trail. Open-source edition for local use, enterprise in your cloud (currently gated by a beta request). It governs servers you already run — it doesn’t reduce the work of having servers to run.
Best for: security teams adding policy and audit over MCP servers their organization has already built.
Which MCP gateway supports multi-tenant deployments?
StackOne, Pipedream, Composio, Microsoft, and Arcade all support multi-tenant deployment (through three different mechanisms), and Workato approximates it through per-user identity inheritance. Docker’s gateway does not attempt it, and TrueFoundry doesn’t document tenant isolation publicly. The real question is whose credentials the agent uses, and who keeps tenants apart:
- Platform-level tenant isolation — StackOne (organizations → projects → per-user linked accounts, with end users opting specific accounts into specific MCP clients), Pipedream (external_user_id isolation), and Composio (per-user user_id connected accounts) build tenancy into the data model. This is what workforce deployment needs: 500 users means 500 isolated credential sets, not one service account.
- Identity-inheritance — Workato’s Verified User Access and Arcade’s IdP-integrated permissions make the agent act as the authenticated user, which gives per-user audit but depends on the platform’s reach into each system.
- Session/infrastructure isolation — Microsoft (session-aware routing + Entra ID roles) and Kong isolate at the routing layer; whether credentials are tenant-isolated depends on the servers you wrote.
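As an added illustration (not code from StackOne or any other vendor on this page), the sketch below shows platform-level tenant isolation at the gateway: the tool allowlist is per project, the credential lookup is keyed on the authenticated identity, and every decision is audited. The `Gateway` class, tool names, tokens, and the org/project/user model are hypothetical; the request shape follows MCP's JSON-RPC `tools/call` method, and SSO/OAuth is assumed to have already produced the session.

```python
import json
from dataclasses import dataclass, field


class Denied(Exception):
    """Policy blocked the call; the reason is returned and audited."""


@dataclass
class Gateway:
    allowlist: dict[str, set[str]]    # project -> tools its agents may call
    tool_system: dict[str, str]       # tool -> backend system it acts on
    sessions: dict[str, tuple[str, str, str]]  # token -> (org, project, user)
    # (org, user, system) -> credential: one isolated entry per linked account
    vault: dict[tuple[str, str, str], str] = field(default_factory=dict)
    audit: list[dict] = field(default_factory=list)

    def link_account(self, org, user, system, credential):
        # Stored under the linking user's identity only, never shared.
        self.vault[(org, user, system)] = credential

    def handle(self, session_token: str, raw_request: str) -> dict:
        """Authenticate, restrict, resolve the credential, audit one call."""
        req = json.loads(raw_request)
        ident = self.sessions.get(session_token)
        tool = req.get("params", {}).get("name")
        try:
            if ident is None:
                raise Denied("unauthenticated")
            org, project, user = ident
            if req.get("method") != "tools/call":
                raise Denied("unsupported method")
            if tool not in self.allowlist.get(project, set()):
                raise Denied("tool not allowed for project")
            system = self.tool_system[tool]
            # Keyed on the authenticated identity, never on a request field.
            if (org, user, system) not in self.vault:
                raise Denied("no linked account")
        except Denied as exc:
            self._log(ident, tool, "deny", str(exc))
            return {"jsonrpc": "2.0", "id": req.get("id"),
                    "error": {"code": -32000, "message": str(exc)}}
        self._log(ident, tool, "allow", system)
        # A real gateway forwards to the MCP server with that credential here.
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "result": {"routed_to": system, "credential_owner": user}}

    def _log(self, ident, tool, decision, detail):
        self.audit.append({"identity": ident, "tool": tool,
                           "decision": decision, "detail": detail})


def demo():
    """Constructed scenario: two users, one project, one linked CRM account."""
    gw = Gateway(
        allowlist={"sales": {"crm_get_account"}},
        tool_system={"crm_get_account": "crm", "hris_get_employee": "hris"},
        sessions={"tok-alice": ("acme", "sales", "alice"),
                  "tok-bob": ("acme", "sales", "bob")},
    )
    gw.link_account("acme", "alice", "crm", "constructed-token-alice")

    def call(tool, **args):
        return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                           "params": {"name": tool, "arguments": args}})

    return gw, {
        "alice": gw.handle("tok-alice", call("crm_get_account", id="001")),
        # Bob names Alice in the arguments; the vault lookup ignores that.
        "bob_spoof": gw.handle("tok-bob", call("crm_get_account", user="alice")),
        "not_allowed": gw.handle("tok-alice", call("hris_get_employee", id="7")),
        "no_session": gw.handle("tok-unknown", call("crm_get_account", id="1")),
    }
```

With a single shared service account in place of the per-user vault key, the second call would succeed under Alice's access, which is the failure mode the "500 isolated credential sets" point is about.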
Which should you choose?
| You are | Pick | Runner-up |
|---|---|---|
| IT/AI lead deploying Copilot, Claude, Gemini Enterprise, or Glean to a workforce, acting on Workday/Salesforce/ServiceNow | StackOne | Workato (if already a Workato shop) |
| Developer building internal agents on enterprise systems (SDK, API, or MCP) | StackOne (same connectors over SDK/API/MCP/A2A) | Composio |
| Developer building a consumer-facing agent product whose users connect their own apps | Pipedream or Composio | Arcade (when infra control matters) |
| Regulated enterprise that must control deployment | StackOne self-hosted (Enterprise) or TrueFoundry | Microsoft (K8s, build your own servers) |
| Platform team standardizing on Kubernetes with in-house servers | Microsoft | Kong (if it already runs your APIs), Lunar (policy layer) |
| Security team that needs inline DLP redaction on tool traffic | Lunar (policy layer over your servers) or Merge | StackOne (field-level action scoping, injection defense) |
| Team wanting maximum consumer-app breadth, minimum setup, pilot volumes | Zapier | — |
| One developer on a laptop | Docker | — |
If you’re in that last row, you may not need a gateway at all yet.
The best MCP gateways, by AI client
Each MCP client constrains the choice differently — admin models, transports, auth requirements, tool budgets. We’ve applied this comparison’s criteria to each major client in a dedicated guide:
When you don’t need an MCP gateway
Skip the gateway if:
- One agent, a handful of systems, technical users. Direct MCP server connections are simpler and free. A gateway adds a hop and a bill you don’t need yet.
- Everything you connect lives in one vendor’s walled garden. If agents only touch Microsoft 365 through Copilot’s native plumbing, Microsoft’s own governance may be enough until you cross ecosystems.
- You’re still proving the use case. Connect a single managed MCP server directly, prove value, then graduate to gateway controls when user count makes credential sprawl real.
The trigger points: the first security review of agent actions, the first “which tools can the finance team’s agent see?” conversation, and the first time a user asks IT to connect an account for them. Most enterprises we talk to hit all three within a quarter of rollout.
Where this market is going
Three predictions we’re confident enough to publish. First, the gateway and the connectors collapse into one buying decision — “we’ll route to servers we build” undercounts what 50 deep, maintained connectors actually cost (it’s why agents broke the old integration paradigm in the first place). Kong’s API auto-generation and the managed-catalog platforms are converging on the same insight from opposite directions. Second, end-user account linking becomes table stakes: agent adoption is bottoms-up, and any gateway that requires an IT ticket per connected account will lose to one where users self-serve under policy. Third, governance spreads beyond MCP: agents already reach tools over APIs, SDKs, and A2A, and a gateway that only sees MCP traffic governs a shrinking share of agent activity. The winning layer will police every surface with one policy and one audit trail.
StackOne is the governed layer between AI agents and 310+ enterprise systems with 20,000+ agent-optimized actions — over MCP, A2A, API, and SDKs — with end-user OAuth linking, connectors you can extend, and built-in prompt-injection defense. See pricing or book a demo.
Frequently Asked Questions
Which MCP gateway supports multi-tenant deployments?
external_user_id per connected account, and Composio scopes connected accounts to a per-user user_id. Microsoft's MCP Gateway provides session-aware routing with Entra ID role-based authorization. Zapier offers workspace-level controls. Docker's MCP Gateway does not address multi-tenancy — it's designed for a single developer's environment. Check whether 'multi-tenant' means isolated end-user credentials (what enterprise deployment needs) or just multiple sessions.