From Stdio to Enterprise: The MCP Gateway Pattern

November 22, 2025 · 8 min read
blog

As-of note: MCP evolves quickly. This article references the MCP spec revision 2025-11-25. Validate details against the current spec before shipping changes. [1][2][3]

Why this matters

Local MCP servers over stdio are an amazing developer experience: you install a tool server, the host (Claude Desktop / Claude Code / an agent runtime) launches it, and you’re productive in minutes. [2]

But as soon as MCP becomes shared infrastructure - multiple clients, multiple users, multiple environments - the “local tool server” model runs into the same constraints every integration layer hits:

  • Who is allowed to call what tool?
  • How do you prevent one noisy user from melting shared dependencies?
  • How do you audit tool side effects?
  • How do you roll out tool changes without breaking clients?
  • How do you keep secrets out of prompts, logs, and screenshots?

This is where the MCP Gateway Pattern shows up.

A gateway is not “another service.” It’s a capability boundary: the place where you enforce policy, budgets, and observability for tool use at scale.

TL;DR

  • Stdio is great for local, single-user, low-blast-radius setups.
  • HTTP transports (Streamable HTTP) enable multi-client servers - but they also require real auth and multi-tenant safety. [2][3]
  • An MCP gateway sits between clients and tool servers to provide:
  • authentication & authorization
  • tenant isolation
  • rate limits / concurrency / cost budgets
  • consistent tool schemas + safety gates
  • audit logs and observability
  • routing, versioning, rollout controls
  • Build the gateway to be boring: small surface area, strict validation, explicit policies, great telemetry.

Contents

When stdio stops being enough

MCP supports multiple transports; stdio is common for local servers. [2] In that model, the host controls process lifetime and secrets typically come from the environment on the local machine.

Stdio starts to strain when you need:

  • multi-client concurrency
  • shared tenancy
  • central policy enforcement
  • centralized audit
  • fleet-level rollout controls

At that point, you’re effectively building a platform. The platform needs a stable ingress point with consistent security and operational behavior.

MCP’s HTTP-based transports (like Streamable HTTP) are designed for servers that can handle multiple connections and enable streaming/notifications. [2] MCP also defines an authorization flow for HTTP-based transports. [3]

That’s the entry point for a gateway.

The MCP Gateway Pattern

Definition: An MCP gateway is an MCP server (or MCP-adjacent ingress layer) that:

  1. authenticates and authorizes the client
  2. routes requests to one or more downstream MCP servers (or tool backends)
  3. enforces budgets and safety gates
  4. emits consistent telemetry and audit records

It looks like an API gateway, but the payload is “tool capability” not “REST endpoints.”

Responsibilities of a gateway

1) Authentication and authorization

If you expose MCP servers over HTTP, you need strong auth. MCP includes an authorization framework at the transport layer for HTTP-based transports. [3]

Practical gateway rules:

  • Authenticate every client (bearer tokens, mTLS, OAuth-derived access tokens).
  • Authorize per tool, not per server.
  • Prefer least privilege scopes:
  • calendar.read
  • calendar.write
  • email.read
  • email.send
  • k8s.readonly
  • k8s.apply
  • For high-impact tools: require explicit confirmation tokens and/or multi-party approval.

2) Tool contract enforcement

MCP tools are invoked by an LLM-driven client. That means tool arguments are untrusted.

The gateway is the ideal place to enforce:

  • schema validation
  • payload size caps
  • allowlists and blocklists
  • “danger gates” (preview/apply, confirmations)
  • “semantic validation” (not just types - e.g., limits required, date ranges bounded)

MCP’s spec is grounded in structured schemas; treat those schemas as contracts. [1]

3) Budgets and backpressure

Agents can trigger bursty tool calls. Without backpressure you get the classic cascade:

  • upstream rate limits
  • DB pool exhaustion
  • thread/goroutine explosion
  • timeouts everywhere

At the gateway you can enforce:

  • per-tenant rate limits
  • per-tool concurrency limits
  • timeouts and deadline propagation
  • queue depth caps (bounded memory)
  • circuit breakers for flaky dependencies

This is where you keep “one user spamming tools” from becoming “everyone is down.”

4) Secret handling and redaction

Gateways are a natural place to centralize:

  • secret injection (short-lived tokens per tenant)
  • output redaction (strip tokens, emails, PII fields)
  • logging policies (never log raw tool payloads by default)

For agent systems, OWASP highlights risks like prompt injection and sensitive info disclosure as major categories. [7]

Your gateway should assume that anything returned by a tool could be coerced into exfiltration if you’re careless.

5) Observability and audit

Operationally, the gateway is your best place to emit consistent:

  • request logs
  • tool call metrics
  • traces across tool chains
  • audit events for side effects

OpenTelemetry is the de facto standard for collecting and exporting telemetry. [5] W3C Trace Context defines headers like traceparent/tracestate for trace propagation across services. [6]

If you want an enterprise to trust agents, you need the forensic trail.

6) Routing and discovery at scale

The gateway becomes:

  • the routing table (“tool X lives in cluster Y”)
  • the discovery system (“list tools available for tenant Z”)
  • the version broker (“tool schema v3 for client A, v4 for client B”)

This is also where you can implement “tool quality” policies:

  • quarantine tools with high error rates
  • fallback to read-only alternatives
  • degrade gracefully under partial outages

Reference architecture

Here’s a simple, effective gateway architecture:

--------------------------------
- Agent host / IDE / runtime -
- (MCP client) -
--------------------------------
 - Streamable HTTP / JSON-RPC [2][4]
 v
------------------------------------------------
- MCP Gateway -
- - AuthN/Z [3] -
- - Schema + safety gates -
- - Budgets (rate, concurrency, cost) -
- - Audit + telemetry (OTel) [5][6] -
- - Routing + tool registry -
------------------------------------------------
 -
 ------------------------
 v v
----------------- ------------------
- MCP Server A - - MCP Server B -
- (calendar) - - (k8s, github...)-
------------------ ------------------
 v v
 Upstream APIs Upstream APIs

Key design decision: the gateway should not contain business logic. It enforces policy and routes tool calls. Tool semantics live in tool servers.

Policy patterns that actually work

Pattern: Read vs write tool classes

Classify tools into tiers:

  • Read-only: listing, searching, fetching
  • Write-safe: creates/updates that are naturally reversible
  • Dangerous: deletes, bulk updates, destructive actions, privileged ops

Then enforce different rules per tier:

  • Read-only: wide availability, higher concurrency
  • Write-safe: lower concurrency, stronger audit, idempotency keys
  • Dangerous: preview/apply, explicit confirmations, restricted scopes

Pattern: Preview -> Apply

For any tool that can cause harm:

  1. plan_* returns a plan + summary + plan_id
  2. apply_* requires plan_id (and optionally a user confirmation token)

This is the “terraform plan/apply” mental model applied to tools.

Pattern: Allowlisted egress (SSRF containment)

If tools can fetch URLs or call arbitrary endpoints, treat it as SSRF risk. OWASP’s SSRF prevention guidance is a useful baseline. [8]

At the gateway, enforce:

  • allowlisted domains
  • IP/CIDR blocks for internal metadata ranges
  • redirect re-validation

Pattern: Tenant-bound tokens

Instead of giving tool servers “global” credentials, mint tenant-scoped tokens and inject them for each call.

  • reduces blast radius
  • makes audit meaningful
  • enables “kill switch” revocation per tenant

Scaling and isolation strategies

A gateway is where multi-tenancy becomes real. Choose an isolation model:

Option A: Process isolation per tool server (simple, strong isolation)

  • each integration is its own process/container
  • faults stay contained
  • rollouts per integration are easy

Tradeoff: more processes to manage.

Option B: Shared server with strong tenant sandboxing

  • single multi-tenant server handles many clients
  • cheaper to run
  • requires rigorous isolation inside the process

Tradeoff: higher risk if a bug leaks across tenants.

Option C: Hybrid

  • “sensitive” integrations are isolated
  • “low-risk” read-only tools can be multi-tenant

Most enterprises end up here.

Observability and audit

What to emit (minimum viable)

Metrics

  • tool_calls_total{tool, tenant, status}
  • tool_latency_ms{tool}
  • rate_limited_total{tenant}
  • budget_exceeded_total{tenant, budget_type}

Traces

  • request span (client -> gateway)
  • tool execution span (gateway -> server)
  • downstream spans (server -> upstream API)

Audit events

  • who (tenant/user/client)
  • what (tool + summarized parameters)
  • when
  • result (success/failure)
  • side effect IDs (resource IDs, plan_id, idempotency_key)

OpenTelemetry’s Go docs are a good reference for instrumentation patterns. [5]

Rollouts and versioning

Tool contracts drift. Clients upgrade at different times. Gateways can reduce pain by:

  • pinning tool schema versions per client
  • supporting additive changes first (new fields optional)
  • allowing parallel tool versions for a period
  • enabling canary rollouts per tenant

If you do nothing else: never deploy a breaking tool change to 100% of tenants at once.

A production checklist

Security

  • AuthN required for all HTTP-based access. [3]
  • AuthZ enforced per tool (least privilege).
  • Tool inputs validated and bounded.
  • Dangerous tools require preview/apply and explicit confirmations.
  • Egress allowlists exist for URL/network tools. [8]

Reliability

  • Per-tenant rate limiting and per-tool concurrency caps.
  • Timeouts everywhere; deadlines propagate.
  • Bounded queues (no unbounded memory growth).
  • Circuit breakers for flaky dependencies.

Operability

  • Traces propagate end-to-end (W3C Trace Context). [6]
  • Metrics and logs are consistent and redacted.
  • Audit events exist for side effects.

Delivery

  • Tool schemas versioned; canary rollouts supported.
  • Quarantine and fallback policies exist for failing tools.

References

[1] Model Context Protocol (MCP) - Specification (Protocol Revision 2025-11-25): https://modelcontextprotocol.io/specification/2025-11-25 [2] MCP - Transports (including Streamable HTTP): https://modelcontextprotocol.io/specification/2025-03-26/basic/transports [3] MCP - Authorization (HTTP-based transports): https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization [4] JSON-RPC 2.0 Specification: https://www.jsonrpc.org/specification [5] OpenTelemetry Go - Instrumentation docs: https://opentelemetry.io/docs/languages/go/instrumentation/ [6] W3C - Trace Context: https://www.w3.org/TR/trace-context/ [7] OWASP - Top 10 for Large Language Model Applications: https://owasp.org/www-project-top-10-for-large-language-model-applications/ [8] OWASP - SSRF Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

MCP Agents Go Security SRE Platform-Engineering
Authors
Roy Gabriel
DevOps Architect · Applied AI Engineer
I’ve spent 20 years building systems across embedded systems, micro-controllers, PLCS, security platforms, fintech, SRE, and platform architecture. Today I focus on production AI systems in Go: multi-agent orchestration, MCP server ecosystems, and the DevOps platforms that keep them running. I care about systems that work under pressure: observable, recoverable, and built to last.