Copied to Clipboard
Because evaluation happens before the call is forwarded, the decision is deterministic. The model can reason around a prompt. It cannot reason around an action that physically never reaches the server. That is the core of MCP policy enforcement, and the reason the control belongs at the transport layer.
Gateway vs the alternatives
| Approach |
Strength |
Limitation |
| Per-server config |
Native to each server |
No server ships scoping; nothing is consistent across servers |
| Client-side rules |
Close to the agent |
Trivially bypassed; every client reimplements it |
| Prompt guardrails |
No infrastructure |
Not enforcement; defeated by injection |
| MCP gateway |
One deterministic control point across every server |
You route traffic through it |
The gateway is the only option that holds regardless of which server you call, which client the agent runs in, or what the agent was prompted to do.
How it works
A normal tool call is a JSON-RPC request. The agent asks the server to run a tool with arguments:
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"create_refund","arguments":{"charge_id":"ch_105","amount":500000}}}
Routed through a gateway, that request is evaluated against policy first. If a rule caps refunds, the call is blocked before it reaches Stripe, and the agent receives a tool result marked isError — a failed tool call it can reason about and adapt to, not a transport crash:
{"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"[POLICY DENIED] Refund exceeds the policy limit."}],"isError":true}}
Pointing a client at the gateway is a config change, not a code change. You swap the upstream server URL for your gateway endpoint and attach a scoped token:
{"mcpServers":{"stripe":{"url":"https://proxy.policylayer.com/mcp/<server-uuid>/","headers":{"Authorization":"Bearer <grant-token>"}}}}
The agent still sees an MCP server. It just sees one with a policy in front of it.
When you need one
A gateway earns its place the moment any of these is true:
- You run agents against more than one MCP server.
- More than one person uses those agents and you need to know who did what.
- Agents touch anything that costs money, deletes data, or sends messages.
- You answer to a compliance regime that expects an audit trail.
A single developer poking at one read-only server does not need a gateway. A team running production agents against Stripe, GitHub, Postgres, and a stack of third-party servers does, and the need is not optional. It is the difference between hoping the agent behaves and knowing what it is allowed to do.
Related reading
Control what your agents can do through MCP.
Get started now →. The product is live.
Browse the policy library →. Pre-classified tools across thousands of MCP servers.
Read the MCP security reference →. What the boundary looks like.