Skip to main content

Overview

Access in the MCP Gateway is built on two concepts:
  • Grants: records that specify a set of tools and the users or agents allowed to call them. No grant, no access.
  • Membership: users, robots, and API keys that can be attached to grants. Robots and API keys extend access to automated pipelines and agents.
When an agent calls a tool, the gateway checks whether a grant exists for that caller on that tool, and either forwards the call or rejects it. Access is deny-by-default. No implicit access is inherited.
Account Owner or Admin permission is required to manage grants and add or manage users and robots. Any user can create their own API key.

Grants

Create and manage grants to scope tool access per user or agent.

Membership

Set up robots and API keys for non-human callers.