> ## Documentation Index
> Fetch the complete documentation index at: https://www.aptible.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Access Control

> Control who can call which tools using grants and membership.

## Overview

Access in the MCP Gateway is built on two concepts:

* **[Grants](/mcp-gateway/grants):** records that specify a set of tools and the users or agents allowed to call them. No grant, no access.
* **[Membership](/mcp-gateway/membership):** users, robots, and API keys that can be attached to grants. Robots and API keys extend access to automated pipelines and agents.

When an agent calls a tool, the gateway checks whether a grant exists for that caller on that tool, and either forwards the call or rejects it. Access is deny-by-default. No implicit access is inherited.

<Info>
  Account Owner or Admin permission is required to manage grants and add or manage users and robots. Any user can create their own API key.
</Info>

<CardGroup cols={2}>
  <Card title="Grants" href="/mcp-gateway/grants">
    Create and manage grants to scope tool access per user or agent.
  </Card>

  <Card title="Membership" href="/mcp-gateway/membership">
    Set up robots and API keys for non-human callers.
  </Card>
</CardGroup>
