Skip to content
CTRL K
    Docs Standalone Kubernetes Models Blog Enterprise Community Get Started GitHub
    🎯 New workshop: Govern AI Costs in Real Time — Hands-On with agentgateway agentgateway has joined the Agentic AI FoundationLearn more

    For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.

    Page as Markdown
    MCP authorization
    
Verified
Code examples on this page have been automatically tested and verified.
    Define authorization rules for MCP method invocations using CEL expressions.
    Attaches to: 
    Backend
    (MCP Backends only)
    Agentgateway supports more than one configuration style. Where a feature can also be configured in the simplified llm or mcp modes, the examples on this page show each option in tabs. For more information, see Routing-based configuration.
    The MCP authorizationAuthorization (AuthZ)The process of determining what actions an authenticated user or service is allowed to perform. Agentgateway supports HTTP authorization, MCP authorization, and external authorization services. policy works similarly to HTTP authorization, but runs in the context of an MCP request.
    Note
    This policy works only for MCP traffic. Note that all standard HTTP policies also apply to MCP traffic.
    Instead of running against an HTTP request, MCP authorization policies run against specific MCP method invocations such as list_tools and call_tools.
    If a tool or other resource is not allowed, the gateway automatically filters it from the list response.
    # yaml-language-server: $schema=https://agentgateway.dev/schema/config
mcp:
  port: 3000
  targets:
  - name: everything
    stdio:
      cmd: npx
      args: ["@modelcontextprotocol/server-everything"]
    policies:
      mcpAuthorization:
        rules:
        # Allow anyone to call 'echo'
        - 'mcp.tool.name == "echo"'
        # Only the test-user can call 'add'
        - 'jwt.sub == "test-user" && mcp.tool.name == "add"'
        # Any authenticated user with the claim `nested.key == value` can access 'printEnv'
        - 'mcp.tool.name == "printEnv" && jwt.nested.key == "value"'
    Try out CEL expressions in the built-in CEL playground in the agentgateway admin UI before using them in your configuration.
    CEL variables

    The following MCP-specific CEL variables are available in authorization rules:
    VariableTypeAvailabilityDescription
    mcp.tool.namestringRequest-timeThe name of the tool being called.
    mcp.tool.targetstringRequest-timeThe target backend handling the tool call.
    mcp.tool.argumentsmapRequest-timeThe JSON arguments passed to the tool call.
    mcp.tool.resultanyPost-requestThe tool call result payload (access logs only).
    mcp.tool.erroranyPost-requestThe tool call error payload (access logs only).
    mcp.prompt.namestringRequest-timeThe name of the prompt being accessed.
    mcp.resource.namestringRequest-timeThe name of the resource being accessed.
    mcp.methodNamestringPost-requestThe MCP JSON-RPC method name, such as tools/call.
    mcp.sessionIdstringPost-requestThe MCP session ID.
    Request-time variables are available during authorization and can be used in mcpAuthorization rules. Post-request variables are available in access log CEL expressions.
    Authorize based on tool arguments

    You can use tool arguments in authorization rules to enforce fine-grained access control. For example, restrict which URLs a fetch tool can access:
    mcpAuthorization:
  rules:
  - 'mcp.tool.name == "fetch" && mcp.tool.arguments.url.startsWith("https://internal.")'
    Refer to the CEL reference for additional variables.
    MCP authenticationOIDC browser authentication
    Was this page helpful?
    

    
Agentgateway assistant
    


    Ask me anything about agentgateway configuration, features, or usage.
    Note: AI-generated content might contain errors; please verify and test all returned information.
    Tip: one topic per conversation gives the best results. Use the + button in the chat header to start a new conversation.
    Switching topics? Starting a new conversation improves accuracy.

    ↑↓ navigate
 select
esc dismiss
    

    

    What could be improved?
    Your feedback helps us improve assistant answers and identify docs gaps we should fix.
    Need more help? Join us on Discord:
https://discord.gg/y9efgEmppm
    Want to use your own agent? Add the Solo MCP server to query our docs directly. Get started here:
https://search.solo.io/.