Shane Deconinck

Explainer

AgentGateway

The control point for securing agent-to-tool and agent-to-agent traffic

The Problem

Why Agent Gateways?

You've deployed MCP servers for your tools and A2A agents for orchestration. Now you have a new problem: governance.

πŸ”“
Who can access what?
Each MCP server has its own auth. No central policy. No unified audit trail.
πŸ”
What's happening?
Agents call tools, tools call agents. No single place to observe the traffic.
🌐
Third-party connections?
External MCP servers use external IdPs. Your enterprise IdP isn't in the loop.

Traditional API gateways don't help: they handle stateless HTTP, not stateful JSON-RPC sessions with long-lived connections.

What AgentGateway Solves

The Control Point

AgentGateway is an open-source gateway built specifically for agentic AI. Solo.io contributed it to the Linux Foundation in 2025. It sits between your agents and the tools/agents they connect to.

Single control point for all agent traffic Agent A (Claude) Agent B (Custom) AgentGateway Auth | RBAC | Audit MCP | A2A | LLM OpenTelemetry Cedar Policies MCP Server (CRM) MCP Server (GitHub) A2A Agent (Specialist)
Three Gateway Modes
πŸ”§
MCP Gateway
Federate multiple MCP servers
πŸ€–
A2A Gateway
Route agent-to-agent traffic
🧠
LLM Gateway
Unified access to AI providers

Key Capabilities

MCP Federation

Expose multiple MCP servers through a single endpoint. Clients see one unified tool catalog. Gateway handles routing.

Centralized Auth

Implement MCP Authorization spec once at the gateway. Supports Keycloak, Auth0, and other OAuth providers with automatic spec compliance.

Cedar Policies

Fine-grained RBAC using Cedar (Amazon's policy language). Control which users can access which tools at the tool level.

Observability

OpenTelemetry integration for metrics, logs, and distributed tracing across all agent traffic. See what's happening.

MCP Federation

The Problem It Solves

Without a gateway, each MCP client must:

  • Know about every MCP server endpoint
  • Handle auth separately for each server
  • Manage connections to multiple servers

With MCP federation, clients connect to one gateway endpoint. The gateway:

  • Aggregates tools from multiple backend MCP servers
  • Routes requests to the right server based on tool name
  • Applies policies before forwarding
  • Handles sessions for stateful MCP connections
Client sees unified catalog
{
  "tools": [
    { "name": "crm_search" },      // β†’ CRM MCP server
    { "name": "github_list_prs" }, // β†’ GitHub MCP server
    { "name": "slack_send" }       // β†’ Slack MCP server
  ]
}

Auth Portals for External Servers

The harder problem: third-party MCP servers that use their own IdPs.

The challenge:

  • External MCP server (e.g., Salesforce) has its own OAuth
  • Your enterprise IdP isn't involved
  • No central control over who can connect

AgentGateway's auth portal feature manages these external connections:

  1. User authenticates to your enterprise IdP first
  2. Gateway checks if user is allowed to connect to the external server
  3. Gateway manages the OAuth flow to the external IdP
  4. Tokens stored securely, refreshed automatically

Result: single enforcement point for both internal and external MCP connections.

Authorization with Cedar

Why Cedar?

Cedar is a policy language created by Amazon for fine-grained authorization. It's designed for RBAC (role-based), ABAC (attribute-based), and ReBAC (relationship-based) access control.

AgentGateway uses Cedar to express policies like:

Cedar Policy Example
permit (
  principal in Role::"analyst",
  action == Action::"tools/call",
  resource == Tool::"crm_search"
);

forbid (
principal in Role::“analyst”,
action == Action::“tools/call”,
resource == Tool::“crm_delete”
);

Analysts can search the CRM, but can't delete records. Policy is declarative, auditable, and separate from code.

Tool-Level Access Control

Cedar policies in AgentGateway can control access at multiple levels:

πŸ”§
Per Tool
Who can call crm_delete?
πŸ“¦
Per Server
Who can access GitHub MCP?
πŸ‘€
Per User
What can Alice's agent do?
πŸ€–
Per Agent
What can the sales bot do?

Combined with OBO tokens that identify both user and agent, you get full accountability.

See It In Action

Gateway Policy Enforcement

Gateway Policy Flow
πŸ€–Agent πŸšͺGateway πŸ“‹Cedar πŸ”§MCP Server tools/call: crm_search evaluate policy ALLOW forward request result: John Smith result tools/call: crm_delete evaluate policy DENY 403 Forbidden Click Start to begin
Request
-
Response / Policy
-

LLM Gateway

Unified Provider Access

AgentGateway also acts as an LLM gateway, providing a single endpoint for multiple AI providers:

OpenAI Anthropic Google (Gemini) Amazon Bedrock Azure OpenAI Self-hosted

All exposed via an OpenAI-compatible API. Benefits:

  • Unified auth: One API key, gateway handles provider auth
  • Cost tracking: Centralized usage metrics across providers
  • Inference routing: Route based on model, cost, latency, availability
  • Prompt guards: Regex filters, webhook validation before requests hit providers

Deployment

Built for Production

AgentGateway is written in Rust for performance at scale. Deployment options:

πŸ“¦
Binary
Single executable for VMs, bare metal
🐳
Docker
Container image for any orchestrator
☸️
Kubernetes
Gateway API conformance (HTTPRoute, GRPCRoute, TCPRoute, TLSRoute)

Configuration via YAML with xDS for dynamic updates without downtime.

What's Still Missing

Early in the Journey

AgentGateway is powerful, but honest assessment:

⚠ Maturity

Early in its Linux Foundation lifecycle. Validate performance, protocol coverage, and RBAC maturity for your environment.

⚠ Outbound auth complexity

Auth portals help, but managing OAuth flows to dozens of external IdPs is operationally complex.

βœ— Cross-org trust

Same gap as MCP and A2A: no verification of capability claims, no delegation chain tracking across organizations.

AgentGateway is governance for your trust domain. The cross-org trust layer (DIDs, VCs) is still the missing piece.

Alternatives

Other MCP Gateways

AgentGateway isn't the only option. The space is evolving:

AgentGateway's differentiator: A2A support and Cedar policies. Others focus primarily on MCP.

Learn More

EXPLAINER MCP (Model Context Protocol)
How agents connect to tools
EXPLAINER A2A (Agent-to-Agent Protocol)
How agents talk to each other
EXPLAINER OBO (OAuth On-Behalf-Of)
How agents act on behalf of users
 AgentGateway Documentation
Official docs and guides
 GitHub Repository
Source code and issues