MCP gateway security checklist
Evaluate MCP gateways for AI vendor security reviews, customer questionnaires, and agent governance. Focus on authentication, RBAC, token passthrough, tool approval, audit logs, tenant isolation, secrets, and prompt injection.
MCP gateway vs MCP proxy
Use this distinction before treating a routing layer as customer-ready security evidence.
MCP gateway security checklist
Score each item 0, 1, or 2 based on whether the control is missing, partial, or reviewable.
| Area | Security check | Evidence to keep |
|---|---|---|
| Authentication | Require explicit user or workload identity before a client can reach gateway-controlled MCP tools. | Identity provider config, allowed client list, token lifetime, and revocation path. |
| RBAC | Map teams, agents, tools, environments, and data classes to least-privilege access policies. | Role matrix, tool allowlist, deny rules, and exception owner. |
| Token passthrough | Document whether the gateway forwards end-user tokens, exchanges tokens, or uses service credentials. | Token flow diagram, scopes, storage rules, and rotation process. |
| Tool approval | Require approval before high-impact tools can export data, write records, change admin settings, or call external systems. | Approval policy, reviewer role, sample approval log, and emergency disable process. |
| Audit logs | Log tool calls, denied actions, policy decisions, config changes, token use, and gateway errors. | SIEM destination, retention period, event schema, and incident-response runbook. |
| Tenant isolation | Prevent cross-tenant tool discovery, data access, log leakage, prompt context sharing, and policy inheritance mistakes. | Tenant boundary design, test results, and isolation controls. |
| Secret handling | Keep API keys out of prompts, tool descriptions, local config, logs, and agent-visible context. | Secrets manager policy, redaction rules, and access review. |
| Prompt injection | Treat retrieved content and tool output as untrusted input before the gateway allows sensitive follow-up actions. | Filtering rules, action gating, allowlists, and human review path. |
| Tool poisoning | Review tool names, descriptions, schemas, package provenance, and server updates before they are exposed through the gateway. | Change review, package source, version pinning, and rollback plan. |
| Fail closed | Define what happens when policy lookup, logging, identity verification, or approval services are unavailable. | Failure-mode test, default deny rule, alert path, and business exception process. |
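As an added example (not code from the page or from any MCP project), the following default-deny decision function models the identity, RBAC, tenant isolation, tool approval, audit log and fail-closed rows above; the role allowlist, tool names, tenant names and approval ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy: role -> tools it may call, plus the subset of
# high-impact tools that need an approval record before the call proceeds.
ROLE_TOOL_ALLOWLIST = {
    "support-agent": {"crm.read_ticket", "crm.update_ticket"},
    "finance-agent": {"erp.read_invoice", "erp.export_report"},
}
HIGH_IMPACT_TOOLS = {"crm.update_ticket", "erp.export_report"}

@dataclass
class Request:
    principal: Optional[str]      # authenticated identity; None if unauthenticated
    role: Optional[str]
    tenant: str                   # tenant the caller belongs to
    tool: str
    tool_tenant: str              # tenant that owns the target MCP server
    approval_id: Optional[str] = None

@dataclass
class Decision:
    allow: bool
    reason: str

# Every decision, allowed or denied, is recorded so the log is reviewable.
AUDIT_LOG = []

def evaluate(req: Request, policy_available: bool = True,
             approvals: frozenset = frozenset()) -> Decision:
    """Default deny: the call is allowed only if every check passes."""
    if not policy_available:
        decision = Decision(False, "policy service unavailable: fail closed")
    elif not req.principal:
        decision = Decision(False, "unauthenticated principal")
    elif req.tenant != req.tool_tenant:
        decision = Decision(False, "cross-tenant tool access")
    elif req.tool not in ROLE_TOOL_ALLOWLIST.get(req.role or "", set()):
        decision = Decision(False, "tool not in role allowlist")
    elif req.tool in HIGH_IMPACT_TOOLS and req.approval_id not in approvals:
        decision = Decision(False, "high-impact tool requires approval")
    else:
        decision = Decision(True, "allowed")
    AUDIT_LOG.append({"principal": req.principal, "tenant": req.tenant,
                      "tool": req.tool, "allow": decision.allow,
                      "reason": decision.reason})
    return decision

if __name__ == "__main__":
    print(evaluate(Request("alice", "support-agent", "acme", "crm.read_ticket", "acme")))
    print(evaluate(Request("bob", "support-agent", "acme", "crm.update_ticket", "acme")))
```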
Risk scoring
The score is a triage tool for vendor review and internal approval, not a compliance certification.
0-8: Do not approve
The gateway is routing traffic, but the reviewable controls are missing or mostly assumed.
9-15: Limited pilot
Some evidence exists, but sensitive tools or customer data should stay restricted until gaps close.
16-20: Production candidate
Core controls are documented, owned, monitored, and ready for customer security review.
Questionnaire items
Turn gateway review into reusable answer-library questions instead of one-off AI security claims.
| Customer question | Answer should include |
|---|---|
| How do you authenticate AI agents and users before they can access MCP tools? | Describe identity provider integration, token lifetime, client registration, and revocation. |
| How are MCP tool permissions approved and enforced? | Explain RBAC, tool allowlists, high-impact action approval, and default-deny behavior. |
| Do you pass end-user tokens through the MCP gateway? | State whether tokens are passed through, exchanged, scoped, stored, rotated, and logged. |
| How do you prevent prompt injection from triggering unsafe tool calls? | Describe untrusted content handling, policy checks, sensitive action gating, and human approval. |
| What audit logs are available for MCP gateway activity? | List tool calls, denied actions, policy decisions, config changes, retention, and SIEM destination. |
| How do you maintain tenant isolation across MCP clients and servers? | Document data boundaries, log separation, tool discovery limits, and testing evidence. |
Evidence and source trail
These official MCP references support the security review areas above.
MCP authorization specification
Official MCP source: The official MCP authorization specification describes authorization responsibilities for HTTP-based MCP servers and OAuth-based flows.
MCP security best practices
Official MCP source: The official guidance covers consent, authorization, confused-deputy risks, token passthrough, and session hijacking considerations.
MCP client security
Official MCP source: Client guidance reinforces explicit user consent, tool-call authorization, and clear control over what agents can access.
MCP gateway security FAQ
Short answers for teams adding gateway review to AI security questionnaires.
What is an MCP gateway?
An MCP gateway is a control layer that can sit between MCP clients and MCP servers to centralize policy, routing, approvals, logging, and enforcement for agent-to-tool access.
Is an MCP gateway the same as an MCP proxy?
Not always. A proxy may primarily forward traffic, while a security-oriented gateway should provide reviewable controls such as identity, RBAC, approval rules, tenant isolation, and audit logs.
Why does MCP gateway security belong in vendor questionnaires?
Customers reviewing AI-enabled vendors need evidence for how agents access tools, what credentials are used, how sensitive actions are approved, and whether logs exist for incident review.
Should teams buy an MCP gateway before writing answers?
No. Start by documenting current tool access, identity, approvals, logs, and risks. That evidence will show whether a gateway is needed and which controls it must provide.