This post was originally published on mcpproxy.app/blog.
The Cambrian Explosion of MCP Gateways
Eighteen months ago, "MCP gateway" was barely a category. Today, the awesome-mcp-gateways list on GitHub tracks 42 projects -- 19 open-source and 23 commercial -- and the number keeps climbing. Microsoft, IBM, Docker, Kong, Traefik, and AWS have all shipped MCP gateway solutions. At least eight new open-source gateways appeared in the last six weeks alone.
What happened? The Model Context Protocol, introduced by Anthropic in late 2024, crossed a critical adoption threshold when OpenAI, Google, and Microsoft all added MCP support. Suddenly every AI agent could talk to any tool using a standard protocol -- and every organization needed something sitting between those agents and tools to enforce auth, control access, scan for threats, and log what happened.
That "something" is an MCP gateway. But the term now covers everything from a Kubernetes-native reverse proxy to a desktop-first developer tool to a commercial SaaS with 500+ managed integrations. Understanding the landscape requires separating these architectures, identifying which problems each solves, and recognizing which capabilities actually matter for your use case.
This post maps the territory, compares the major players, and explains where MCPProxy fits in.
Three Architectures, Three Philosophies
The 42 MCP gateways on the market fall into three broad architectural categories. Choosing between them is the first decision that matters.
Cloud-Native Gateways
These run in Kubernetes, scale horizontally, and assume your MCP servers are deployed as pods or remote services. They excel at multi-tenant environments where platform teams need to govern tool access across dozens of agent deployments.
Microsoft MCP Gateway is the canonical example: a C# reverse proxy with StatefulSet-based session affinity, Azure Entra ID authentication, RBAC, and a Tool Gateway Router that dynamically routes tool calls to registered servers. It is Kubernetes-native to its core -- there is no standalone binary, no desktop mode.
IBM ContextForge (3.4K GitHub stars) takes the broadest approach. It federates MCP, A2A, REST, and gRPC APIs behind a single endpoint with 40+ plugins, OpenTelemetry tracing, Redis-backed caching, and multi-cluster federation via mDNS auto-discovery.
Kong AI Gateway extends Kong's established API gateway with MCP proxy plugins, OAuth 2.1, and an MCP Registry for tool governance.
Desktop-First Gateways
These run locally, optimize for individual developers or small teams, and focus on the workflow between your editor (VS Code, Cursor, Claude Code) and your MCP servers.
Docker MCP Gateway (1.3K stars) is a Docker CLI plugin that runs MCP servers as isolated containers, manages secrets through Docker Desktop, and provides dynamic tool discovery.
MCPProxy occupies this space too, but with a different emphasis -- more on that below.
Managed Platforms
Services like Composio (500+ managed integrations), MintMCP (SOC 2/HIPAA audit logs), and Unified Context Layer (1,000+ tools) provide hosted MCP endpoints with pre-built connectors, managed auth, and pay-per-use pricing.
The Feature Map
| Capability | MCPProxy | IBM ContextForge | Microsoft MCP GW | Docker MCP GW | Kong AI GW | Bifrost |
|---|---|---|---|---|---|---|
| Tool Discovery | BM25 ranking | Registry + mDNS | Dynamic routing | Auto-discovery | MCP Registry | OpenAI-compat |
| Auth | OAuth config | OAuth, API keys | Azure Entra ID | OAuth + secrets | OAuth 2.1, ABAC | SSO, Vault |
| Security | Quarantine + SDD | Guardrails plugins | RBAC policies | Interceptors | ACLs, guardrails | Guardrails |
| Isolation | Docker containers | K8s namespaces | K8s pods | Docker containers | — | — |
| Protocol | MCP (stdio + SSE) | MCP, A2A, REST, gRPC | MCP | MCP | MCP + REST | MCP + LLM |
| Observability | Web UI, logs | OpenTelemetry | Azure Monitor | Logging, tracing | Prometheus | Audit logs |
| Deployment | Single binary | Docker/K8s/PyPI | K8s only | Docker CLI plugin | K8s + Konnect | Docker, NPX |
Where MCPProxy Is Different
MCPProxy does two things that no other gateway in this landscape does: BM25 tool discovery and schema quarantine.
The Tool Discovery Problem
When an agent connects to 15 MCP servers exposing 200+ tools, the LLM's context window fills with tool definitions. Most gateways treat this as a configuration problem -- you manually curate which tools each agent can see. MCPProxy treats it as a search problem.
MCPProxy's BM25 engine ranks available tools by relevance to the agent's current task. The agent sees 3-5 highly relevant tools instead of 200 noisy ones. No other MCP gateway offers automated relevance-based tool filtering.
The Quarantine Problem
When you connect a new MCP server, how do you know its tool definitions are safe? Tool poisoning -- hiding malicious instructions in tool descriptions -- is the number one MCP attack vector. MCPProxy's quarantine system holds new tool schemas in a staging area where they are analyzed for known attack patterns before being released to the agent.
Where Competitors Excel
Observability: IBM ContextForge. Full OpenTelemetry integration with Phoenix, Jaeger, and Zipkin backends.
Performance: Bifrost. Eleven microseconds of overhead at 5,000 RPS.
Multi-Protocol: IBM ContextForge. MCP, A2A, REST, and gRPC behind one gateway.
Enterprise Integration: Kong AI Gateway. Existing customer base and compliance certifications.
Managed Ease of Use: Composio. 500 pre-built integrations with managed auth.
Market Trajectory
Three patterns are shaping where the MCP gateway market goes:
Consolidation is coming. 42 gateways is not sustainable. The market will consolidate around 5-8 major players within 12-18 months.
Platform vendors will absorb the category. AWS has already added MCP proxy support to API Gateway. Azure has MCP support in API Management.
Security becomes the differentiator. As basic gateway functionality commoditizes, the security layer becomes the primary differentiator.
Where MCPProxy Goes from Here
Near-term (Q2 2026): OpenTelemetry export, expanded quarantine rules covering the full OWASP MCP Top 10, improved BM25 ranking.
Medium-term (H2 2026): OS-level sandboxing via Linux Landlock, expanded sensitive data detection, public benchmark suite.
Ongoing: Staying lean. MCPProxy will remain a single binary that you can download and run in 30 seconds.
MCPProxy is open source at github.com/smart-mcp-proxy/mcpproxy-go. Star the repo, file issues, or try it with mcpproxy serve.
Originally published at mcpproxy.app/blog.
Top comments (0)