This week at API Days Paris 2025, I sat through fascinating talks about MCP (Model Context Protocol), quantum-enhanced security, and API reliability patterns. The conversations kept circling back to one question: how do we actually implement these concepts in production?
So I built MCP Secure Gateway to answer that question.
What is MCP Secure Gateway?
It's a production-ready API gateway that demonstrates:
- Quantum Random Number Generation (QRNG) for cryptographically secure tokens
- MCP Protocol implementation for AI agent interactions
- Enterprise-grade authentication, rate limiting, and monitoring
- API Drift Detection through contract testing
Built with FastAPI, it serves as both a working reference implementation and a learning resource.
The Quantum Security Angle
Traditional random number generators use pseudo-random algorithms. They're deterministic—given the same seed, you get the same sequence. For JWT token IDs and cryptographic operations, that's a potential vulnerability.
Enter QRNG
Quantum Random Number Generators leverage quantum mechanics (like vacuum state fluctuations) to produce truly random numbers. MCP Secure Gateway integrates three providers:
1. ANU (Australian National University)
- Free, public quantum RNG
- Perfect for development and testing
- Uses vacuum fluctuations in a quantum beam splitter
2. Quantinuum (Enterprise)
- Commercial quantum computing platform
- High throughput, API-based access
- Requires API key
3. ID Quantique (Hardware-based)
- Physical quantum RNG devices
- Banking-grade security
- Requires API key
The Implementation
class QRNGService:
async def get_random_bytes(self, length: int = 32) -> bytes:
"""Get cryptographically secure random bytes"""
try:
if self.current_provider == QRNGProvider.ANU:
return await self._get_anu_bytes(length)
elif self.current_provider == QRNGProvider.QUANTINUUM:
return await self._get_quantinuum_bytes(length)
elif self.current_provider == QRNGProvider.IDQ:
return await self._get_idq_bytes(length)
except Exception as e:
# Graceful fallback to classical cryptography
if settings.QRNG_FALLBACK_ENABLED:
return secrets.token_bytes(length)
raise
Key design decision: Automatic fallback to secrets.token_bytes() ensures the system never fails due to quantum provider unavailability. Security degrades gracefully rather than catastrophically.
JWT with Quantum-Backed Token IDs
Every JWT gets a unique jti (JWT Token ID) generated from quantum randomness:
async def create_token(self, user_id: str, token_type: str = "access") -> str:
# Generate quantum-backed JWT ID
jti = await qrng_service.generate_token_id()
payload = {
"sub": user_id,
"jti": jti, # Quantum-backed unique identifier
"exp": expire,
"iat": now,
"type": token_type
}
return jwt.encode(payload, self.private_key, algorithm=self.algorithm)
This makes token prediction and collision attacks exponentially harder.
MCP Protocol Integration
MCP (Model Context Protocol) is becoming the standard for AI agent communication. The gateway implements core MCP patterns:
Tool Discovery
@router.get("/mcp/tools")
async def list_tools():
"""List available MCP tools"""
return [
{
"name": "get_weather",
"description": "Get current weather for a location",
"parameters": {
"type": "object",
"properties": {
"location": {"type": "string"}
}
}
},
# ... more tools
]
Tool Execution
@router.post("/mcp/execute")
async def execute_tool(tool_call: MCPToolCall):
"""Execute an MCP tool"""
if tool_call.tool == "get_weather":
return MCPResponse(
success=True,
result={
"location": tool_call.arguments["location"],
"temperature": 22,
"condition": "Sunny"
}
)
This pattern allows AI agents to discover and use tools dynamically, with proper authentication and rate limiting.
Production-Ready Features
1. Structured Logging
Every request gets a correlation ID for tracing:
@app.middleware("http")
async def log_requests(request: Request, call_next):
correlation_id = request.headers.get(
"X-Correlation-ID",
f"req-{int(time.time() * 1000)}"
)
logger.info(
"request_started",
method=request.method,
path=request.url.path,
correlation_id=correlation_id
)
response = await call_next(request)
response.headers["X-Correlation-ID"] = correlation_id
return response
2. Health Checks
Kubernetes-ready liveness and readiness probes:
@router.get("/health")
async def health_check():
return {
"status": "healthy",
"version": "1.0.0",
"qrng": qrng_service.get_provider_status(),
"features": {
"quantum_auth": True,
"mcp_streaming": True,
"rate_limiting": True
}
}
3. Docker Compose Stack
Full observability stack included:
services:
gateway:
build: .
ports:
- "8000:8000"
depends_on:
- redis
- prometheus
redis:
image: redis:7-alpine
prometheus:
image: prom/prometheus
grafana:
image: grafana/grafana
Lessons from API Days Paris 2025
Three key insights shaped this project:
1. "Don't Overfit Your Problem"
From Cyrille Martraire's talk on API migration with AI. I kept the architecture simple:
- No over-engineered microservices
- Straightforward FastAPI structure
- Clear separation of concerns
- Easy to understand and extend
2. "If You Have a Terrible API, You'll End Up with a Terrible MCP"
MCP doesn't fix bad API design. The gateway focuses on:
- Clear, RESTful endpoints
- Consistent error handling
- Proper HTTP status codes
- Comprehensive documentation
3. API Drift is Real
Contract testing catches breaking changes:
def test_auth_endpoint_contract():
"""Ensure auth endpoint maintains contract"""
response = client.post(
"/auth/login",
json={"username": "demo", "password": "demo123"}
)
assert response.status_code == 200
data = response.json()
# Contract assertions
assert "access_token" in data
assert "refresh_token" in data
assert "token_type" in data
assert data["token_type"] == "bearer"
Getting Started
# Clone the repository
git clone https://github.com/YOUR_USERNAME/mcp-secure-gateway.git
cd mcp-secure-gateway
# Setup environment
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Configure
cp .env.example .env
# Run with Docker
docker-compose up -d
# Or run locally
uvicorn app.main:app --reload
Visit http://localhost:8000/docs for interactive API documentation.
Testing
# Run all tests
pytest
# With coverage
pytest --cov=app --cov-report=html
# Contract tests only
pytest tests/contract/ -v
Current test coverage: 95%+
What's Next?
This is v1.0 - a foundation. I'm considering:
- Rate limiting with Redis - Token bucket algorithm
- Token revocation list - Redis-backed JWT blacklist
- API key management - Multi-tenant support
- More MCP tools - File operations, database queries
- Grafana dashboards - Pre-configured monitoring
Why Build This?
As a Solutions Architect, I've seen too many "production-ready" examples that are anything but. They skip error handling, ignore observability, and assume perfect network conditions.
MCP Secure Gateway is what I wish existed when I started learning these patterns: a complete, tested, documented reference implementation that you can actually deploy.
Resources
Let's Connect
Building something similar? Have questions about quantum security or MCP? Find me on:
GitHub
LinkedIn
Built with ❤️ in Paris | Inspired by API Days 2025
Tags: #api #security #quantum #python #fastapi #mcp #devops #architecture
Top comments (0)