Docs / MCP Gateway
Developers · Integration

MCP Gateway

AGENT CONTROL PLANE · POLICY AT THE TOOL BOUNDARY

The MCP Gateway is a checkpoint that sits between your agent and the tools it calls.

Your agent's tool calls — MCP servers, APIs, and functions — pass through the gateway. There, SANSAR evaluates policy and identity, renders a verdict, and stamps a signed record. Only then is the call allowed to run. No changes to your agent's reasoning code are required; you point its MCP client at the gateway instead of directly at your tools.

Where it sits

agent ──▶ SANSAR MCP Gateway ──▶ your tools / MCP servers
                │
                ├─ policy check      (allow · block · escalate)
                ├─ identity check    (which agent, which principal)
                └─ signed stamp      (Ed25519 · chained into evidence)

What it enforces

Deployment modes

AIR-GAP READY ZERO EGRESS CUSTOMER-HELD KEYS ED25519 · HSM-SIGNED

The gateway can run entirely inside your environment. Evidence stays verifiable without disclosing the underlying business data, and sovereign deployments hold their own signing keys.

Getting started

  1. Deploy the gateway alongside your agent runtime.
  2. Point your agent's MCP client at the gateway endpoint.
  3. Start in read-only mode to observe and stamp; switch to active enforcement when your policies are tuned.
Prefer to enforce in-process instead of through a gateway? See the SDK. Endpoint details and keys are provided during onboarding — email info@sansarai.ai or explore the live demo.