The explosive growth of agentic AI has created a new security frontier. As large language models (LLMs) gain the ability to call external tools—through the Model Context Protocol (MCP)—organizations face an urgent question: How do you control what tools an agent can access, what parameters it can pass, and how do you audit its actions?
MCP, now the de facto standard adopted by Anthropic, OpenAI, Microsoft, and Google, enables agents to call remote tools via JSON-RPC over HTTP(S). But this connectivity comes with risk. Recent research uncovered 1,862 internet-exposed MCP servers with zero authentication—a stark reminder that traditional API security practices are insufficient for agentic workflows.
This is where agentic gateways come in. These intermediaries sit between your AI agents and external tool ecosystems, enforcing authentication, authorization, and audit controls. But not all gateways are created equal. Some treat MCP as a generic API protocol; others understand it as a fundamentally new communication pattern requiring session-aware, tool-level policy enforcement.
In this article, we evaluate the top five agentic gateways for securing MCP tool calls, with honest assessment of their strengths and limitations. Whether you're building a single-agent prototype or deploying multi-tenant agentic services, this guide will help you choose the right gateway for your threat model.
Before diving into specific solutions, let's establish why a dedicated gateway layer is important for MCP security.
Traditional API gateways (like Kong, AWS API Gateway, Envoy) were designed for human-initiated requests and service-to-service communication. They excel at rate limiting, authentication, and basic request/response filtering. But agentic systems introduce new threat vectors:
Prompt injection via tools: An attacker manipulates tool output to inject instructions into the agent's reasoning loop.
Credential leakage: Agents holding long-lived credentials risk exposing them if the agent process is compromised.
Unauthorized tool access: Without tool-level authorization, an agent may call methods it shouldn't (e.g., a customer service agent accessing admin-only tools).
Multi-step workflow context: Agentic systems often involve sequential tool calls; policies must account for session state, not just individual requests.
Audit blind spots: Traditional logging captures API calls but misses the semantic context—which agent, which task, which tool parameters, which authorization decision.
An agentic gateway addresses these gaps by understanding MCP's structure (servers, tools, methods, parameters) and enforcing policies at the right granularity.
When evaluating agentic gateways, consider these critical capabilities:
Tool-level authorization: Can policies restrict access to specific tools or methods within an MCP server, not just the server itself?
Identity and credential handling: Does the gateway abstract away long-lived credentials, injecting short-lived assertions instead?
Upstream OAuth integration: Does the gateway handle OAuth 2.1 flows so MCP servers don't need to?
Session-aware policy enforcement: Are policies aware of multi-step agent workflows and conversation context?
Comprehensive audit logging: Are all tool calls, parameters, and authorization decisions logged with full context?
Prompt injection resilience: Are tool responses validated and sanitized before returning to agents?
Enterprise features: Multi-tenancy, RBAC, API management, policy versioning, and auditability.
What it is: Pomerium is an open-source, identity-aware agentic gateway purpose-built for securing MCP tool calls. It sits in the network path between agents and MCP servers, proxying all traffic and enforcing granular policies.
Key MCP Security Features:
Tool-level authorization: Pomerium's standout feature. Policies can restrict access to individual tools and methods within an MCP server. For example, you can allow a customer service agent to call customer.fetch but deny customer.delete. This is semantic to MCP's structure—not a generic API proxy feature.
Upstream OAuth 2.1 handling: Pomerium manages OAuth flows upstream. MCP servers receive short-lived, server-signed tokens from Pomerium rather than holding credentials themselves. Agents never handle long-lived secrets.
Session-aware enforcement: Policies are evaluated in the context of the agent's session. Pomerium tracks multi-step workflows, allowing rules like "after a user approves a transaction, the next agent call may invoke payment.process."
Comprehensive audit logging: Every MCP method call is logged with agent identity, tool name, method, parameters, response status, and the authorization decision. The logs include semantic context about what was actually called and why it was allowed or denied.
X-Pomerium-Assertion injection: Instead of agents holding credentials, Pomerium injects short-lived cryptographically signed identity assertions into request headers. MCP servers validate the assertion's signature and expiration. This eliminates credential exposure if the agent process is compromised.
Prompt injection filtering: Pomerium can validate tool responses before returning them to agents, checking for embedded instructions or suspicious JSON structures.
Zero trust architecture: All access is default-deny. Policies must explicitly grant access to each tool.
Strengths:
Purpose-built for agentic security; tool-level granularity is unmatched.
Open source and self-hosted; no vendor lock-in.
Session awareness and multi-step workflow support.
Comprehensive audit trail with semantic context.
Strong credential abstraction via assertions.
Active development and community; used by enterprises managing sensitive agent workloads.
Limitations:
Smaller community and ecosystem compared to Kong or Cloudflare.
Requires operational ownership; not a managed/SaaS offering.
Learning curve for policy language and deployment model.
No built-in cost tracking or per-call billing integration (though logging enables it downstream).
Best For:
Organizations running multi-tenant agentic platforms.
Regulated industries (finance, healthcare, legal) requiring fine-grained audit trails.
Threat models where agent compromise is a realistic concern.
Teams deploying MCP servers internally and needing strict control over who can access what.
Self-hosted deployments where data sovereignty is critical.
What it is: Kong is a veteran API gateway. Kong AI Gateway and Kong Konnect are extensions that add MCP-aware plugins and a registry service launched in early 2026 to support agentic workloads.
Key MCP Security Features:
MCP OAuth 2.1 plugin: Kong added native support for OAuth 2.1 authentication on MCP traffic. Servers can delegate authentication to Kong while maintaining the MCP JSON-RPC contract.
MCP Registry (Feb 2026): Kong Konnect now includes an MCP Registry service, allowing organizations to catalog, version, and manage their MCP servers in a centralized UI.
Rate limiting and quota enforcement: Kong's mature rate limiting can be applied to MCP servers and specific tools, preventing resource exhaustion.
Multi-plugin architecture: Kong's extensible plugin system means tool-level authorization can be implemented via custom plugins (though it's not as polished as Pomerium's native approach).
API analytics and monitoring: Kong provides observability for MCP traffic, including call counts, latency, and error rates by tool.
Multi-tenancy: Kong Konnect supports multi-tenant deployments with role-based access control.
Strengths:
Massive ecosystem; if you already use Kong, MCP support extends naturally.
Mature operational tooling, proven at scale across thousands of enterprises.
MCP Registry centralizes server discovery and versioning.
Rich API lifecycle management (API versioning, deprecation, documentation).
Cloud SaaS option (Kong Konnect) with low operational overhead.
Strong commercial support and SLAs.
Limitations:
MCP support is relatively new and not yet as battle-tested as core API features.
Tool-level authorization is possible but requires custom plugin development; not a native, turn-key feature like Pomerium.
Designed as an API gateway first; agentic session context (multi-step workflows) requires custom logic.
Audit logging is available but not optimized for agentic semantics—logs MCP traffic as generic API calls.
Pricing model (based on API traffic) may not align well with high-frequency agentic tool calls.
Best For:
Enterprises already invested in Kong API Gateway.
Teams prioritizing operational maturity and vendor support.
Public API platforms that need to expose MCP as a managed service.
Deployments requiring extensive API lifecycle tooling (versioning, deprecation, etc.).
What it is: Cloudflare AI Gateway leverages Cloudflare's global edge network to provide caching, rate limiting, and analytics for AI traffic, including MCP requests. It's a SaaS offering with global edge deployment and zero operational overhead.
Key MCP Security Features:
MCP traffic inspection: Cloudflare AI Gateway can inspect and rate-limit MCP requests at the edge, before they reach your servers.
Caching and cost control: Responses can be cached, reducing redundant tool calls and associated costs.
DDoS protection: Cloudflare's edge network blocks volumetric attacks before they hit your MCP servers.
Geographic and performance-based routing: Route agent requests to the nearest MCP server or failover to a backup.
Analytics dashboard: Track MCP call volume, latency, and errors by tool and agent.
Compliance logging: Basic request/response logging with IP, timestamp, and status.
Strengths:
Global edge network; MCP requests are processed near end users, reducing latency.
Limited operational overhead; SaaS delivery with global scale.
Strong DDoS and bot protection.
Easy setup; works with existing Cloudflare deployments.
Cost visibility and caching can reduce overall spend.
Limitations:
No tool-level authorization. Cloudflare AI Gateway doesn't understand MCP's structure deeply. It can't restrict access to specific tools or methods; it can only rate-limit or block entire servers.
Limited OAuth integration. No upstream OAuth handling; MCP servers must implement their own OAuth flows.
Not agent-aware. No session context, workflow awareness, or multi-step policy enforcement. Each request is evaluated in isolation.
Audit trail gaps. Logging captures requests but lacks semantic context (which agent called which tool with what intent).
No credential abstraction. Agents must still hold credentials or API keys; Cloudflare doesn't inject assertions.
Early MCP support. Full MCP support is not yet shipped; current offering is limited to LLM caching and basic rate limiting.
SaaS architecture. Traffic transits Cloudflare's infrastructure, so you must trust a third party with it and give up a degree of data sovereignty.
Best For:
Organizations with existing Cloudflare deployments.
Public AI services exposed globally that need edge performance and DDoS protection.
Teams prioritizing operational simplicity and global scale over fine-grained authorization.
Workloads where tool-level granularity is not a requirement (e.g., all users can access all tools).
Cost-conscious teams leveraging caching to reduce LLM and tool call expenses.
What it is: agentgateway (agentgateway.dev) is an open-source, protocol-native gateway supporting both MCP and the A2A (Agent-to-Agent) protocol. It's designed for organizations building multi-agent systems with complex routing and authorization needs.
Key MCP Security Features:
MCP-native routing: agentgateway understands MCP's server/tool/method structure and can route based on these semantics.
A2A protocol support: In addition to agent-to-tool (MCP), agentgateway can route agent-to-agent calls, useful for systems where agents delegate work to other agents.
Open source: Full transparency; deploy on-premises with no vendor dependencies.
Tool discovery and registry: Agents can query available tools and methods, enabling dynamic tool selection.
Basic access control: Allows simple rules like "Agent X can access Tools A and B."
Strengths:
Protocol-native design; understands both MCP and A2A, not a retrofit.
Open source with active community development.
Lightweight footprint; suitable for resource-constrained environments.
Supports novel architectures like agent-to-agent delegation.
Transparent code; useful for compliance and security audits.
Limitations:
Early stage. Lacks enterprise features like RBAC, multi-tenancy, and audit logging.
No OAuth integration. Access control is basic; no upstream OAuth handling.
Limited policy enforcement. No session awareness or multi-step workflow context.
No audit trail. Logging is minimal; difficult to prove who called what and why.
No credential abstraction. Agents must hold credentials or keys.
Small community. Limited operational support and few production case studies.
No SaaS option. Self-hosted only; requires operational expertise.
Best For:
Early-stage startups prototyping multi-agent systems.
Organizations building agent-to-agent routing as a core feature.
Transparent, open-source-first deployments.
Teams with strong DevOps practices and tolerance for upstream changes.
Proof-of-concept and R&D projects.
What it is: Aembit is an identity platform focused on non-human identities—workloads, services, and in the agentic context, AI agents. It provides workload identity, attestation, and access control without requiring passwords or long-lived API keys.
Key MCP Security Features:
Workload identity and attestation: Aembit issues cryptographic identity credentials to agents based on runtime attestation (CPU, memory, network signatures). MCP servers can verify that calls are coming from authentic, uncompromised agents.
Short-lived credentials: Aembit-issued credentials expire in minutes, reducing the blast radius of credential leakage.
Workload-to-workload authorization: Fine-grained RBAC for which agents can access which tools, without requiring agents to hold long-lived secrets.
No centralized credential storage: Aembit uses attestation to prove identity dynamically; agents don't need to fetch or store credentials.
Strengths:
Strong identity layer; workload attestation is more robust than traditional auth.
Eliminates long-lived credentials in agent environments.
Scales well; doesn't require agents to store or rotate secrets.
Good fit for containerized and Kubernetes-native deployments.
Modern architecture aligned with zero-trust principles.
Limitations:
Not a true gateway. Aembit is an identity provider, not a network-path gateway. It doesn't proxy MCP traffic, so it can't enforce policy in-flight or audit all tool calls.
No tool-level authorization. While workload-level RBAC is strong, granular tool-level authorization is not a native feature.
No session awareness. Multi-step workflows and context-dependent policies are not supported.
Limited audit trail. Aembit logs identity events (who authenticated), not tool call semantics (who called what method with what parameters).
Agent-to-tool only. The workload identity model doesn't extend to MCP's full feature set (streaming responses, server-side resource management, etc.).
Requires platform integration. Agents and MCP servers must implement Aembit SDKs; not a transparent proxy.
Best For:
Organizations with strong zero-trust identity requirements.
Workload-native deployments (Kubernetes, containerized services).
Threat models where agent credential compromise is the primary concern.
Teams with existing attestation and workload identity infrastructure.
Regulated industries requiring strong non-human identity controls.
| Dimension | Pomerium | Kong AI Gateway | Cloudflare AI Gateway | agentgateway | Aembit |
|---|---|---|---|---|---|
| Tool-Level Authorization | Yes (native) | Yes (custom plugins) | No | Yes (basic) | No |
| OAuth 2.1 Upstream Handling | Yes | Yes | Partial | No | No |
| Session-Aware Policy | Yes | No | No | No | No |
| Comprehensive Audit Logging | Yes (semantic) | Yes | Yes (basic) | Minimal | Identity-focused |
| Credential Abstraction | Yes (assertions) | No | No | No | Yes (attestation) |
| Prompt Injection Filtering | Yes | No | No | No | No |
| Multi-Tenancy | Yes | Yes | Yes | No | Yes |
| Open Source | Yes | Partial (core) | No | Yes | No |
| SaaS Option | Emerging | Yes (Konnect) | Yes | No | Yes |
| Operational Maturity | High | Very High | Very High | Early | High |
| Community Size | Growing | Massive | Massive | Small | Growing |
| Best for MCP Security | Yes | Partial | No | R&D | Identity layer |
| Learning Curve | Moderate | Low (if Kong user) | Low | Moderate | Moderate |
Selecting an agentic gateway depends on your threat model, operational constraints, and current architecture. Here's a decision framework:
If your primary concern is:
Unauthorized tool access: Choose Pomerium. Tool-level authorization is its core strength.
Agent compromise and credential leakage: Consider Aembit for strong workload identity, or Pomerium for credential abstraction via assertions.
Operational simplicity and global scale: Cloudflare AI Gateway offers edge deployment with minimal overhead.
Existing Kong investment: Kong AI Gateway extends your current platform naturally.
Early-stage, protocol-native architecture: agentgateway provides flexibility for novel multi-agent designs.
Already on Kong? Kong AI Gateway is the natural fit.
Already on Cloudflare? AI Gateway integrates seamlessly.
Greenfield agentic deployment? Pomerium or agentgateway offer the most purpose-built design.
Kubernetes-native with strong identity requirements? Aembit's workload identity shines.
Regulated industries (finance, healthcare, legal)? Pomerium's semantic audit logging is critical. Every tool call, parameter, and decision is logged with context.
Public-facing agentic APIs? Kong's MCP Registry and Cloudflare's DDoS protection are valuable.
Internal tools only? agentgateway's open-source transparency may be sufficient.
Multi-tenant platform? Pomerium and Kong both excel; choose based on existing tooling.
Global distribution? Cloudflare's edge network is hard to beat.
High-frequency tool calls? Cloudflare's caching and Kong's rate limiting manage load well.
Short timeline? Cloudflare (plug-and-play) or Kong (if already deployed).
Can invest in policy-as-code? Pomerium's powerful policy language is worth the upfront effort.
Need custom authorization logic? Kong's plugin architecture or Pomerium's scripting layer.
Tool-level authorization is the differentiator. Most gateways handle server-level auth; only Pomerium (natively) and Kong (via custom plugins) support fine-grained tool-level control.
Session awareness matters for agentic workloads. Multi-step agent workflows require policy that understands context, not just individual requests. Pomerium is the only mature solution offering this out-of-the-box.
Audit logging is not optional. When agents call tools, you need to know exactly what was called, by whom, with what parameters, and why it was allowed or denied. Pomerium's semantic logging sets the bar.
Credential abstraction is critical. Agents should never hold long-lived credentials. Pomerium's assertion injection and Aembit's attestation-based identity both solve this, but in different ways.
Start with your threat model. There's no one-size-fits-all solution. A startup building a prototype and a Fortune 500 bank securing customer-facing agents have different priorities.
Open source vs. managed is a tradeoff. Pomerium and agentgateway offer transparency and control; Kong Konnect and Cloudflare offer operational simplicity.
Define your threat model. List the top 3-5 security concerns for your agentic system. Does unauthorized tool access rank high? Agent compromise? Audit compliance?
Audit your current tool ecosystem. How many MCP servers do you have? How many agents will access them? Is multi-tenancy in your roadmap?
Run a proof-of-concept. Most of these gateways have trials or open-source deployments. Test with a non-critical agent and a few tools to understand the operational impact.
Engage your security and compliance teams early. Agentic security is new territory; their input on audit requirements, data residency, and regulatory fit will shape your choice.
Plan for evolution. Your first choice doesn't lock you in permanently. But switching gateways is disruptive, so choose thoughtfully.
Agentic gateways are rapidly becoming a critical layer in AI security infrastructure. As agents gain access to your tools, data, and services, controlling what they can do is not a luxury—it's a necessity.
Pomerium stands out for organizations that need fine-grained, session-aware control of MCP tool access backed by comprehensive audit logging. Kong AI Gateway appeals to enterprises seeking to extend existing API infrastructure. Cloudflare AI Gateway excels for global, public-facing agentic services. agentgateway serves early-stage, protocol-native deployments. Aembit rounds out the picture with strong workload identity.
Choose based on your threat model, your team's operational capacity, and your current technology stack. But whichever you choose, do not ignore the agentic gateway layer. The 1,862 internet-exposed MCP servers with zero authentication did not get that way intentionally; they reflect a gap in available tooling and awareness. That gap is closing. Make sure your organization is on the secure side.
Have questions about agentic gateway selection? Reach out to the Pomerium team at hello@pomerium.com or visit pomerium.com to learn more.