The Best Open Source MCP Gateways in 2026
Explore the leading open source MCP gateways of 2026, from MCPX to Docker, Microsoft, IBM ContextForge, and MCPJungle. Discover which MCP gateway offers the best governance, security, and auditability for enterprise AI teams.
In this blog, I will compare the top open source MCP gateways on the market in 2026: MCPX (Lunar.dev), Docker MCP Gateway, Microsoft MCP Gateway, IBM ContextForge, and MCPJungle. I will explain why an MCP gateway matters, what criteria actually matter for enterprise teams, and how each option stacks up. Use this guide to choose the right open source MCP gateway for your organization.
A lot has changed since we published our 2025 MCP gateway comparison. The protocol has crossed 97 million monthly downloads. Every major AI vendor has adopted it. At RSA Conference 2026, Cisco announced dedicated MCP security tooling. When Cisco builds for a protocol at RSA, the "this is just a dev tool" phase is over. MCP gateways have moved from something teams evaluate to something teams need. This post is the 2026 update.
What to look for in an open source MCP gateway
An MCP gateway sits between your AI agents and the MCP servers they access. It centralizes authentication, enforces access control, logs every tool invocation, and provides a single point of policy enforcement. Without one, every agent manages its own connections and credentials: fragmented, unauditable, and insecure at scale.
Most tools in this space started as general-purpose API proxies or developer conveniences and added MCP support later. Every production MCP gateway should be evaluated against these criteria:
- Access control depth: Agents running over-privileged compared to the humans initiating tasks is one of the most common governance failures. Does the gateway enforce permissions at the server level, the tool level, the parameter level, or not at all?
- Audit trails: The accountability gap is unsolvable without immutable, full-chain logs. There is no reliable way to answer who used which agent, which tool, and what data was accessed without them. Does the gateway attribute each action to both the agent that executed it and the user it acted on behalf of? If an autonomous agent initiated the action, is there a clear owner or accountable identity on record? Are these logs built in, or do you assemble them yourself?
- Secrets management: Credentials inline in config files are how breaches start. Are they isolated from end users and config files, or not?
- Deployment complexity: How much effort does it take to go from evaluation to production, and to keep it running there? Consider infrastructure prerequisites, team size required, and ongoing maintenance.
- Ecosystem integration: Does it connect with your existing identity provider, observability stack, or LLM gateway?
Only one tool on this list was designed to answer all five of these questions out of the box. The rest require varying degrees of assembly.
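The access-control and audit-trail criteria above, sketched as an added example (not code from MCPX or any other gateway on this list): a decision function that checks server, tool, and parameter grants, and a log that records both the user and the agent for every decision. The policy layout, the agent, server and tool names, and the hash-chained log format are all assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical policy: agent -> server -> tool -> {parameter: allowed values}.
POLICY = {"support-bot": {"github": {
    "list_issues": {"repo": {"acme/helpdesk"}},  # parameter-level constraint
    "get_issue": {},                              # tool granted, parameters unrestricted
}}}

def authorize(agent, server, tool, params):
    """Return (allowed, reason), checking server, then tool, then parameters."""
    tools = POLICY.get(agent, {}).get(server)
    if tools is None:
        return False, "server not granted"
    if tool not in tools:
        return False, "tool not granted"
    for name, allowed in tools[tool].items():
        if params.get(name) not in allowed:  # a missing parameter fails closed
            return False, f"parameter {name!r} outside policy"
    return True, "ok"

class AuditLog:
    """Append-only log; each record commits to the previous record's hash."""
    def __init__(self):
        self.records = []

    def append(self, user, agent, server, tool, params, allowed, reason):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"user": user, "agent": agent, "server": server, "tool": tool,
                "params": params, "allowed": allowed, "reason": reason, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append({**body, "hash": digest})

    def verify(self):
        """Recompute the chain; False if a record was altered or the chain is broken."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != digest:
                return False
            prev = rec["hash"]
        return True

def call_tool(log, user, agent, server, tool, params):
    """Gateway entry point: decide, record the decision (allow or deny), return it."""
    allowed, reason = authorize(agent, server, tool, params)
    log.append(user, agent, server, tool, params, allowed, reason)
    return allowed
```

A hash chain makes edits to earlier records detectable; it does not detect truncation of the newest records, so the latest hash still has to be anchored somewhere the gateway operator cannot rewrite.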
The candidates
1. MCPX by Lunar.dev
Quick snapshot
Best for: AI builders and engineering teams who want production-ready MCP gateway tooling today, with a clear path to enterprise governance when they need it.
Latency: ~4ms p99 (per MCPX metrics docs)
License: Open source (MIT license)
Deployment: Low to medium complexity
What it is: MCPX is Lunar.dev's open source MCP gateway and AI control plane for enterprise teams. It provides a single governed entry point for all agent-to-tool interactions, enforcing access control, auditability, and policy across every MCP server in your organization.
Key capabilities:
Open source features:
- Easy onboarding: Up and running with Docker in minutes. See the MCPX quick start guide for step-by-step instructions
- Local and remote MCP server support: Connect servers over STDIO or HTTP, managed from a single config
- Wide agent support: Works with Cursor, Claude Desktop, Claude Code, VS Code, Copilot, n8n, and any MCP-compatible client
- Tool Groups: Curate subsets of tools per team, workflow, or agent so each identity sees only what it needs
- Tool customization: Rewrite tool descriptions or lock parameters to steer agent behavior without modifying the underlying server
- Agent access control: Basic API key authorization and per-agent tool restrictions
- Real-time metrics: Prometheus-compatible, with labels for tool name, error state, calling agent, and model
- Audit logs: Basic invocation logging included in the open source version
- OAuth support: Authentication to MCP servers out of the box
Enterprise tier adds:
- Tool-level RBAC at global, service, and individual tool levels, with access control lists defined per agent, team, or workflow
- Immutable audit trails across the full User > Agent > MCP > Tool chain
- Credential isolation: secrets managed by reference only, never exposed to end users or config files
- Policy gating: runtime access control based on identity, environment, or workload
- Automated risk scoring: every MCP server analyzed before users can connect
- Integration with Lunar's AI Gateway for end-to-end visibility across LLM calls, MCP tool invocations, and API traffic
Why MCPX leads: MCPX is the only tool on this list purpose-built for the organizational reality of AI adoption: multiple teams, shared infrastructure, and compliance obligations. The open source version ships with Tool Groups, tool customization, local and remote MCP server authentication, and broad agent support out of the box. A team can access the same MCP server as another team but see a completely different subset of tools, closing the over-privileged agent problem at the infrastructure layer. By connecting MCPX, teams get a single audit trail spanning the entire agent workflow: prompt in, LLM decision, tool call, API response. No other tool on this list provides this chain natively.
Lunar.dev is recognized by Gartner as a Representative Vendor in the MCP Gateways category and is SOC 2 certified at the Enterprise tier. Fortune 200 enterprises have deployed MCPX to govern AI adoption across engineering teams, and it is embraced by the developer community as the open-source foundation for production MCP infrastructure.
"MCPX gave us the identity-based governance we needed to approve MCP usage, without turning security into a blocker." - HiBob (read the full customer story)
MCPX is open source at github.com/TheLunarCompany/lunar. The Enterprise tier adds hosted deployment, automated risk scoring, and additional governance capabilities. See the full MCPX documentation for deployment requirements.
Best for: Platform and security teams at enterprises managing multiple agent deployments, where auditability and access control are non-negotiable, and engineering teams that want enterprise-grade governance without sacrificing developer experience or ease of adoption.
Not the right fit if: Your requirements include IDP integration or automated MCP vulnerability scanning, and your budget does not extend to the Enterprise tier. Both are paid features. The open source version covers access control, audit trails, and credential isolation, but teams that need identity provider connectivity or built-in risk scoring for MCP servers will need the Enterprise license to get there.
Ready to evaluate MCPX? Book a demo or explore the MCPX product page.
2. Docker MCP Gateway

Quick snapshot
Best for: Container-native teams comfortable building their own governance, audit, and identity stack on top
Latency: Higher than purpose-built gateways
License: Open source
Deployment: Low complexity
Key limitation: No built-in access control, audit trails, or secrets management
Docker's MCP Gateway runs each MCP server in its own container with defined resource limits and cryptographically signed images. Security comes from isolation rather than policy enforcement at the gateway layer.
- Container-per-server isolation with defined resource limits
- Cryptographically signed images for supply chain integrity
- Familiar Docker and Kubernetes workflows
Container isolation is a security model, not a governance model. It tells you nothing about who called what tool, with what permissions, or whether they should have. There are no audit trails, no tool-level access control, and no identity-aware policy enforcement. Teams that need those capabilities will build them from scratch.
Best for: Teams with strong container expertise who want security through isolation and are comfortable assembling their own governance stack.
Not the right fit if: You need centralized access control, audit trails, or enterprise governance out of the box.
3. Microsoft MCP Gateway
Quick snapshot
Best for: Teams fully committed to Azure with no multi-cloud plans
Latency: Azure APIM dependent
License: Open source
Deployment: Low to medium complexity
Key limitation: Governance depth is limited to what Azure APIM provides; no tool-level RBAC or agent-identity attribution built in
Microsoft's open source reverse proxy for MCP servers provides session-aware routing and lifecycle management for Kubernetes, with an optional path to Azure API Management.
- Session-aware stateful routing via Kubernetes StatefulSets
- Native Azure Entra ID authentication
- Azure Monitor and App Insights telemetry integration
- Azure API Management integration for policy enforcement
- Compliance inheritance from Azure certifications (SOC 2, HIPAA BAA, ISO 27001)
The governance model is only as deep as APIM's policy engine, which is entirely rule-based. What Microsoft calls "intelligent routing" refers to operational load balancing and circuit breaking, not intent-aware access control. Compliance inheritance is useful, but only if your entire stack lives in Azure. Tool-level RBAC and agent-identity attribution require building on top of APIM.
Best for: Azure-exclusive platform teams that want MCP governance integrated with their existing Entra ID, Azure Monitor, and APIM investments.
Not the right fit if: Your infrastructure is multi-cloud or on-premises, or you need tool-level access control or agent-identity attribution.
4. IBM ContextForge
Quick snapshot
Best for: Large enterprises with dedicated platform teams and months to deploy
Latency: Cluster dependent
License: MIT
Deployment: High complexity
Key limitation: Enterprise governance features are less documented than the federation capabilities; access control model is partial
ContextForge is IBM's open source AI gateway framework that federates tools, agents, models, and APIs into a single MCP-compliant endpoint across multi-cluster Kubernetes environments.
- Multi-protocol support: MCP, A2A, REST-to-MCP, and gRPC-to-MCP
- Multi-cluster federation with automatic tool registry discovery
- OpenTelemetry tracing with support for Phoenix, Jaeger, Zipkin, and OTLP backends
- 40+ plugins for additional transports and integrations
The architecture delegates intent classification and prompt filtering to a separate AI layer upstream. The Cedar RBAC plugin added in 1.0 RC2 is rule-based. Configuration complexity is high, and governance features including vault-backed key storage are less documented than the federation capabilities. You get broad protocol reach in exchange for governance depth.
Best for: Global enterprises with multi-region infrastructure and a large platform team that can absorb the Kubernetes complexity.
Not the right fit if: You need something running in weeks, your team lacks deep Kubernetes expertise, or governance is a primary requirement.
5. MCPJungle
Quick snapshot
Best for: Prototyping and early-stage deployments you expect to outgrow
Latency: Low
License: Open source
Deployment: Single binary or Docker Compose
Key limitation: No credential isolation, no compliance-ready audit trails, and RBAC is basic even in enterprise mode
MCPJungle is a lightweight open source MCP gateway and registry in one deployable package.
- Single binary or Docker Compose deployment
- Built-in registry for MCP server and tool discovery
- STDIO and Streamable HTTP transport support
- RBAC and access control in enterprise mode
- OpenTelemetry metrics integration
Credential isolation, compliance-ready audit trails, and tool-level customization are not the focus. The RBAC in enterprise mode is basic compared to what regulated teams require.
Best for: Teams that want lightweight deployment with baseline features and minimal infrastructure dependencies.
Not the right fit if: You need deep enterprise governance, a compliance story for a regulated industry, or a platform you will not have to replace in 12 months.
Side-by-side comparison
Conclusion
The open-source MCP gateway market has matured fast, but the governance gap between tools has widened. Most options handle routing. Some handle authentication. Very few handle the full accountability chain: who initiated the task, which agent acted on it, which tool was called, and what data was accessed.
MCPX is the only tool on this list built to close that gap from the ground up, with granular access control, identity-aligned attribution, credential isolation, and end-to-end visibility across the entire agentic stack through Lunar's AI Gateway.
The teams that invest in the right governance layer now will have the infrastructure in place when their agent deployments scale. The teams that do not will be rebuilding under pressure.
If you are evaluating MCPX for enterprise deployment, book a demo or explore the MCPX product page.
FAQ
What is an open source MCP gateway, and why do I need one? It sits between your AI agents and the MCP servers they access, centralizing authentication, access control, and audit logging. Without one, every agent manages its own connections and credentials, which is unmanageable and insecure at scale.
What is the difference between an MCP gateway and an AI gateway? An MCP gateway governs tool access: which agents can call which tools, with what permissions. An AI gateway governs LLM traffic: routing, cost control, rate limiting. MCPX connects with Lunar's AI Gateway so teams can manage both from one place.
Which open source MCP gateway is best for enterprise security teams? MCPX. It is the only tool on this list built as an AI control plane rather than a proxy with MCP support added. Tool-level access control, identity-aligned attribution, immutable audit trails, and credential isolation ship out of the box. Lunar.dev is recognized by Gartner as a Representative Vendor in the MCP Gateways category.
Can I use an MCP gateway with any AI agent or model? Yes. MCPX works with Cursor, Claude Desktop, Claude Code, VS Code, Copilot, n8n, and custom agents built on agentic platforms like CrewAI or LangChain, or any other MCP-compatible client.
How do I deploy MCPX? Locally with Docker. Nothing leaves your infrastructure.
Is MCPX really open source? What does Enterprise add? Yes. The core is open source at github.com/TheLunarCompany/lunar. The Enterprise tier adds identity provider integration (Okta, Azure AD), automated MCP server risk scoring, hosted deployment, and expanded governance controls.
Is Cisco DefenseClaw an MCP gateway? No. DefenseClaw is a security scanning framework. It scans MCP servers for vulnerabilities and monitors agents at runtime. Think of it as a layer that sits on top of a gateway, not a replacement for one.
How does an MCP gateway handle secrets and credentials? It should hold them, not expose them. In MCPX, credentials are stored securely and forwarded to MCP servers at runtime, never exposed to end users or config files.
Learn more
- MCP Official Specification: The protocol standard maintained by the Agentic AI Foundation under the Linux Foundation.
- Cisco DefenseClaw: The open source security scanning framework for MCP servers and AI agents. The MCP Scanner sub-project
- The State of MCP (Zuplo): Independent report on MCP adoption, security, and production readiness.
- Best MCP Gateways of 2025: Our previous comparison and how the market has evolved.
- MCP Risk Analysis: Attack Vectors, OWASP Guidance and Lunar's AI-Driven Risk Assessment: The MCP threat landscape and how Lunar's risk scoring addresses it.
- LiteLLM Was Compromised. Here Is What You Need to Know.: What the LiteLLM supply chain attack revealed about credential exposure in AI gateway architectures.
- Your MCP Server Is Ready. Your Organization Isn't.: Why the deployment bottleneck in enterprise MCP adoption is organizational, not technical.

