Every major platform has opened its doors to AI agents — each with its own rules, its own meter, and little inspection of what walks out. Homegrown MCP servers are worse: a service account’s credentials in an environment variable and no answer to “which fields, for whom, and who audits it?” MCP Gateway is the one governed doorway: your policies, your field rules, your audit trail — applied uniformly across every system you connect, and owned by you rather than by the platform being accessed.
MCP GATEWAY.
Agents at the door.
One governed way in.
Point Velgent at your platforms and get back a scoped MCP endpoint any agent host can call — Claude, Copilot, Cursor, or your own. Every tool call is policy-checked before it runs, redacted before it returns, and audited after it lands. One set of rules across every system.
MCP Gateway is in development, not a generally available product. This page describes what we’re building and the design it follows. The governance plane underneath it — policy evaluation, PII redaction, audit trail, usage metering, time-boxed access — is the same one already running in production behind Triage, Policy Engine and Data Extractor.
Not whether — on whose terms
What happens on every single call
A gateway is only as trustworthy as its hot path. Three stages, none optional, none bypassable — the same envelope every Velgent product runs on.
Who is asking, as whom
The agent host connects over standard MCP with OAuth. The gateway resolves the human behind the agent and maps them to their identity in the downstream system — no shared super-user, no credentials in the agent’s hands.
A policy verdict before execution
Your rules run in the call path: allow, deny, or pause and ask the agent’s user to confirm. Mandatory row filters and rate caps are appended server-side, so a chatty agent can’t degrade your instance.
Redact, wrap, audit, meter
Excluded fields are stripped at the source API — they never egress at all. Free text passes PII redaction and is wrapped as untrusted content against prompt injection. Every call lands in one audit trail with what was returned, filtered and masked.
What makes it a doorway, not a wrapper
Compiled from your schema, not a template
The gateway reads each platform’s data dictionary — tables, custom fields, choice lists — and generates typed tools that speak your instance’s vocabulary. Agents never compose raw queries, and tool quality tracks your real configuration, not a vendor’s demo instance.
What agents shouldn’t see never leaves
Field allowlists are enforced in the request to the source system, so excluded fields don’t egress at all — redaction you can prove, not scrubbing after the fact. Free text gets PII redaction; known-shape fields get deterministic masks.
A policy verdict on every call
Policy Engine rules gate every tool call — allow, deny, or escalate to the agent’s user for confirmation before anything sensitive runs. Time-boxed elevated access for the exceptions, back to least privilege when the clock runs out.
Audit that answers the auditor
Every call: who asked, as whom, through which agent, what was returned, what was filtered, what was masked, what the policy decided. Neutral, exportable, and outside the platform being audited — one trail across every connected system.
Where it stands today
The design is locked and the build is under way, starting read-only: query, lookup and aggregate tools with the full governed call path, then per-user downstream identity, then write actions behind confirmation and time-boxed access. ServiceNow is the first connector; Jira and Confluence follow — same doorway, same rules, growing list of rooms. If you want to shape the first release, talk to us about being a design partner.
Composes with the rest of the engine
Policy Engine
The rules that gate every tool call — authored in plain English, evaluated deterministically in the gateway’s hot path.
Triage
Lands behind the same doorway: agents will call Triage as an MCP tool — one-line pinpoints and intent signals from any MCP-capable runtime.
Data Extractor
Same story — structured, confidence-scored extraction exposed as a tool, so any agent can use it without an SDK integration.