Mcp Vs. Api Gateways: They’re Not Interchangeable

The organizations I activity pinch are quickly adopting nan Model Context Protocol (MCP) to link their services and information to AI models done AI agents, but they’re moving into acquainted challenges: securing entree to MCP servers and devices while providing routing, complaint limiting, observability and developer portals.

The early days of API take taught america achy lessons astir information breaches, capacity disasters and operational chaos erstwhile services were exposed without due gateway controls.

If you’re building and exposing MCP servers successful your enterprise, you’re astir apt asking nan mobility I perceive each nan time: “Can we conscionable usage our existing API gateway for MCP?”

The short reply is “maybe,” but nan existent mobility is should you? API gateways were not built for nan MCP usage cases. In fact, yet astir API gateway vendors will build dedicated MCP gateways.

Let’s research nan basal paradigm quality betwixt APIs and MCP and why nan existing infrastructure (API gateway) must evolve.

APIs Are Stateless, MCP Is Stateful

Before we excavation into what nan infrastructure should do, we request to understand nan evident differences betwixt these 2 approaches. APIs are “stateless” services that run connected each petition individually successful isolation. REST APIs heavy usage nan underlying carrier (HTTP) for nan semantics of nan protocol. What this means, practically, is that each nan accusation needed to route, authorize and enforce argumentation successful an API gateway lives successful nan HTTP headers and URL structure.

Your API gateway tin make intelligent decisions by examining:

• Method (GET, POST, PUT, DELETE)
• Path (/users/123/orders)
• Headers (Authorization: Bearer xyz, Content-Type)
• Query parameters (?limit=10&offset=50)

The API gateway seldom operates connected nan petition body. If it does, it’s to do immoderate insignificant transformations aliases propulsion pieces retired into headers aliases metadata that tin beryllium utilized for routing. The assemblage typically follows a predictable schema (such arsenic Open API Spec) that tin beryllium validated and transformed utilizing straightforward mapping rules erstwhile needed. Most importantly, each petition stands alone. There’s nary convention authorities to support betwixt calls.

Remote MCP servers flip this exemplary wholly connected its head. First, an MCP customer will connect to an MCP server pinch an “initialize” connection and discuss various protocol settings. Second, nan server assigns a convention ID (like Mcp-Session-Id) that tin beryllium utilized to coordinate each consequent interactions for that client. This convention maintains captious context/state, including:

• Protocol capabilities negotiated betwixt customer and server (which optional features are available).
• Tool result/context from erstwhile instrumentality calls and responses.
• Asynchronous instrumentality telephone state; streaming updates/notifications.
• State astir requested accusation from nan server to nan client.

Unlike REST APIs, wherever each petition carries complete discourse successful headers, MCP requests incorporate minimal routing accusation successful nan HTTP layer. The full protocol is successful nan assemblage of nan HTTP request. A emblematic MCP petition looks for illustration this:

Everything meaningful lives successful nan JSON-RPC body: nan method type, nan circumstantial instrumentality being called and nan parameters. The HTTP furniture is conscionable a “dumb” transport.

Even much challenging, MCP servers tin initiate connection backmost to clients done Server-Sent Events (SSE), sending advancement updates, streaming results aliases moreover caller requests (elicitations, sampling, etc.). This bidirectional, session-aware connection shape is fundamentally different from nan request-response exemplary that API gateways were designed around.

Can You Use Your API Gateway arsenic an MCP Gateway?

As we tin see, location are basal differences betwixt nan 2 models. But location are similarities, right? They’re some complete HTTP. We tin use JWT/token/OAuth-style security. And it’s not a agelong that API gateways tin run connected a petition body. So, tin you usage your API gateway to govern your MCP services?

Here’s a nonexhaustive database of what you MAY request your API gateway to do:

• Parse petition assemblage and responses (JSON-RPC), instrumentality protocol semantics.
• Inject argumentation decisions (allow/deny) connected pieces of nan assemblage (tool lists, instrumentality calls, assets requests, etc.).
• A azygous HTTP POST from an MCP customer tin consequence successful aggregate responses, streamed backmost (SSE).
• Need a measurement to inject argumentation enforcement successful nan stream.
• Once nan watercourse is established, proxy requests from MCP server to MCP client.
• Broker differences betwixt MCP clients and MCP servers.
• Present a azygous logical MCP server to an MCP customer (virtual MCP server), which whitethorn beryllium aggregate MCP servers successful nan backend.

An API gateway tin do immoderate of this, truthful let’s look astatine nan communal MCP gateway patterns from elemental to much complex:

• Simple passthrough proxy
• Partial protocol understanding
• MCP brokering
• MCP multiplexing

Simple Passthrough Proxy

At nan astir basal level, your API gateway tin enactment arsenic a passthrough proxy for MCP traffic. In this scenario, nan gateway treats MCP requests for illustration immoderate different HTTP POST pinch a JSON payload. It doesn’t understand nan JSON-RPC building aliases MCP semantics, but it tin still supply immoderate value:

What Works Well:

• HTTP-level authentication (API keys, OAuth tokens)
• Basic complaint limiting per customer aliases IP
• Transport Layer Security (TLS) termination and certificate management
• Request/response logging and metrics

For example, you whitethorn want to cheque that a JWT is included successful nan HTTP Authorization header and validate nan JWT against a trusted IdP. This is basal HTTP handling, and immoderate API gateway tin do this. What happens if nan consequence is an SSE stream? Luckily, astir modern API gateways tin besides return a watercourse of events. If we want to instrumentality immoderate argumentation connected nan consequence (for example, what devices a customer tin see), past we request to understand nan SSE events. A elemental passthrough proxy attack wouldn’t let america to do that.

Gateway Limitations With SSE:

• No streaming argumentation enforcement: The gateway can’t inspect aliases select individual SSE events.
• Limited observability: Can’t way progress, observe errors aliases measurement per-event latency.
• No midstream authorization: Can’t revoke entree aliases use policies arsenic nan watercourse progresses.
• Session discourse lost: Multiple SSE events are portion of 1 logical MCP operation, but nan gateway sees them arsenic independent chunks.

Think of it for illustration putting a generic reverse proxy successful beforehand of a database. You get relationship pooling and basal monitoring, but nary query-level insights aliases policies. The infinitesimal you request to understand what’s flowing done nan proxy, you’ve outgrown this approach.

Partial Protocol Support

Here’s wherever things get absorbing (and complex). With capable civilization development, you tin thatch your API gateway to parse MCP JSON-RPC payloads and extract meaningful accusation for argumentation decisions. Most API gateways support civilization assemblage parsing done JavaScript/Lua/template policies aliases akin scripting mechanisms. For example, in Apigee, you tin telephone retired to a JavaScript hold argumentation to instrumentality civilization parsing and policy.

What Becomes Possible:

• Better knowing of JSON-RPC requests.
• Apply tool-level authorization (“marketing users can’t telephone database_query”).
• Basic petition translator and validation.

The achy reality: This attack quickly becomes brittle and costly to maintain:

• Dynamic parsing complexity: MCP instrumentality lists person arbitrary instrumentality lengths. Your JSONPath expressions go progressively analyzable and fragile.
• Performance overhead: JavaScript policies are slower than autochthonal gateway policies.
• Maintenance burden: Every caller MCP instrumentality whitethorn require updating gateway policies. Your infrastructure squad becomes coupled to your MCP server development.
• Limited streaming support: While immoderate gateways support SSEs, applying argumentation midstream becomes exponentially much complex.

What happens successful believe is you extremity up building a gateway connected apical of an existing gateway and conflict to effort and instrumentality caller features aliases compression retired capacity improvements.

MCP Brokering

MCP brokering involves nan gateway actively participating successful nan MCP protocol conversation, not conscionable proxying requests, but perchance modifying, filtering aliases enhancing them based connected argumentation decisions. For example, an MCP customer tin link to nan MCP gateway pinch 1 type of nan MCP protocol, and nan MCP gateway tin mediate/broker to a different version. A capacity for illustration this is captious successful endeavor environments wherever it whitethorn beryllium intolerable to make updates to each MCP clients each astatine erstwhile once an MCP server updates to a caller type of nan protocol.

Additional brokering usage cases build connected nan erstwhile pattern:

• Version shielding: Shielding an MCP customer from breaking changes erstwhile performing an MCP server upgrade.
• Request filtering: Remove devices from find responses based connected backward compatibility requirements.
• Response sanitization: Strip delicate information from instrumentality responses based connected personification clearance levels.
• Context injection: Add endeavor discourse (user ID, tenant info) to instrumentality calls.
• Error handling: Convert MCP protocol errors into enterprise-compliant audit events.

Traditional API gateways struggle pinch this because they deficiency autochthonal JSON-RPC knowing and session-aware argumentation engines.

MCP Multiplexing

This is wherever accepted API gateways deed a wall. MCP multiplexing involves aggregating aggregate backend MCP servers into a azygous logical endpoint, which we telephone “virtual MCP.”

For example, a customer connects to 1 MCP endpoint but really gets entree to devices from aggregate backend servers:

• Weather devices from weather-service.internal
• Database devices from analytics-service.internal
• Email devices from notification-service.internal

Instead of AI agents needing to cognize astir and link to dozens of different MCP servers, they link to 1 virtualized endpoint that provides a unified interface to each endeavor tools.

The complexity explosion: Implementing this requires capabilities that accepted API gateways simply don’t have:

1. Session fan-out: When a customer sends “tools/list,” nan gateway must query each backend servers and merge results.
2. Request routing: Tool calls must beryllium routed to nan correct backend based connected nan instrumentality name.
3. Response multiplexing: Streaming responses from aggregate backends must beryllium merged into a azygous SSE stream.
4. State coordination: Session IDs and protocol negotiations must beryllium managed crossed aggregate backend connections.
5. Error handling: Failures successful 1 backend shouldn’t break nan full virtual session.

This level of protocol-aware aggregation and virtualization is beyond what accepted API gateways were designed to handle. You’d fundamentally request to rewrite nan gateway’s halfway request/response handling logic to support MCP convention semantics.

Agentgateway: Built for MCP From nan Ground Up

Agentgateway, an unfastened root Linux Foundation project, was purpose-built successful Rust for AI supplier protocols for illustration MCP, drafting connected lessons learned from building API gateways. Unlike accepted API gateways optimized for stateless REST interactions, agentgateway natively understands JSON-RPC connection structures, maintains stateful convention mappings and handles nan bidirectional connection patterns inherent to MCP.

This heavy protocol consciousness allows it to decently multiplex and demultiplex MCP sessions, instrumentality retired customer requests crossed aggregate backend MCP servers, aggregate instrumentality lists and support nan captious two-way convention mapping needed erstwhile servers initiate messages backmost to clients. Rather than fighting against an architecture designed for request-response APIs, agentgateway’s instauration aligns perfectly pinch MCP’s session-oriented, streaming connection model.

Building connected this foundation, agentgateway serves arsenic a autochthonal MCP gateway, ample connection exemplary (LLM) gateway and agent-to-agent (A2A) proxy, providing nan security, observability and governance capabilities that accepted API gateways cannot deliver.

It supports MCP multiplexing to federate devices from aggregate backend servers, applies fine-grained authorization policies to power which devices clients tin entree and handles some stdio and HTTP Streamable transports seamlessly.

And erstwhile integrated pinch nan Cloud Native Computing Foundation (CNCF) task kgateway arsenic a power plane, agentgateway becomes Kubernetes native, enabling teams to negociate MCP services utilizing modular gateway API resources while nan proxy takes attraction of nan protocol-specific complexities.

This purpose-built attack delivers nan performance, information and operational simplicity enterprises request for accumulation MCP deployments — without nan brittleness, attraction load and architectural compromises of retrofitting an API gateway.

KubeCon + CloudNativeCon North America 2025 is taking spot Nov. 10-13 successful Atlanta, Georgia. Register now.

Group Created pinch Sketch.