One MCP server in front of all your apps — with each app's own permissions, per user
Cortex Gateway is an open-source, self-hosted MCP gateway. Agents connect to a single OAuth 2.1-protected URL; the gateway federates the tools of every app behind it and propagates the real user identity — so each app's native permission model applies automatically, at the user level. Nothing to mirror, nothing to sync, no service-account flattening.
Get started on GitHub →
MIT-licensed · Docker image on GHCR · hosted demo you can plug into Claude in 30 seconds
How it works
```text
[MCP agent: Claude Desktop / claude.ai / OpenClaw / Hermes / ...]
        │ HTTPS + OAuth 2.1 JWT (Bearer)
        ▼
[cortex-gateway]   ←— thin gateway, no business logic
        │ the SAME JWT propagated (RFC 8707)
        ▼
[your backends]    ←— domain owners, plain HTTP, own their ACLs
```
A backend is a dedicated MCP server reduced to its essence: a tool catalog plus tool invocation over bare HTTP (a ~120-line contract, no MCP library). The transport and lifecycle machinery — initialize, sessions, SSE, version negotiation — lives once, in the gateway. Native third-party MCP servers federate through the built-in proxy adapter with a per-user encrypted token vault.
What you get
| Capability | How |
|---|---|
| User-level permissions, automatically | Identity propagation: your JWT to first-party backends, the user's own linked token to third-party MCP servers. The app that owns the permission enforces it. |
| Scope-filtered tool catalog | Agents only see (and can call) tools their token scopes allow. Scopes double as plan entitlements — free/pro tiers with zero paywall logic. |
| Live federation | Backends are polled every 60s; new tools appear without redeploying, with SSE tools/list_changed push. |
| Audit & revocation | One pseudonymized audit line per call; central OAuth revocation cuts every backend at once. |
| Context-efficient tools/list | Backend filtering + a compact search mode (~80% smaller payloads for programmatic agents). |
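The three gateway-side behaviours described above and in "How it works" (scope-filtered tools/list, forwarding the same bearer token on tools/call, one pseudonymized audit record per call), as an added illustration that is not Cortex Gateway's own code. The per-tool `scope` field, the scope names, the claims and the audit key are constructed assumptions; JWT signature and JWKS verification are taken to have happened before this step.

```python
import hmac
from hashlib import sha256

# Constructed sample catalog, shaped like a backend's tool list as the gateway might hold it.
# The per-tool "scope" field and the scope names are assumptions for illustration.
CATALOG = [
    {"name": "docs.search",    "scope": "docs:read"},
    {"name": "docs.write",     "scope": "docs:write"},
    {"name": "billing.export", "scope": "tier:pro"},   # scope doubling as a plan entitlement
]

# Constructed, already-verified JWT claims for the same user on a free and on a pro plan.
FREE_CLAIMS = {"sub": "user-42", "scope": "docs:read"}
PRO_CLAIMS = {"sub": "user-42", "scope": "docs:read docs:write tier:pro"}

AUDIT_KEY = b"constructed-audit-pseudonym-key"  # placeholder; a deployment uses a real secret


def token_scopes(claims):
    """Scopes from the OAuth 'scope' claim, a space-separated string."""
    return set(claims.get("scope", "").split())


def visible_tools(catalog, claims):
    """tools/list as the agent sees it: only tools whose scope the token carries."""
    scopes = token_scopes(claims)
    return [t["name"] for t in catalog if t["scope"] in scopes]


def call_tool(catalog, claims, raw_jwt, name, forward):
    """tools/call: refuse out-of-scope tools before touching the backend; otherwise
    forward with the SAME bearer token so the backend's own ACL decides for this user."""
    if name not in visible_tools(catalog, claims):
        return {"error": "tool not permitted by token scopes", "tool": name}
    return forward(name, {"Authorization": "Bearer " + raw_jwt})


def audit_line(claims, name, outcome):
    """One audit record per call: the user id is replaced by a keyed HMAC, so the log
    is pseudonymized yet still links one user's calls together (serialize with json.dumps)."""
    pseudonym = hmac.new(AUDIT_KEY, claims["sub"].encode(), sha256).hexdigest()[:16]
    return {"sub": pseudonym, "tool": name, "outcome": outcome}


if __name__ == "__main__":
    print(visible_tools(CATALOG, FREE_CLAIMS))  # ['docs.search']
    print(call_tool(CATALOG, FREE_CLAIMS, "tok.abc.def", "billing.export", lambda n, h: "sent"))
```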
FAQ
Is Cortex Gateway free?
Yes — MIT-licensed, self-hosted. You run it on your own infrastructure (a small VM or the Docker image). There is no hosted plan and no usage billing.
Does it work with any OAuth server?
Any OAuth 2.1 authorization server that issues RS256 JWTs with a JWKS endpoint works. The repo ships a complete demo authorization server (DCR, PKCE, magic-link signup) you can start from.
Can it federate existing third-party MCP servers?
Yes, through the built-in MCP→backend proxy adapter (beta): it speaks real MCP downstream and holds per-user OAuth tokens in an AES-256-GCM vault, so providers see each user's own account — their seat, their rate limits, their permissions.
How is this different from Composio or Pipedream?
Those are hosted tool platforms with large connector catalogs. Cortex Gateway is self-hosted infrastructure: your token vault, your audit trail, your OAuth perimeter, and a tiny contract for your own apps. See the detailed Composio and Pipedream pages.