MCP Gateway / Governed Ingress

Your agents' tools, behind the boundary.

Point any MCP-compatible agent at the Gateway and every tool call enters governed execution: identity bound at ingress, authorized by Runtime before it runs, returned with receipts. No side doors.

Trace the execution boundaryPlatform map
What It Does

Proof-oriented capabilities.

  • Accepts existing MCP clients and returns Runtime-emitted, receipt-backed responses in a governed envelope.
  • Binds tenant_id and actor_id through JWT or API-key identity before execution proceeds.
  • Routes every tool call through Decide before Execute so authorization precedes effects — the policy decision is owned by Runtime.
  • Records durable ingress lineage and returns the Runtime-emitted decision, execution, and outcome receipts in a governed envelope.
What It Is Not

Boundary protected.

  • MCP Gateway is not a separate authority system.
  • MCP Gateway does not let tools execute around Runtime.
  • MCP Gateway does not make MCP compatibility equivalent to governance.
Boundary Definition

Compatibility enters here. Authority still lives in Runtime.

The gateway is the governed ingress surface for MCP. It intercepts tool calls, injects identity and policy context, invokes Runtime, and returns receipt-backed structured content.

System Connections

Receives, outputs, never.

Receives from
MCP clients
tool calls from compatible agents and applications
Identity providers
tenant, actor, and scope claims
Runtime
policy decisions and execution authorization
Outputs to
Runtime
governed tool intents for Decide and Execute
Cortex
ingress receipts and causal lineage when persisted
MCP clients
structured content containing governance envelope and proof artifacts
Never does
executes directlydrops identitycreates side channels
Surface contract

What this surface owns.

Purpose

Use MCP Gateway when existing agents need governed ingress for tool calls without side doors.

Primary question

How does a tool call enter Keon without creating a bypass?

Allowed
  • MCP compatibility
  • tenant and actor binding
  • Decide then Execute (via Runtime)
  • ingress lineage records
Forbidden
  • direct tool side channels
  • standalone execution boundary
  • identity-free calls
  • policy evaluation, authorization, or receipt emission, which belong to Runtime
Next Action

Continue through the correct surface.

Trace the execution boundary