🎉   v0.0.1 — now open source

Secure MCP access for
every team, every tool

Reflow Gateway solves the MCP authentication segregation problem. Each user, group, and role gets exactly the credentials they're allowed — and nothing more.

See how it works → View on GitHub
$ curl -fsSL https://raw.githubusercontent.com/JulianPedro/reflow-gateway/main/install.sh | bash
✓ Checking prerequisites
✓ Cloning repository
✓ Generating secrets
✓ Starting services
✓ Gateway is healthy

Gateway UI: http://localhost:3001
Gateway API: http://localhost:3000
API Docs: http://localhost:3000/docs
Grafana: http://localhost:3002


Architecture

One endpoint, many servers

The gateway sits between your AI clients and all your MCP servers. It handles auth, routes requests, and injects credentials — automatically.

Claude Desktop
Cursor
Windsurf
Any MCP Client
JWT Bearer
tools/call
Reflow Gateway
JWT Auth Policy Eval Cred Inject
token-A
token-B
k8s pod
GitHub MCP
Jira MCP
Slack MCP
Custom MCP
3,241
Requests / hr
12ms
Avg Latency
0.2%
Error Rate
18
Active Sessions
Live activity
00:01 alice · tools/call github · 200 · 8ms
00:02 bob · tools/call jira · 200 · 14ms
00:03 charlie · tools/list slack · 200 · 5ms
The Problem

MCP has an authentication
segregation problem

When multiple users share AI agents connected to the same MCP servers, credentials and permissions bleed across users — or every user needs their own server.

😤 Without a gateway

  • One shared API token for all users — everyone sees everything
  • Each user needs a separate MCP server instance to isolate creds
  • No way to say "Alice gets GitHub access but not Jira"
  • No audit trail — you don't know who called what tool
  • No default-deny — every tool is accessible by default
  • Credential sprawl: tokens scattered across env files and config

✅ With Reflow Gateway

  • Per-user, per-group, per-role credential injection — automatically
  • One gateway handles all users with isolated credential contexts
  • Fine-grained policies: target, tool, resource, and prompt level
  • Every MCP call audited with user identity, method, and duration
  • Default-deny: no access without an explicit allow policy
  • Credentials stored encrypted with AES-256-GCM, never in logs
Identities
alice (developer)
bob (qa-team)
charlie (admin)
Bearer JWT →
Gateway resolves
alice → GitHub token A
bob → Jira token (qa-team)
charlie → all tokens
user > group > role > default
Upstream sees
GitHub ← alice's PAT
Jira ← qa-team token
Slack ← admin token
client never sees these
👤
Per-user isolation
Alice's GitHub PAT is used when Alice calls tools. Bob gets his own token. No shared credentials, no permission bleed.
👥
Per-group & role scoping
DevTeam shares a Jira service account. QA has read-only access. Ops gets production. All driven by JWT claims.
🚫
Default-deny policies
Nothing is accessible without an explicit allow. Policies target servers, tools, resources, and prompts independently.
Features

Everything you need,
nothing you don't

Built for teams that need auditability and fine-grained control over AI agent access.

🔀

MCP Multiplexing

Aggregate tools, resources, and prompts from multiple MCP servers into one endpoint. Prefixed automatically when needed.

🛡️

Default-deny Authorization

Fine-grained policies at target, tool, resource, and prompt level. No access without an explicit allow.

🔑

Credential Injection

Gateway resolves credentials per user, group, or role — and injects them upstream. Clients never see downstream secrets.

🚀

Four Transports

Streamable HTTP, SSE, STDIO processes, and Kubernetes pods. Auto-detect between Streamable HTTP and SSE.

🔒

Encryption at Rest

All stored credentials encrypted with AES-256-GCM. Keys never appear in logs or API responses.

📋

Audit Logging

Every MCP request logged with user identity, method, target, response status, and duration.

📡

OpenTelemetry

Distributed traces and metrics via OTLP. Grafana + Loki + Tempo stack included in Docker Compose.

♻️

Session Recycle

Auto-detects JWT claim changes on every request and refreshes sessions without client intervention.

🐳

Docker & Helm Ready

One-command Docker Compose setup. Production-grade Helm chart with checksum-triggered rollouts.



Transports

Meet your MCP servers where they are

Remote HTTP services, local CLI tools, or Kubernetes workloads — the gateway handles it.

streamable-http

Streamable HTTP

For remote MCP servers. Auto-detects between Streamable HTTP and legacy SSE transports.

sse

Server-Sent Events

For legacy MCP servers using the SSE transport. Maintains persistent connection.

stdio

STDIO Processes

Spawn local processes (npx, python…) with isolated credentials per user, group, or role.

kubernetes

Kubernetes Pods

Create isolated pods via MCPInstance CRDs. Operator manages lifecycle, GC, and secrets.

Quick Start

Up and running in minutes


Docker Compose
Helm
From source
# One-line install
curl -fsSL https://raw.githubusercontent.com/JulianPedro/reflow-gateway/main/install.sh | bash

# Or manually:
git clone https://github.com/JulianPedro/reflow-gateway.git && cd gateway
cp .env.example .env && cp config.yaml.example config.yaml
# Edit .env with your secrets
docker compose up -d

# Register the first admin user
curl -X POST http://localhost:3000/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@example.com","password":"secure123"}'
# Install with Helm (external PostgreSQL required)
helm install reflow-gateway ./chart \
  --set secrets.jwtSecret="$(openssl rand -hex 32)" \
  --set secrets.encryptionKey="$(openssl rand -base64 24 | cut -c1-32)" \
  --set secrets.dbPassword="$(openssl rand -hex 16)" \
  --set config.database.host=my-postgres.default.svc

# Port-forward to test
kubectl port-forward svc/reflow-gateway 3000:3000
git clone https://github.com/JulianPedro/reflow-gateway.git && cd gateway

# Start only PostgreSQL
docker compose up -d postgres

# Run the backend
export DB_PASSWORD=dev JWT_SECRET=dev-secret ENCRYPTION_KEY=12345678901234567890123456789012
cd backend && go run cmd/server/main.go -config ../config.yaml

# Run the frontend (optional)
cd frontend && npm install && npm run dev

Stop sharing credentials.
Start enforcing access.

One gateway, all your MCP servers, fully under your control.

Read the docs → View on GitHub