MCP Gateway

Scoped tools, tenant binding, and per-call audit.
Deployment: Aegress managed (recommended). One team endpoint, per-tenant policy, per-principal evidence.
MCP execution proof

Tenant-bound before any tool runs (recommended).

  01 Actor    - signed user; principal mapped
  02 Tenant   - bound request; no shared customer context
  03 Policy   - tool verdict: allow, review, or block
  04 Tool     - scoped call; selected action only
  05 Evidence - sealed audit; exportable trace
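As an added illustration, not Aegress code, the following Python walks a tools/call request through the five stages above, taking the Authorization, X-Aegress-Tenant-Id and X-Aegress-Actor-Id headers that the client setups on this page send. The token table, the per-tenant tool policy, the tool stub, the JSON-RPC error codes and the HMAC-chained audit format are constructed assumptions; the page does not describe the real gateway's internals, only the order and outcome of the stages.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed: one bearer token per tenant/principal. A token can never act
# for another tenant, whatever the client puts in its headers.
TOKENS = {
    "tok-acme-1": {"tenant": "acme", "principal": "alice@acme.example"},
    "tok-globex-7": {"tenant": "globex", "principal": "bob@globex.example"},
}

# Constructed per-tenant tool policy; any tool not listed is blocked.
POLICY = {
    "acme": {"mail.search": "allow", "mail.send": "review", "mail.delete": "block"},
    "globex": {"mail.search": "allow"},
}

AUDIT_KEY = b"constructed-demo-seal-key"  # assumption: held only by the gateway


def _run_tool(tenant: str, name: str, args: dict) -> dict:
    """Constructed stand-in for the real provider call (e.g. Microsoft Graph)."""
    if name == "mail.search":
        return {"tenant": tenant, "hits": [f"msg-{args.get('q', '')}-1"]}
    return {"tenant": tenant, "ok": True}


def _error(rpc_id, code: int, msg: str) -> dict:
    return {"jsonrpc": "2.0", "id": rpc_id, "error": {"code": code, "message": msg}}


@dataclass
class Gateway:
    chain: list = field(default_factory=list)  # sealed, exportable audit trail

    def _seal(self, **event) -> dict:
        """Append an event whose seal covers the event and the previous seal."""
        prev = self.chain[-1]["seal"] if self.chain else "0" * 64
        body = json.dumps(event, sort_keys=True)
        seal = hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        rec = {**event, "prev": prev, "seal": seal}
        self.chain.append(rec)
        return rec

    def handle(self, headers: dict, rpc: dict) -> dict:
        rpc_id = rpc.get("id")
        h = {k.lower(): v for k, v in headers.items()}
        # 01 Actor: bearer token -> principal (constructed lookup; a real gateway verifies a signature).
        auth = h.get("authorization", "")
        ident = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
        if ident is None:
            self._seal(step="actor", verdict="block", reason="bad_token")
            return _error(rpc_id, -32001, "unauthenticated")
        tenant, principal = ident["tenant"], ident["principal"]
        # 02 Tenant: the request is bound to the token's tenant and principal; the
        # headers must agree, so no customer is ever served another's context.
        if h.get("x-aegress-tenant-id") != tenant or h.get("x-aegress-actor-id") != principal:
            self._seal(step="tenant", verdict="block", reason="binding_mismatch",
                       tenant=tenant, principal=principal)
            return _error(rpc_id, -32002, "tenant/actor binding mismatch")
        if rpc.get("method") != "tools/call":
            # initialize, tools/list and friends carry no action but are still recorded.
            self._seal(step="policy", verdict="allow", tenant=tenant,
                       principal=principal, method=rpc.get("method"))
            return {"jsonrpc": "2.0", "id": rpc_id, "result": {}}
        # 03 Policy: per-tenant verdict for the one tool the client selected.
        params = rpc.get("params", {})
        tool, args = params.get("name", ""), params.get("arguments", {})
        verdict = POLICY.get(tenant, {}).get(tool, "block")
        if verdict != "allow":
            self._seal(step="policy", verdict=verdict, tenant=tenant,
                       principal=principal, tool=tool, args=args)
            code = -32004 if verdict == "review" else -32003
            return _error(rpc_id, code, f"tool {tool}: {verdict}")
        # 04 Tool: scoped call, the selected action only, inside the bound tenant.
        result = _run_tool(tenant, tool, args)
        # 05 Evidence: sealed record of what actually ran, returned with the result.
        rec = self._seal(step="tool", verdict="allow", tenant=tenant,
                         principal=principal, tool=tool, args=args, result=result)
        return {"jsonrpc": "2.0", "id": rpc_id,
                "result": {"content": [{"type": "text", "text": json.dumps(result)}],
                           "evidence": rec["seal"]}}


def verify_chain(chain: list) -> bool:
    """Recompute every seal; an edited, dropped or reordered event breaks the chain."""
    prev = "0" * 64
    for rec in chain:
        event = {k: v for k, v in rec.items() if k not in ("prev", "seal")}
        body = json.dumps(event, sort_keys=True)
        want = hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(rec["seal"], want):
            return False
        prev = rec["seal"]
    return True
```

The point of the ordering is that the tenant check sits before policy and the tool call: a globex token sent with X-Aegress-Tenant-Id: acme is refused at stage 02 and never reaches the acme policy table, and every refusal, including a bad token, still produces a sealed audit event. verify_chain is what an exported trace is checked against: changing any field of any record, or removing one, invalidates every seal after it.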
SaaS hosting model

One endpoint. Isolated customer context. Per-principal evidence.

  Runtime secret:   Aegress-held
  Segregation:      per tenant
  Evidence:         per call
  Recommended path: Aegress managed
  Gateway URL:      https://mcp-gateway.aegress.com/mcp
  Customer action:  MCP URL + consent
  Tenant config:    OAuth-bound

Paths: 5 (1 recommended). Clients: 4.

Deployment paths

Aegress managed (recommended)

Aegress-operated SaaS pilots and client rollouts.

  Runtime:  Aegress-operated
  Tenant:   tenant consent
  Client:   Streamable HTTP
  Boundary: tenant consent, OAuth tokens, and tool policy stay scoped per customer.

Tunnel inventory

No live tunnel routes are listed until MCP_TUNNEL_PROVIDER, MCP_TUNNEL_ID, MCP_TUNNEL_WORKSPACE, and MCP_TUNNEL_OWNER are configured.

MCP client setup

Claude Code (available)

Config file: ~/.claude.json or project .mcp.json

Command:
claude mcp add --transport http --scope user aegress https://mcp-gateway.aegress.com/mcp --header "Authorization: Bearer $AEGRESS_MCP_GATEWAY_TOKEN" --header "X-Aegress-Tenant-Id: $AEGRESS_TENANT_ID" --header "X-Aegress-Actor-Id: $AEGRESS_ACTOR_ID"
Config:
{
  "mcpServers": {
    "aegress": {
      "headers": {
        "Authorization": "Bearer ${AEGRESS_MCP_GATEWAY_TOKEN}",
        "X-Aegress-Actor-Id": "${AEGRESS_ACTOR_ID}",
        "X-Aegress-Tenant-Id": "${AEGRESS_TENANT_ID}"
      },
      "type": "http",
      "url": "https://mcp-gateway.aegress.com/mcp"
    }
  }
}
Use /mcp in Claude Code to confirm the server is connected. Run the CLI from a shell where the tenant, actor, and token environment variables are set, because the command line expands them before the server entry is stored.

Reference docs

  - MCP Streamable HTTP transport
  - Claude Code remote HTTP MCP
  - Codex MCP setup
  - OpenAI Secure MCP Tunnel
  - Aegress-managed SaaS runbook
Aegress-held secrets (managed by Aegress)

  1. Create the customer tenant in the Aegress control plane.
  2. Apply tenant policy for origins, tools, and destructive actions.
  3. Connect Microsoft 365 through the Aegress multi-tenant Entra app.
  4. Add the team MCP URL to the client and complete tenant-bound consent.

Links: docs/operations/aegress-managed-saas.md, Aegress-managed gateway URL, MCP OAuth consent flow

Azure Container Apps (guided)

Regulated customers that want the worker in their Azure tenant.

  Runtime:  customer-hosted
  Tenant:   tenant env bind
  Client:   Streamable HTTP
  Boundary: the customer tenant hosts the gateway container; the Aegress control plane receives audit events only.
  Runtime secrets: DATABASE_URL, REDIS_URL, MCP_GATEWAY_TOKEN, and 35 more

  1. Deploy the gateway image into the customer Azure subscription.
  2. Store secrets in Container App secrets or Key Vault references.
  3. Expose /mcp, /health, /.well-known/*, and /oauth/* through HTTPS.

Template: deploy/azure/gateway-container-app.bicep

Private MCP tunnel (guided)

Customers that cannot expose inbound MCP but can run an outbound tunnel client beside Aegress.

  Runtime:  customer-hosted
  Tenant:   tenant env bind
  Client:   outbound tunnel
  Boundary: Aegress stays inside the customer trust boundary; the vendor tunnel carries MCP traffic while Aegress enforces tenant, actor, tool, and audit policy.
  Runtime secrets: MCP_INGRESS_MODE, MCP_TUNNEL_PROVIDER, MCP_TUNNEL_ID, and 34 more

  1. Run the Aegress gateway on a private host or service reachable by the tunnel client.
  2. Create the vendor tunnel in the OpenAI or Anthropic organization workspace.
  3. Point the tunnel client at the private Aegress /mcp target, never at Microsoft Graph or another provider directly; a tunnel that bypasses the gateway also bypasses tenant, tool, and audit policy.
  4. Keep MCP_AUTH_MODE=oauth for SaaS, or bearer with static tenant and actor binding for customer-hosted pilots.
  5. Verify tunnel health, then confirm that every tool call appears in Aegress audit evidence.

Links: docs/operations/mcp-private-tunnels.md, OpenAI tunnel-client profile, Claude organization tunnel settings

Docker container (available)

Local proof, private VM, or customer-managed Kubernetes ingress.

  Runtime:  customer-hosted
  Tenant:   tenant env bind
  Client:   Streamable HTTP
  Boundary: the gateway stays inside the customer network and calls the approved provider APIs from there.
  Runtime secrets: DATABASE_URL, REDIS_URL, MCP_GATEWAY_TOKEN, and 35 more

  1. Pull or build the gateway image.
  2. Point it at Postgres, Valkey/Redis, and the Aegress API/control plane.
  3. Terminate TLS at the reverse proxy.

Compose file: deploy/docker/gateway.compose.yaml

AWS Lambda container (guided)

AWS customers who require a lightweight function deployment.

  Runtime:  customer-hosted
  Tenant:   tenant env bind
  Client:   short calls
  Boundary: the function runs in the customer AWS account; use it only when the client flow does not require long-lived streaming.
  Runtime secrets: DATABASE_URL, REDIS_URL, MCP_GATEWAY_TOKEN, and 34 more

  1. Build the Lambda-specific gateway image and push it to ECR.
  2. Validate the CloudFormation template and create a change set.
  3. Keep Streamable HTTP JSON responses enabled and avoid SSE-only clients.
  4. Move to ECS/App Runner if long-running streams are required.

Files: services/gateway/Dockerfile.lambda, deploy/aws/gateway-lambda-container.template.json, deploy/aws/gateway-lambda-container.md
Claude Code notes: Claude stores the expanded HTTP headers, so the token value itself (not the variable name) ends up in its config; use a tenant-scoped token that can be revoked. User scope keeps the gateway available across projects.

Codex (available)

Config file: ~/.codex/config.toml

Command:
codex mcp add aegress --url "https://mcp-gateway.aegress.com/mcp?tenantId=${AEGRESS_TENANT_ID}&actorId=${AEGRESS_ACTOR_ID}" --bearer-token-env-var AEGRESS_MCP_GATEWAY_TOKEN
Config:
[mcp_servers.aegress]
url = "https://mcp-gateway.aegress.com/mcp?tenantId=${AEGRESS_TENANT_ID}&actorId=${AEGRESS_ACTOR_ID}"
bearer_token_env_var = "AEGRESS_MCP_GATEWAY_TOKEN"
enabled = true
tool_timeout_sec = 60
The Codex CLI and IDE extension share the same MCP configuration. Codex keeps the bearer token in an environment variable: set the tenant and actor environment variables before adding the server, and keep the token in the environment, not in the TOML file. Because tenantId and actorId travel in the URL query string here, they will appear in proxy and server access logs; treat them as identifiers, not secrets, and rely on the bearer token for authentication.

Cursor (available)

Config file: ~/.cursor/mcp.json

Preflight check (run in the shell Cursor is launched from; prints env-ok only when all three are set):
test -n "$AEGRESS_MCP_GATEWAY_TOKEN" && test -n "$AEGRESS_TENANT_ID" && test -n "$AEGRESS_ACTOR_ID" && echo env-ok
Config:
{
  "mcpServers": {
    "aegress": {
      "headers": {
        "Authorization": "Bearer ${AEGRESS_MCP_GATEWAY_TOKEN}",
        "X-Aegress-Actor-Id": "${AEGRESS_ACTOR_ID}",
        "X-Aegress-Tenant-Id": "${AEGRESS_TENANT_ID}"
      },
      "url": "https://mcp-gateway.aegress.com/mcp"
    }
  }
}
Launch Cursor from an environment where the tenant, actor, and token env vars are set, and restart Cursor after updating the MCP config. Keep write-capable tools blocked until approval workflows are enabled.

Generic Streamable HTTP (available)

Config file: your MCP client settings

Connectivity check (POST an initialize request with the headers the gateway expects; a bare GET without an Accept: text/event-stream header is not a valid Streamable HTTP request):
curl -sS -X POST https://mcp-gateway.aegress.com/mcp \
  -H "Authorization: Bearer $AEGRESS_MCP_GATEWAY_TOKEN" \
  -H "X-Aegress-Tenant-Id: $AEGRESS_TENANT_ID" \
  -H "X-Aegress-Actor-Id: $AEGRESS_ACTOR_ID" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"curl","version":"0"}}}'
Config:
{
  "headers": {
    "Authorization": "Bearer ${AEGRESS_MCP_GATEWAY_TOKEN}",
    "X-Aegress-Actor-Id": "${AEGRESS_ACTOR_ID}",
    "X-Aegress-Tenant-Id": "${AEGRESS_TENANT_ID}"
  },
  "name": "aegress",
  "transport": "streamable-http",
  "url": "https://mcp-gateway.aegress.com/mcp"
}
Use POST and GET on the same MCP endpoint: POST carries JSON-RPC requests, GET opens the optional server-to-client event stream. Prefer Streamable HTTP; the separate SSE transport is only for older clients.