MCP Gateway

Transform Your AI Applications with Bifrost MCP Gateway

Transform Your AI Applications with Bifrost MCP Gateway

Build secure, production-grade AI agents with enterprise-level tool orchestration

As AI applications evolve beyond simple chat interfaces, developers face a critical challenge: how do you enable AI models to interact with external tools, databases, and APIs safely and efficiently? Bifrost's Model Context Protocol (MCP) Gateway solves this problem by providing a comprehensive, production-ready platform for AI tool orchestration.

What is the Model Context Protocol?

The Model Context Protocol is an open standard that enables AI models to seamlessly discover and execute external tools at runtime. Instead of limiting your AI to text generation, MCP allows models to interact with filesystems, search the web, query databases, and execute custom business logic through external MCP servers.

Bifrost takes MCP implementation to the next level by acting as both an MCP client (connecting to external tool servers) and an MCP server (exposing tools to external clients like Claude Desktop), creating a powerful middleware layer for AI tool management.

Security-First Architecture: Explicit Control Over Tool Execution

One of Bifrost's most important design principles is security by default. Unlike systems that automatically execute any tool an AI model suggests, Bifrost requires explicit approval for tool execution. This means:

  • Tool calls are suggestions only – When an LLM returns tool calls, Bifrost does NOT execute them automatically
  • Your application stays in control – You review tool calls, apply security rules, and get user approval before execution
  • Explicit execution required – Tools only run when you make a separate API call to /v1/mcp/tool/execute
  • Complete audit trail – Every tool operation is tracked and logged

This stateless design ensures no unintended API calls to external services, no accidental data modification or deletion, and full human oversight for sensitive operations. The explicit execution pattern follows this workflow:

  1. Send chat request → LLM returns tool call suggestions (not executed)
  2. Your app reviews the suggestions → Apply security rules and get user approval
  3. Execute approved tools → POST to /v1/mcp/tool/execute endpoint
  4. Continue conversation → Feed results back with full conversation history

Flexible Connection Options for Any Architecture

Bifrost supports three connection protocols for maximum flexibility:

STDIO Connections – Spawn local processes and communicate via standard input/output, perfect for local tools, CLI utilities, Python/Node.js MCP servers, and database tools with local credentials. Note for Docker users: when running Bifrost in Docker, STDIO connections require the necessary commands (like npx or python) to be installed in the container.

HTTP Connections – Communicate with remote MCP servers via HTTP requests, ideal for remote APIs, cloud-hosted services, microservice architectures, and third-party tool providers.

SSE Connections – Server-Sent Events provide persistent connections for real-time data, live system monitoring, and event-driven workflows.

Each connection type includes automatic health monitoring with periodic pings every 10 seconds, check timeout of 5 seconds per ping, and automatic disconnection after 5 consecutive failed pings with real-time state updates.

Code Mode: Slash Token Costs by 50% at Scale

When connecting multiple MCP servers (3 or more), Bifrost's Code Mode delivers transformative cost and performance improvements. The problem: connecting 8-10 MCP servers with 150+ tools means every request includes all tool definitions in context. The LLM spends most of its budget reading tool catalogs instead of doing actual work.

Code Mode's solution: Instead of exposing 150 tools directly, expose just three meta-tools that let the AI write TypeScript code to orchestrate everything else in a sandbox:

  • listToolFiles – Discover available MCP servers
  • readToolFile – Load TypeScript definitions on-demand
  • executeToolCode – Execute TypeScript with full tool bindings

The results are dramatic: A workflow across 5 MCP servers with 100 tools sees approximately 50% cost reduction and 30-40% faster execution. Classic MCP requires 6 LLM turns with 100 tools in context every turn. Code Mode needs just 3-4 turns with only 3 tools plus definitions loaded on-demand, with all intermediate results processed in the sandbox rather than flowing through the model.

Code Mode supports two binding levels: server-level binding (default) groups all tools from a server into one .d.ts file, while tool-level binding creates individual files per tool. Choose based on your server size and context efficiency needs.

Code Mode is available from v1.4.0-prerelease1 onwards and is part of the open source offering.

Agent Mode: Build Autonomous AI Workflows

Agent Mode enables autonomous tool execution with configurable auto-approval, transforming Bifrost from a simple gateway into an agent runtime. When enabled, the LLM returns tool calls, Bifrost automatically executes auto-executable tools, feeds results back to the LLM, and loops until completion or max depth is reached (default: 10 iterations).

Important limitation: Agent Mode is not compatible with streaming operations (chat_stream and responses_stream). The autonomous tool execution loop requires complete responses before proceeding to the next iteration.

Critical security feature: Agent Mode requires explicit configuration through tools_to_auto_execute. By default, no tools run automatically. A tool must be in both tools_to_execute (whitelist) and tools_to_auto_execute (auto-approval) to run autonomously.

Best practices dictate marking only safe operations for auto-execution like read operations (read_file, list_directory), search/query operations, and non-destructive information gathering. Operations requiring human approval include write operations, delete operations, execute operations, and operations with side effects like sending emails or making purchases.

Agent Mode is available from v1.4.0-prerelease1 onwards and is part of the open source offering.

Enterprise-Grade Tool Filtering and Governance

Bifrost provides three levels of tool filtering for granular access control:

Level 1: Client Configuration – Set baseline tools via tools_to_execute on each MCP client config. Use ["*"] for all tools, [] for none, or specify individual tool names.

Level 2: Request-Level Filtering – Filter tools dynamically per-request using HTTP headers (x-bf-mcp-include-clients, x-bf-mcp-include-tools) or SDK context values. Wildcard patterns like filesystem/* are supported.

Level 3: Virtual Key Filtering (Gateway deployment only) – Virtual Keys can have their own MCP configurations that take precedence over request-level headers, enabling per-team or per-user tool access control.

These filters combine as an intersection – a tool must pass all applicable filters to be available. This filtering capability is available in the open source version.

Tool Hosting: Zero-Latency In-Process Tools

For Go SDK users, Bifrost's Tool Hosting feature allows registering custom tools directly within your application. These tools run in-process with approximately 0.1ms latency (no network overhead), making them ideal for application-specific business logic, high-performance operations, testing and development, and tools needing direct access to application state.

Registered tools are automatically prefixed with bifrostInternal_ (e.g., calculator becomes bifrostInternal_calculator) to prevent naming conflicts with external MCP servers.

Tool Hosting is exclusively available when using Bifrost as a Go SDK, not in Gateway deployments, and is part of the open source offering.

MCP Gateway URL: Expose Tools to External Clients

Gateway deployments can act as an MCP server, exposing all connected MCP tools through a single endpoint at /mcp. This enables powerful aggregation patterns – connect Bifrost to multiple MCP servers (filesystem, web search, databases), then expose all those tools through one endpoint so external clients like Claude Desktop, Cursor, or custom applications can access the complete aggregated toolset.

The endpoint supports both JSON-RPC 2.0 (POST requests) and Server-Sent Events (GET requests) for persistent connections. Virtual Key authentication provides per-key tool access control, allowing different clients to see different tool subsets.

This feature is available from v1.4.0-prerelease1 onwards, only in Gateway deployments (not when using Bifrost as a Go SDK), and is part of the open source offering.

Open Source vs Enterprise: What's Included?

Open Source Features (v1.4.0-prerelease1+):

  • Complete MCP Gateway functionality
  • All connection types (STDIO, HTTP, SSE)
  • Tool execution with explicit control
  • Agent Mode with auto-execution
  • Code Mode for cost optimization
  • Tool filtering at all three levels (client, request, Virtual Key)
  • Tool Hosting for SDK users
  • MCP Gateway URL for external clients
  • Health monitoring and dynamic tool discovery

Enterprise-Only Features:

  • MCP with Federated Auth
  • Clustering for high availability
  • Advanced Governance with audit logs
  • Enterprise Observability dashboards
  • Guardrails for content filtering
  • Vault Support for secrets management
  • In-VPC Deployments
  • Custom Plugins
  • Log Exports

Real-World Impact: E-Commerce Assistant Example

Consider an e-commerce assistant with 10 MCP servers (product catalog, inventory, payments, shipping, analytics, etc.) averaging 15 tools per server for 150 total tools. A complex task like "Find matching products, check inventory, compare prices, get shipping estimate, create quote" shows dramatic differences:

Classic MCP: 8-10 LLM turns, ~2,400 tokens in tool definitions per turn, $3.20-4.00 total cost, 18-25 seconds latency.

Code Mode: 3-4 LLM turns, ~100-300 tokens in tool definitions per turn, $1.20-1.80 total cost, 8-12 seconds latency.

The benefit: the model writes one TypeScript script where all orchestration happens in the sandbox, returning only the compact result to the LLM.

Getting Started with Bifrost MCP

Bifrost offers flexible deployment options. Use it as a Gateway for centralized tool management accessible via HTTP APIs, or as a Go SDK embedded directly in your application for zero-latency tool execution.

The security-first architecture, combined with powerful features like Code Mode and Agent Mode, makes Bifrost the ideal choice for production AI applications that need safe, efficient tool orchestration at scale.

Whether you're building internal AI agents, customer-facing applications, or complex multi-tool workflows, Bifrost's MCP Gateway provides the foundation for reliable, secure, and cost-effective AI tool management.

Try Bifrost Enterprise free for 14 days or explore the open source version at github.com/maximhq/bifrost to start building production-ready AI agents today.