Gateway MCP surface
Before you begin
You need:
- an agent publication with a resolved public hostname
- an active Access Key or Gateway Key authorized for that publication
- an MCP client that supports remote streamable HTTP
First open https://<your-published-hostname>/mcp with the client configuration
below. A localhost gateway or an unpublished agent does not satisfy this
surface.
This is a separate surface from:
provider: mcpin gateway config, which routes gateway traffic to an external MCP backendtool_servers, which declares config-managed tool-server metadata for validation and discovery
Current connection shape
Use a published agent hostname in the form:
https://<publication-key>.<public_hostname_suffix>/mcp
Authenticate with your Access Key (or Gateway Key) as a bearer token. No special token minting is required. The gateway serves the MCP protocol and the LLM proxy on the same hostname, so the MCP URL and the bearer token are the setup surface you hand to the client.
Transport contract
The current hosted MCP surface uses streamable HTTP:
POST /mcpfor client-to-server JSON-RPC requests such asinitialize,tools/list,tools/call,resources/list,resources/read, andpingGET /mcpfor the server-sent events stream used for server-to-client notifications
The route is only valid on a published hostname. Requests that hit /mcp without publication context fail closed with a publication-required error.
Authentication
Authenticate with an active Access Key or Gateway Key as a bearer token. These are filtered views of the shared API-token system and are managed on the console's API Tokens page.
This is not a localhost or unpublished-gateway exercise. You can only complete the client setup against a real published hostname, and your bearer token must have access to that publication surface.
Current capability scope
The published gateway exposes a governed MCP bundle:
| Surface | Current behavior |
|---|---|
| History and audit | history_search, events_query, request_trace_get, history://sessions, and history://session/{id} expose traceable operational history |
| Discovery and guidance | docs_search, docs://index, docs://page/{id}, model and provider catalog tools, pricing, and telemetry resources help agents inspect the live gateway surface |
| Regions and gateway state | regions_list, region_get, gateway://effective-config, gateway://tool-servers, regions://catalog, and regions://organization expose locality and governed runtime state |
| Context fabric | session_init, context_search, context_share, context_recent, schema_lookup, plus context://team, context://branch/{name}, context://schema/{table}, and context://recent support shared engineering context |
| Governance | policy_lint, policy_test, tool_servers_list, tool_server_get, and tool_server_validate expose Keeptrusts-specific governance workflows |
tools/list and resources/list are authoritative for the capabilities
available on a particular published gateway version.
Boundary with gateway MCP routing
Do not confuse the hosted Keeptrusts MCP surface with the gateway's native MCP bridge config:
| Surface | Purpose |
|---|---|
Published hostname /mcp | Expose Keeptrusts itself as a gateway-hosted MCP surface |
providers.targets[].mcp | Route gateway traffic to an external MCP backend |
tool_servers | Declare config-managed tool-server metadata for validation and discovery |
Connection snippets
Every MCP client needs the same two ingredients: the gateway's published agent
hostname (for example your-agent.example.com) and your
Access Key as a bearer token. Replace <your-published-hostname> with the
resolved hostname and make KEEPTRUSTS_API_TOKEN available to your MCP client
environment.
Codex CLI
Register the streamable HTTP server and tell Codex which environment variable contains the bearer token:
codex mcp add keeptrusts \
--url "https://<your-published-hostname>/mcp" \
--bearer-token-env-var KEEPTRUSTS_API_TOKEN
Cursor
Add to .cursor/mcp.json in your project or global Cursor config:
{
"mcpServers": {
"keeptrusts": {
"url": "https://<your-published-hostname>/mcp",
"headers": {
"Authorization": "Bearer ${env:KEEPTRUSTS_API_TOKEN}"
}
}
}
}
Claude Code
Register via the CLI:
claude mcp add \
--transport http \
--header "Authorization: Bearer ${KEEPTRUSTS_API_TOKEN}" \
keeptrusts "https://<your-published-hostname>/mcp"
Optional repository installer
If you have a Keeptrusts repository checkout containing
scripts/install-mcp.sh, the script can configure detected Cursor, Claude Code,
Codex CLI, OpenCode, and VS Code clients. Preview its changes first:
export KEEPTRUSTS_API_TOKEN="kt_ak_..."
./scripts/install-mcp.sh \
--dry-run \
--hostname "<your-published-hostname>"
The script prints the MCP URL, credential environment variable, project directory, and per-assistant configuration summary.
After reviewing the target files and token-variable name, rerun without
--dry-run. The script is optional; normal customers can use the manual client
configuration without a repository checkout.