AI Gateway Enterprise: This plugin is only available as part of our AI Gateway Enterprise offering.
The AI MCP Proxy plugin lets you connect any Kong-managed Service to the Model Context Protocol (MCP). It acts as a protocol bridge, translating between MCP and HTTP so that MCP-compatible clients can either call existing APIs or interact with upstream MCP servers through Kong.
The plugin’s mode parameter controls whether it proxies MCP requests, converts RESTful APIs into MCP tools, or exposes grouped tools as an MCP server. This flexibility allows you to integrate existing HTTP APIs into MCP workflows, front third-party MCP servers with Kong’s policies, or expose multiple tool sets as a managed MCP server.
Because the plugin runs directly on Kong AI Gateway, MCP endpoints are provisioned dynamically on demand. You don’t need to host or scale them separately, and the Kong AI Gateway applies its authentication, traffic control, and observability features to MCP traffic at the same scale it delivers for traditional APIs.
Note: Unlike other available AI plugins, the AI MCP Proxy plugin is not invoked as part of an LLM request flow.
Instead, it’s part of an MCP request flow. It’s registered and executed as a regular plugin, between the MCP client and the MCP server, allowing it to capture MCP traffic independently of LLM request flow.
Do not configure the AI MCP Proxy plugin together with other AI plugins on the same Service or Route.
The AI MCP Proxy bridges the Kong plugin ecosystem with the MCP world, enabling you to bring all of Kong’s traffic management, security, and observability capabilities to MCP endpoints:
The AI MCP Proxy plugin handles MCP requests by converting them into standard HTTP calls and returning the responses in MCP format. The flow works as follows:
Accepts MCP protocol requests from a client.
Parses the MCP tool call and matches it to an OpenAPI operation.
Converts the operation into a standard HTTP request.
Sends the request to the upstream Service.
Wraps the HTTP response in MCP-compatible format and returns it.
sequenceDiagram
participant C as MCP Client
participant K as Kong (AI MCP Proxy plugin)
participant U as Upstream Service
C->>K: MCP request (tool invocation)
activate K
K->>K: Parse MCP payload
K->>K: Map to HTTP endpoint (OpenAPI schema)
K->>U: HTTP request
deactivate K
activate U
U-->>K: HTTP response
deactivate U
activate K
K->>K: Convert to MCP format
K-->>C: MCP response
deactivate K
Pings from your MCP client are included in the total request count for your Kong AI Gateway instance, in addition to the requests made to the MCP server.
The AI MCP Proxy plugin operates in four modes, controlled by the config.mode parameter. Each mode determines how Kong handles MCP requests and whether it converts RESTful APIs into MCP tools.
Listens for incoming MCP requests and proxies them to the upstream_url of the Gateway Service.
Generates MCP observability metrics for traffic, making it suitable for third-party MCP servers hosted by users.
Use when you already operate an MCP server and want Kong Gateway to act as an authenticated, observable entrypoint for it.
Useful for exposing a third-party or internally hosted MCP service through Kong Gateway.
Converts RESTful API paths into MCP tools and accepts incoming MCP requests on the Route path.
You can define tools directly in the plugin configuration and optionally set a server block.
v3.13+ The conversion-listener mode also supports adding session identifiers set by authentication services in the configuration parameters. See the cookie conversion example for details on handling cookie-based authentication.
Use when you want to make an existing REST API available to MCP clients directly through Kong Gateway.
Common for services that both define and handle their own tools.
Converts RESTful API paths into MCP tools but does not accept incoming MCP requests.
tags can be defined at the plugin level and are used by listener plugins to expose the tools. This mode does not define a server.
This mode must be used together with other AI MCP Proxy plugins configured with the listener mode.
Use when you want to define reusable tool specifications without serving them.
Suitable for teams that maintain a shared library of tool definitions for other listener plugins.
Similar to conversion-listener, but instead of defining its own tools, it binds multiple conversion-only tools using the config.server.tag property.
conversion-only plugins define tags at the plugin level, and the listener connects to them to expose the tools on a Route for incoming MCP requests.
This mode must be used together with other AI MCP Proxy plugins configured with the conversion-only mode.
Use when you need a single MCP endpoint that aggregates tools from multiple conversion-only plugins.
Typical in multi-service or multi-team environments that expose a unified MCP interface.
When exposing MCP servers through Kong Gateway, you may need granular control over which authenticated API consumers can discover and invoke specific tools. The AI MCP Proxy plugin’s ACL feature lets you define access rules at both the default level (applying to all tools) and per-tool level (for fine-grained exceptions)
This way, consumers only interact with tools appropriate to their role, while maintaining a complete audit trail of all access attempts. Authentication is handled by standard Kong AuthN plugins (for example, Key Auth or OIDC flows), and the resulting Consumer identity is used for ACL checks.
ACL in listener Mode
Listener mode does not support direct ACL configuration. Instead, it inherits ACL rules from tagged conversion-listener or conversion-only plugins.
The authenticated Consumer identity is matched against these identifiers. If the Consumer or any of their Consumer Groups match an ACL entry, the rule applies.
When configured, these rules replace the default ACL for that specific tool. The per-tool ACL doesn’t inherit or merge with default_acl—it is an all-or-nothing override.
If a tool defines its own ACL, the plugin ignores default_acl for that tool:
Tools with no ACL configuration inherit the default rules (both allow and deny lists)
Tools with an ACL must explicitly list all allowed subjects (even if they were already in default_acl)
Both default and per-tool ACLs use allow and deny lists. Evaluation follows this order:
Deny list configuration: If a deny list exists and the subject matches any deny entry, the request is rejected (INVALID_PARAMS -32602).
Allow list configuration: If an allow list exists, the subject must match at least one entry; otherwise, the request is denied (INVALID_PARAMS -32602).
No allow list configuration: If no allow list exists and the subject is not in deny, the request is allowed.
No ACL configuration: If neither list exists, the request is allowed.
All access attempts (allowed or denied) are written to the plugin’s audit log.
The table below summarizes the possible ACL configurations and their outcomes.
The AI MCP Proxy plugin evaluates ACLs for both tool discovery and tool invocation. These are two distinct operations with different behaviors:
Tool Discovery (List tools):
MCP client requests the list of available tools
Kong AuthN plugin validates the request and identifies the Consumer
AI MCP Proxy loads the Consumer’s group memberships
Plugin evaluates each tool against the default_acl
Plugin returns an HTTP 200 response with only the tools the Consumer is allowed to access
Plugin logs the discovery attempt
Tool invocation:
MCP client invokes a specific tool
Kong AuthN plugin validates the request and identifies the Consumer
AI MCP Proxy loads the Consumer’s group memberships
Plugin evaluates the tool-specific ACL if it exists, or the default ACL otherwise
Plugin logs the access attempt (allowed or denied)
Plugin returns INVALID_PARAMS -32602 if denied, or forwards the request to the upstream MCP server if allowed
sequenceDiagram
participant Client as MCP Client
participant Kong as Kong Gateway
participant Auth as AuthN Plugin
participant ACL as ai-mcp-proxy (ACL/Audit)
participant Up as Upstream MCP Server
participant Log as Audit Sink
%% ----- List Tools -----
rect
note over Client,Kong: List Tools (Default ACL Scope)
Client->>Kong: GET /tools
Kong->>Auth: Authenticate
Auth-->>Kong: Consumer identity
Kong->>ACL: Evaluate scoped default ACL
ACL-->>Log: Audit entry
alt Allowed
Kong-->>Client: Filtered tool list
else Denied
Kong-->>Client: INVALID_PARAMS -32602
end
end
%% ----- Tool Invocation -----
rect
note over Client,Up: Tool Invocation (Per-tool ACL)
Client->>Kong: POST /tools/{tool}
Kong->>Auth: Authenticate
Auth-->>Kong: Consumer identity
Kong->>ACL: Evaluate per-tool ACL
ACL-->>Log: Audit entry
alt Allowed
Kong->>Up: Forward request
Up-->>Kong: Response
Kong-->>Client: Response
else Denied
Kong-->>Client: INVALID_PARAMS -32602
end
end
The AI MCP Proxy plugin provides support for MCP operations and upstream interactions, while certain advanced features and non-HTTP protocols are not currently supported. The table below summarizes what is supported and what is outside the current scope.
Features
Description
Supported
Protocol
Handling latest streamable HTTP with HTTP and HTTPS upstreams
OpenAPI operations
Mapping MCP calls to upstream HTTP operations based on the OpenAPI schema
JSON format
Handling standard JSON request and response bodies
Form-encoded data
Handling application/x-www-form-urlencoded
SNI routing
Converting SNI-only routes
Form and XML data
Handling formats such as multipart/form-data or XML
Advanced MCP features
Handling structured output, active notifications on tool changes, and session sharing between instances
Non-HTTP protocols
Handling WebSocket and gRPC upstreams
AI Guardrails
Applying guardrails to MCP AI plugin requests and responses
