# MCP Gateway — connect your tools once > Point any MCP client at one URL and get AnyRouter's native tools plus every connected third-party MCP server, with auth managed for you. # MCP Gateway Point any MCP client at one URL, get AnyRouter's native tools **plus** every connected third-party MCP server — with auth managed for you. Every coding agent normally has to be wired up to each MCP server separately, and each server has its own login. **MCP Gateway flips that around:** connect a server **once** in the AnyRouter dashboard, and its tools show up at the AnyRouter MCP endpoint you already use — authenticated with the **same AnyRouter API key** you use for models. One endpoint. One key. Every tool. ``` https://anyrouter.dev/api/v1/mcp ``` ## How it works 1. **Connect a server.** In the dashboard, open **MCP Gateway**, click **Add server**, paste the server's URL, and authenticate (no auth, or an API key / token). 2. **AnyRouter discovers its tools** and stores your credential **encrypted** — it never leaves AnyRouter and never reaches your MCP client. 3. **Use it anywhere.** Point any MCP client at the AnyRouter endpoint with your key. The connected server's tools appear alongside AnyRouter's own, **namespaced** so names never collide: ``` linear__create_issue github__open_pr ``` 4. **Call a tool** and AnyRouter proxies it to the right upstream server using the credential it stored for you, then streams the result back. ## Connect a server 1. Go to **Dashboard → MCP Gateway**. 2. Click **Add server**. 3. Enter a **name** (used as the namespace prefix, e.g. `linear`) and the **server URL**. 4. Choose authentication: - **None** — for servers that don't require a credential. - **API key / token** — pasted once, stored encrypted, sent to the upstream as an `Authorization: Bearer …` header. 5. AnyRouter discovers the server's tools. Pick which ones to expose. The tools are available at your unified endpoint immediately — no per-client reconfiguration. ## Add from the catalog You don't have to know a server's URL by heart. Open **Add server** and pick from the **catalog** of popular MCP servers — each one is pre-filled with the right URL and the right way to sign in: - **Cloudflare** — manage Workers, KV, R2, D1, and observability. - **Firecrawl** — crawl and extract content from any website. - **GitHub** — open pull requests, search code, manage issues. - **Linear** — create and update issues, search your workspace. - **Notion** — read and write pages and databases. Select a server and authenticate the way it expects: - **OAuth** — click **Connect**, approve in the provider's window, and you're done. No keys to copy. - **API key** — paste the provider's key once; it's stored encrypted and never reaches your client. - **Nothing** — some servers are open and need no credential at all. Once connected, the server's tools appear at your unified endpoint, namespaced by connection — exactly like a server you added by URL. ## Managed Access (teams) For teams, connecting servers one person at a time doesn't scale. **Managed Access** lets an organization admin connect the company identity provider **once**, and every member gets the MCP Gateway automatically when they sign in with SSO — no manual keys, no per-person setup. - **Admin connects the IdP once.** Point Managed Access at your organization's identity provider and approve it a single time. - **Members just sign in.** When a member signs in through SSO, the gateway and its tools are ready for them immediately — there's nothing to copy or configure. - **Access follows your directory.** When someone joins or leaves, their access to the gateway follows their SSO account. > Managed Access is powered by the MCP Enterprise-Managed Authorization extension. ## Access log Every tool call through the gateway is recorded in your dashboard, so you always know what ran and when. Each entry shows the connection, the tool, who called it, and the result — useful for debugging an agent's behavior and for keeping an audit trail of what your tools did on your behalf. ## Choose which tools to expose Open a connection to see its discovered tools. Toggle any tool off to hide it from the unified endpoint; toggle it back on at any time. Use **Test a tool** to invoke one directly from the dashboard and confirm the connection works. ## Manage connections Each connection card shows its status: - **Connected** — tools are live at the endpoint. - **Needs re-auth** — the stored credential was rejected; use **Re-authorize** to update it. - **Error** — the server couldn't be reached. AnyRouter keeps serving the last known tool list and retries; a repeatedly failing server is paused automatically so it can't slow down the rest. From a connection's menu you can **Re-sync tools**, **Re-authorize**, or **Remove** it. ## Security - Upstream credentials are **encrypted at rest** and scoped to your workspace. - Your MCP client only ever sees your **AnyRouter key** — never the upstream credential. - Removing a connection deletes its stored credential. ## Use it Point any MCP client at the endpoint exactly as in the [MCP overview](/docs/mcp.md) — nothing changes in the client. Once a server is connected, its tools simply appear: ```bash claude mcp add --transport http anyrouter https://anyrouter.dev/api/v1/mcp ``` Ask your agent to list its tools and you'll see both AnyRouter's native tools and your connected servers', namespaced by connection.