MCP Gateway is available on Portkey Cloud. For the complete access control reference, see portkey.ai/docs/product/mcp-gateway.
Overview
Access control in the MCP Gateway lets you define policies that control:
- Which users or teams can reach which MCP servers
- Which specific tools within a server a user or team can invoke
- What happens when no policy grants access (deny by default)
Policy model
The gateway uses a deny-by-default model. If no policy grants access to a requested server or tool, the request is rejected with a 403 Forbidden response and the attempt is logged.
Access policies are configured in the Portkey dashboard under MCP Gateway → Access Control. Each policy specifies:
- Principals — who the policy applies to (users, teams, or roles)
- Resources — which servers and/or tools the principals can access
- Effect — allow or deny
Example scenarios
Allow a team to access a server
Grant the engineering team access to all tools on the filesystem and github servers. All other servers are inaccessible to this team.
Restrict access to specific tools
Allow the data-analysts team to call run_query and list_tables on the postgres server, but block destructive operations like drop_table.
Grant access by role
Users with the admin role get access to all registered servers and all tools.
Revoke a user instantly
Disable a specific user’s API key or virtual key in the Portkey dashboard. All subsequent requests from that credential are rejected immediately — no server changes needed.
Audit trail
Every access decision is logged:
- Allowed requests — logged with the server, tool, user, team, and latency
- Denied requests — logged with the reason, which policy was evaluated, and the requesting principal
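A minimal model of the deny-by-default evaluation and the decision record described above, written as an added example. It is not Portkey's implementation or policy schema: the Policy fields, the "team:"/"role:" principal strings, and the rule that an explicit deny overrides any allow are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Hypothetical policy shape: principals, resources (servers + tools), effect.
    name: str
    principals: frozenset   # e.g. {"team:engineering"} (assumed naming)
    servers: tuple          # server names; "*" means any server
    tools: tuple            # tool names; "*" means any tool
    effect: str             # "allow" or "deny"

# Constructed policies mirroring the three example scenarios on this page.
POLICIES = [
    Policy("eng-servers", frozenset({"team:engineering"}),
           ("filesystem", "github"), ("*",), "allow"),
    Policy("analyst-read", frozenset({"team:data-analysts"}),
           ("postgres",), ("run_query", "list_tables"), "allow"),
    Policy("admin-all", frozenset({"role:admin"}), ("*",), ("*",), "allow"),
]

def _matches(patterns, value):
    """Exact-name match, with "*" as the only wildcard (no glob parsing)."""
    return "*" in patterns or value in patterns

def decide(principals, server, tool, policies=POLICIES):
    """Return (http_status, reason, policy_name) for one tool invocation.

    The tuple carries what a denied-request log entry needs: the reason
    and the policy that was evaluated (None when nothing matched).
    """
    allowed_by = None
    for p in policies:
        if not (p.principals & set(principals)):
            continue                      # policy does not apply to this caller
        if not (_matches(p.servers, server) and _matches(p.tools, tool)):
            continue                      # policy does not cover this resource
        if p.effect == "deny":
            # Assumption: an explicit deny wins regardless of policy order.
            return 403, "explicit deny", p.name
        allowed_by = allowed_by or p.name  # remember the first allow
    if allowed_by:
        return 200, "allowed", allowed_by
    # Deny by default: no policy granted access to this server/tool.
    return 403, "no policy grants access", None
```

Running a table of expected (principal, server, tool) outcomes through a model like this before editing policies in the dashboard makes gaps visible, such as a team that silently loses access to a server nobody listed.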