Put Kynara in front of any MCP server so every tool call is authorized per agent — and agents only see the tools they're allowed to use. Swap one URL; no agent-side changes.
MCP makes it trivial for an agent to reach your tools — but it has no built-in answer to which agent may call which tool, on whose behalf, under what conditions. If an agent can reach a tool, it can call it.
# Front your upstream MCP server with the Kynara gateway
KYNARA_UPSTREAM_MCP_URL=https://your-mcp-server/sse \
KYNARA_API_KEY=sk_live_xxx \
KYNARA_MCP_SERVER_ID=<id from the MCP Gateway page> \
python main.py
# Then point your agent at the gateway instead of the upstream:
# before: { "url": "https://your-mcp-server/sse" }
# after: { "url": "http://kynara-mcp-gateway:9090/sse" }Each tool maps to a Kynara scope; the gateway authorizes every call and only advertises tools the agent may use. A tool pinned to deny can't be invoked, even by name.
Every consequential call is evaluated against RBAC + ABAC policies and runtime context before it executes.
An agent can never exceed the permissions of the user it acts on behalf of.
Route destructive or external-facing actions to a human for approval, with full context.
Every decision is appended to a SHA-256 hash-chained log for forensics and compliance.
Go deeper: read the guide · docs · compare Kynara.
New guides on AI agent governance, MCP security, and compliance — no spam.