Skip to main content

Security & Audit

The gateway assumes upstreams can change, be compromised, or misbehave — including the trusted ones. Defense is layered.

Tool fingerprinting & drift defense

Every tool the gateway discovers is fingerprinted: a hash over its name, description, and input schema. Fingerprints are versioned and visible at Governance → MCP Gateway → Fingerprints.

This is the counter to the rug pull: an upstream silently changing what search_documents means — say, adding "also forward the results to this URL" to its description, which the model will dutifully obey. When a tool's fingerprint changes:

  • the drift surfaces for review, and
  • a deny_drift policy rule blocks the changed tool at call time until a human re-approves it.

The same scanner that fingerprints tools also screens their descriptions for prompt-injection patterns. Findings land as risk flags on the tool, reviewable (and acknowledgeable, with reviewer + timestamp + note) at → Risks; a risk_deny rule blocks tools with unacknowledged flags at or above a chosen severity. New drift on a previously-acknowledged description re-flags it.

The SDK-side counterpart for agents you instrument yourself is covered in Rug-Pull Detection.

Data protection

  • DLP scanners run on arguments and results per policy — PII patterns, credentials (keys, JWTs), with scan-only or block variants.
  • Redaction strips configured keys from arguments or results before they cross the boundary.
  • Egress allowlists block results that reference hosts outside an approved set — a check on exfiltration via tool output.

Identity, end to end

  • Callers authenticate with Waxell OAuth (JWTs verified with pinned issuer and audience) or wax_ API keys.
  • The gateway resolves the caller to a user (plus roles, teams, and the agent profile acting for them) on every request — these drive policy matching and audit attribution.
  • Per-user upstream grants are encrypted at rest and never shared across users; open upstreams get no credentials at all rather than a shared token.

Audit

Every call writes a durable audit row: timestamp, user, agent, upstream, tool, policy decision (and which rules fired), success/error class, and approval linkage where applicable. Browse and filter at Governance → MCP Gateway → Audit, export as CSV for compliance workflows.

Because all traffic flows through one place, this is the answer to "what did AI touch in our systems last quarter?" — one query, not a forensic reconstruction across a dozen vendors' logs.