Self-Hosting

The hosted gateway at mcp-gateway.waxell.dev is the default. For teams whose upstreams live inside a private network — internal MCP servers, databases reachable only in-VPC — the gateway also ships as a single-tenant, self-hosted deployment.

Shape

A Docker Compose bundle runs the gateway in your network:

The gateway container terminates MCP traffic from your clients and dispatches to upstreams inside your VPC — internal traffic never leaves.
It phones home to the Waxell controlplane for what the controlplane owns: identity resolution, policy rules (synced continuously), per-user OAuth grant lookups, approval decisions, and durable audit storage.
Stdio upstreams are first-class here: the self-hosted gateway can spawn local MCP servers as subprocesses (npx @modelcontextprotocol/server-*, internal binaries) alongside HTTP upstreams.

The trade: you operate the data plane; Waxell stays the control plane. Policies, approvals, and audit work identically to hosted.

When to choose it

Upstreams that are unreachable from the public internet
Data-residency requirements on tool-call payloads
Stdio/subprocess MCP servers you don't want to wrap in HTTP

Getting it

Self-hosting is available on enterprise plans — talk to us and we'll walk through the bundle (docker-compose + environment reference) against your network layout.

Shape​

When to choose it​

Getting it​

Shape

When to choose it

Getting it