Secure every API and MCP server behind one control plane.
GreenGateway is a self-hosted gateway for teams that need authentication, authorization, audit, traffic visibility, and visual firewall controls in front of internal APIs, agent tools, and MCP servers.
Data path
Clients and tools pass through policy before reaching APIs or MCP.
Control plane
Operators review traffic, build rules, and audit decisions.
Use one or all. Best-of-breed controls integrated as a gateway.
GreenGateway sits between callers and upstream systems, learns the traffic shape, and turns observed behavior into enforceable rules operators can review.
Identity first
Authentication
JWT, OIDC discovery, cookie-session validation, service tokens, and observe mode for rollout.
Policy as data
Authorization
Hot-reloadable RBAC and direct firewall rules with shadow enforcement before blocking traffic.
Tools governed
Native MCP
A gateway-owned MCP endpoint, dynamic tool registry, JSON Schema validation, and upstream MCP proxying.
Learn first
Traffic discovery
Endpoint inventory, schema mismatch detection, anomaly signals, and traffic-derived rule suggestions.
Evidence built in
Audit pipeline
Structured audit events, live event stream, SQLite query API, policy history, and rollback context.
Outbound control
Egress firewall
SSRF-hardened outbound HTTP with host allowlists, private-IP protections, and DNS rebinding controls.
Manage API and MCP policy without leaving the control plane.
The embedded admin UI includes traffic inventory, live tail, identity drill-downs, anomaly signals, a visual rule builder, policy history, and shadow-mode review. The goal is operational control without hand-editing policy JSON for every change.
Traffic inventory
Observed endpoints
Rule preview
Promote after evidence
Preview a deny, allow, or shadow rule against historical traffic before changing the live policy.
Start with a self-contained dev stack.
GreenGateway ships with a Docker Compose development profile, local JWKS fixtures, seeded RBAC policy, an echo upstream, and the embedded admin UI. It is pre-alpha, so the page is intentionally clear about evaluation status.
Designed for teams evaluating API and agent control-plane patterns.
GreenGateway is not presented as a production-ready managed product. It is useful today for technical review, local experimentation, architecture validation, and conversations about how API gateways, MCP servers, identity, policy, and audit should fit together before agent-accessible systems expand.
What to test first
Run the dev stack, send authenticated traffic through the proxy, inspect endpoint discovery, and preview a rule before enforcing it.
What to review
Look at auth provider setup, direct firewall rules, MCP tool validation, audit events, and how shadow decisions become evidence.
What to avoid
Do not treat the pre-alpha build as a finished security boundary for regulated production workloads without your own hardening review.
Built in public for inspection, contribution, and internal use.
GreenGateway is published by Greenhat-Security as a source-available community project under Apache 2.0 with Commons Clause terms. Teams can inspect the implementation, run it internally, and follow the roadmap as MCP and API governance patterns mature.
Open repositoryFor platform teams
Put one enforceable policy surface in front of internal APIs, service tools, and agent-accessible systems.
For security teams
Review traffic, inspect identities, promote shadow rules, and retain audit context around every decision.
For AI builders
Expose MCP tools through a gateway that understands auth, schema validation, discovery, and policy.
For operators
Start in observe and shadow modes before moving rules into blocking enforcement.
Put a policy gateway in front of the systems your agents and APIs can reach.
Use the repository to evaluate the project today, or talk with GreenHat Labs about gateway patterns for API, MCP, and agentic-system control planes.