GreenHat Labs / Product 04
Pre-alpha, self-hosted, source-available

Secure every API and MCP server behind one control plane.

GreenGateway is a self-hosted gateway for teams that need authentication, authorization, audit, traffic visibility, and visual firewall controls in front of internal APIs, agent tools, and MCP servers.

MCP
native endpoint
RBAC
hot reload
Audit
queryable trail
Animated GreenGateway architecture coverClients and developer tools flow through authentication, RBAC, and audit controls before reaching protected APIs and MCP servers. Blocked requests are denied at the gateway and logged.CLIcallerAgentcallerAdmin UIcallerAUTHRBACAUDITREST APIprotectedMCPprotectedTOOLSprotectedidentity verifiedleast privilege appliedaudit trail emitted

Data path

Clients and tools pass through policy before reaching APIs or MCP.

Control plane

Operators review traffic, build rules, and audit decisions.

Platform

Use one or all. Best-of-breed controls integrated as a gateway.

GreenGateway sits between callers and upstream systems, learns the traffic shape, and turns observed behavior into enforceable rules operators can review.

Identity first

Authentication

JWT, OIDC discovery, cookie-session validation, service tokens, and observe mode for rollout.

Policy as data

Authorization

Hot-reloadable RBAC and direct firewall rules with shadow enforcement before blocking traffic.

Tools governed

Native MCP

A gateway-owned MCP endpoint, dynamic tool registry, JSON Schema validation, and upstream MCP proxying.

Learn first

Traffic discovery

Endpoint inventory, schema mismatch detection, anomaly signals, and traffic-derived rule suggestions.

Evidence built in

Audit pipeline

Structured audit events, live event stream, SQLite query API, policy history, and rollback context.

Outbound control

Egress firewall

SSRF-hardened outbound HTTP with host allowlists, private-IP protections, and DNS rebinding controls.

Dashboard

Manage API and MCP policy without leaving the control plane.

The embedded admin UI includes traffic inventory, live tail, identity drill-downs, anomaly signals, a visual rule builder, policy history, and shadow-mode review. The goal is operational control without hand-editing policy JSON for every change.

/admin/discovery

Traffic inventory

Observed endpoints

live
GET/v1/admin/policyallowoperator.admin
POST/mcp/tools/callshadowagent.builder
GET/billing/{id}denysupport.viewer
PATCH/v1/users/{id}allowsecurity.admin

Rule preview

Promote after evidence

Preview a deny, allow, or shadow rule against historical traffic before changing the live policy.

match.path
/mcp/tools/call
would_affect
18 requests / 3 principals
Local first

Start with a self-contained dev stack.

GreenGateway ships with a Docker Compose development profile, local JWKS fixtures, seeded RBAC policy, an echo upstream, and the embedded admin UI. It is pre-alpha, so the page is intentionally clear about evaluation status.

quickstart.sh
$git clone https://github.com/Greenhat-Security/GreenGateway.git
$cd GreenGateway
$docker compose -f docker-compose.yml -f docker-compose.dev.yml up --build
>curl http://localhost:8080/health
{"status":"ok"}
Evaluation status

Designed for teams evaluating API and agent control-plane patterns.

GreenGateway is not presented as a production-ready managed product. It is useful today for technical review, local experimentation, architecture validation, and conversations about how API gateways, MCP servers, identity, policy, and audit should fit together before agent-accessible systems expand.

What to test first

Run the dev stack, send authenticated traffic through the proxy, inspect endpoint discovery, and preview a rule before enforcing it.

What to review

Look at auth provider setup, direct firewall rules, MCP tool validation, audit events, and how shadow decisions become evidence.

What to avoid

Do not treat the pre-alpha build as a finished security boundary for regulated production workloads without your own hardening review.

Source available

Built in public for inspection, contribution, and internal use.

GreenGateway is published by Greenhat-Security as a source-available community project under Apache 2.0 with Commons Clause terms. Teams can inspect the implementation, run it internally, and follow the roadmap as MCP and API governance patterns mature.

Open repository

For platform teams

Put one enforceable policy surface in front of internal APIs, service tools, and agent-accessible systems.

For security teams

Review traffic, inspect identities, promote shadow rules, and retain audit context around every decision.

For AI builders

Expose MCP tools through a gateway that understands auth, schema validation, discovery, and policy.

For operators

Start in observe and shadow modes before moving rules into blocking enforcement.

GreenHat Labs

Put a policy gateway in front of the systems your agents and APIs can reach.

Use the repository to evaluate the project today, or talk with GreenHat Labs about gateway patterns for API, MCP, and agentic-system control planes.