*** title: mcp-gateway slug: /reference/python/agents/cli/mcp-gateway description: HTTP bridge between MCP servers and SignalWire SWAIG functions. max-toc-depth: 3 --------------------- For a complete index of all SignalWire documentation pages, fetch https://signalwire.com/docs/llms.txt [configloader]: /docs/server-sdks/reference/python/agents/configuration/config-loader [securityconfig]: /docs/server-sdks/reference/python/agents/configuration/security-config The `mcp-gateway` command starts an HTTP/HTTPS server that bridges [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) servers with SignalWire SWAIG functions. It manages sessions, handles authentication, translates between MCP tool calls and SWAIG format, and provides rate limiting and security headers. ```bash mcp-gateway [-c CONFIG_PATH] ``` Path to the JSON configuration file. ## Configuration The gateway is configured via a JSON file. All settings support environment variable substitution using `${VAR_NAME|default}` syntax via [`ConfigLoader`][configloader]. ### Minimal Configuration ```json { "server": { "host": "0.0.0.0", "port": 8080, "auth_user": "admin", "auth_password": "${MCP_AUTH_PASSWORD|changeme}" }, "services": { "my-service": { "command": ["python3", "./my_mcp_server.py"], "description": "My MCP service", "enabled": true } } } ``` ### Full Configuration Reference ```json { "server": { "host": "0.0.0.0", "port": 8080, "auth_user": "admin", "auth_password": "${MCP_AUTH_PASSWORD}", "auth_token": "${MCP_BEARER_TOKEN}" }, "services": { "service-name": { "command": ["python3", "./server.py"], "description": "Service description", "enabled": true, "sandbox_config": { "enabled": true, "resource_limits": true, "restricted_env": true } } }, "session": { "default_timeout": 300, "max_sessions_per_service": 100, "cleanup_interval": 60 }, "rate_limiting": { "default_limits": ["200 per day", "50 per hour"], "tools_limit": "30 per minute", "call_limit": "10 per minute", "session_delete_limit": "20 per minute", "storage_uri": "memory://" }, "logging": { "level": "INFO", "file": "/var/log/mcp-gateway.log" } } ``` ## Configuration Sections ### server Bind address for the gateway server. Port for the gateway server. Username for HTTP Basic Authentication on all protected endpoints. Password for HTTP Basic Authentication. Bearer token for token-based authentication. If set, clients can authenticate with `Authorization: Bearer ` as an alternative to Basic Auth. ### services Each key in the `services` object defines an MCP server that the gateway can spawn and manage. The command and arguments to start the MCP server process. Human-readable description of the service. Whether the service is active. Disabled services are not started or listed. Sandbox configuration for process isolation. Controls resource limits and environment restrictions for the spawned MCP process. ### session Default session timeout in seconds. Sessions are cleaned up after this duration of inactivity. Maximum concurrent sessions per MCP service. Interval in seconds between session cleanup sweeps. ### rate\_limiting Default rate limits applied to all endpoints. Rate limit for the tool listing endpoint. Rate limit for tool call endpoints. Rate limit for session deletion endpoints. Storage backend for rate limit counters. Use `memory://` for in-process storage or a Redis URI for distributed deployments. ## API Endpoints The gateway exposes the following HTTP endpoints: | Endpoint | Method | Auth | Description | | ------------------------ | ------ | ---- | -------------------------------------- | | `/health` | GET | No | Health check with status and timestamp | | `/services` | GET | Yes | List available MCP services | | `/services//tools` | GET | Yes | List tools for a specific service | | `/services//call` | POST | Yes | Call a tool on a service | | `/sessions` | GET | Yes | List active sessions | | `/sessions/` | DELETE | Yes | Terminate a specific session | ### Calling a Tool ```bash curl -X POST "http://localhost:8080/services/my-service/call" \ -u admin:password \ -H "Content-Type: application/json" \ -d '{ "tool": "my_tool", "session_id": "call-123", "arguments": {"param": "value"}, "timeout": 300 }' ``` ## SSL Support If a certificate file exists at `certs/server.pem`, the gateway automatically enables HTTPS. The gateway also uses [`SecurityConfig`][securityconfig] for security headers (X-Content-Type-Options, X-Frame-Options, HSTS, etc.). ## Example ```bash # Start with default config.json mcp-gateway # Start with custom config path mcp-gateway -c /etc/mcp-gateway/config.json ```