Kong AI Gateway 3.13 introduces MCP Tool ACLs, a powerful feature that enables fine-grained authorization and granular security policies for individual AI agent tools, solving the 'all-or-nothing' access problem.
The evolution of AI agents and autonomous systems has created new challenges for enterprise organizations. While securing API endpoints is well-understood, controlling access to individual AI agent tools presents a unique authorization problem. Today, we're excited to announce a powerful solution to this challenge: MCP Tool ACLs in Kong AI Gateway 3.13.
MCP Tool ACLs (Access Control Lists) enable organizations to implement granular authorization policies that control which tools within an MCP server can be accessed by specific users, applications, or AI agents. This feature operates at the gateway layer, allowing you to:
Maintain RESTful upstream APIs: Continue using standard REST APIs while exposing MCP interfaces at the gateway.
One of the most powerful aspects of Kong AI Gateway is its ability to bootstrap an MCP interface from existing RESTful APIs. Here's how the complete workflow operates:
Let's say you have a flight service API with several operations:
This API is defined in OpenAPI specification and works with standard REST clients.
Kong AI Gateway's MCP Proxy Plugin transforms your RESTful API into an MCP-compatible interface. Incoming requests from AI agents, IDEs, or MCP inspectors use the MCP protocol, while Kong translates these to standard RESTful upstream requests.
Integration with authorization servers with the MCP OAuth2 plugin provides robust authentication, identifying the developer, application, or agent attempting to access your MCP server. The MCP OAuth2 plugin acts as an extension to OpenID Connect (OIDC), allowing for seamless integration with compliant identity providers. In our implementation, we use Okta as the identity provider, generating OAuth2 tokens that authenticate each connection.
Here's where the magic happens. In your Kong configuration, you define a default ACL policy and then explicitly grant permissions:
This creates a default-deny policy where the dev-team consumer group is blocked from all tools by default. Then, for specific tools you want to expose:
This approach ensures that only explicitly permitted tools are accessible. Tools without an allow ACL—like booking and deletion operations—remain blocked by the default policy.
When an MCP client connects and executes the tools/list RPC call, Kong intercepts the response from your upstream API and filters the tool list based on the authenticated user's permissions. Clients only see the tools they're authorized to use — they never even know about restricted tools.
Development teams can query production data and test integrations without risk of modifying critical records. QA teams receive read-write access to staging environments, while production write access remains restricted to specific service accounts.
Different customers or tenants can access different subsets of tools from the same MCP server. A basic tier might access read-only tools, while premium tiers unlock advanced capabilities—all managed through declarative ACL policies.
Deploy AI agents with confidence by limiting their tool access based on risk profiles. Customer-facing agents might only access retrieval tools, while internal agents receive broader permissions for automated workflows.
Organizations in regulated industries can enforce strict segregation of duties by ensuring that users who can query sensitive data cannot also modify or delete it—a common compliance requirement.
Let's walk through a practical example using Kong's declarative configuration. We'll expose flight operations via MCP and give the development team read access while restricting booking and deletion operations.
Step 1: Configure the Service and Route
Step 2: Add MCP OAuth2
This configuration integrates with your OAuth2 identity provider (Okta in this example) and validates the presented JWT Token.
The MCP OAuth2 plugin also offers RFC 8707 compliance, exposing a resource metadata endpoint. This allows MCP clients to discover the authorization server and resource location automatically.
Step 3: Configure MCP Proxy with Tool-Level ACLs
Understanding the ACL Logic
The configuration above implements a default-deny approach:
The default_acl blocks all tools for the dev-team consumer group
Individual tools explicitly allow access by adding the dev-team to their allow list
Tools without explicit allow ACLs (like booking and deletion) remain blocked
This creates a secure-by-default posture where new tools are automatically restricted
Step 4: Connect and Verify
When developers authenticate via OAuth2 and connect their MCP client (such as the Insomnia MCP inspector), the tools/list call returns only the three GET operations. The POST and DELETE tools are completely filtered out—clients never see them in the available tools list.
The MCP Tool ACL feature integrates seamlessly with Kong's existing capabilities:
MCP Tool ACLs are available now in Kong AI Gateway 3.13. To start using this feature:
For detailed documentation and configuration examples, visit the Kong AI Gateway 3.13 release notes and the MCP Proxy Plugin documentation.
Kong’s MCP support isn’t locked down to the AI Gateway. You can also use Kong Insomnia to inspect and test MCP workflows–and even test how certain AI Gateway policies work when used for MCP use cases.
MCP Tool ACLs represent a significant step forward in securing and governing AI agent architectures. As organizations increasingly deploy autonomous agents and agentic workflows, fine-grained authorization becomes not just a nice-to-have but a critical requirement.
We're excited to see how enterprises leverage this capability to build safer, more compliant AI systems. The combination of Kong's battle-tested API gateway capabilities with cutting-edge AI agent protocols creates a powerful foundation for the next generation of intelligent applications.
Ready to add fine-grained tool authorization to your AI agent infrastructure? Explore Kong AI Gateway 3.13 today and discover how MCP Tool ACLs can transform your approach to AI governance.
For questions, feedback, or to share your implementation stories, connect with the Kong Community or reach out to our team. We're here to help you build secure, scalable AI agent systems.
Companies are charging headfirst into AI, with research around agentic AI in the enterprise finding as many as 9 out of 10 organizations are actively working to adopt AI agents. LLMs are being deployed, agentic workflows are getting created left
MCP ACLs, Claude Code Support, and New Guardrails New providers, smarter routing, stronger guardrails — because AI infrastructure should be as robust as APIs We know that successful AI connectivity programs often start with an intense focus on how
What does the solution space look like so far? The solution landscape is complicated by the fact that MCP is still finding its footing, and there are many various OSS projects and vendors that are rapidly shipping “MCP support” in an attempt to take
Bridging the API (and API access) gap between AI coding tools, agents, and the APIs that they “eat” Data might be the fuel for AI. But APIs are the proper way to package that “fuel” as AI-ready “food” is through the API. AI coding tools can do a lot
Why AI guardrails matter It's natural to consider the necessity of guardrails for your sophisticated AI implementations. The truth is, much like any powerful technology, AI requires a set of protective measures to ensure its reliability and integrit
LLMs are powerful, but not inherently privacy-aware LLMs operate as highly capable, non-deterministic pattern matchers. But they come with two significant privacy challenges: They don’t automatically distinguish between sensitive and non-sensitive
In one of our posts, Kong AI/MCP Gateway and Kong MCP Server technical breakdown, we described the new capabilities added to Kong AI Gateway to support MCP (Model Context Protocol). The post focused exclusively on consuming MCP server and MCP tool