The control plane for agent tooling

Summon any tool.
Govern every agent.

One MCP endpoint that proxies all your MCP servers — with per-agent access control, a credential vault, and shared memory built into the gateway.

Drop-in for Claude, Cursor & any MCP client · Self-host or cloud
mcp.config.json
{
  "mcpServers": {
    "github": { "command": "npx",
      "args": ["-y", "@mcp/server-github"],
      "env": { "GITHUB_TOKEN": "ghp_live_xY9…" } },
    "slack": { "command": "npx", "args": ["@mcp/slack"],
      "env": { "SLACK_BOT_TOKEN": "xoxb-…" } },
    "postgres": { "command": "npx",
      "args": ["@mcp/postgres", "postgres://…"] },
    "stripe": { "command": "npx", "args": ["@mcp/stripe"],
      "env": { "STRIPE_API_KEY": "sk_live_…" } },
    "internal-tools": { "command": "node",
      "args": ["./mcp/internal.js"] }
  }
}
// 5 servers · 5 secrets on disk · no access control

{
  "mcpServers": {
    "mago": {
      "url": "https://gateway.mago.run/mcp",
      "headers": {
        "Authorization": "Bearer mago_live_••••"
      }
    }
  }
}


// 1 endpoint · 0 secrets on disk
// RBAC + vault + memory at the gateway
Same client. Every downstream MCP. · −4 servers · −5 secrets

The MCP sprawl problem

Every team building agents hits the same wall.

01 · A dozen MCP servers to deploy, version, and keep alive. (ops > product)
02 · Raw OAuth tokens and API keys copied into every agent. (secrets everywhere)
03 · No way to scope what a single agent is allowed to touch. (all-or-nothing)
04 · Nothing an agent learns survives the end of the session. (no shared memory)

One gateway, four jobs

Agents connect to mago. mago handles the rest.

Every request flows through a single control plane: it authorizes the call, injects the right credentials, routes to the downstream MCP, and reads or writes shared memory along the way.

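[Diagram: agents (support-agent, ci-bot, billing-agent) pass through the RBAC gate into the mago control plane (:mcp), where the credential vault injects secrets and the persistent, shared memory / wiki is read and written; the universal connector fans out to the MCP servers GitHub, Slack, Postgres, Stripe and internal-tools.]
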
01 · ROUTE

Universal connector

One endpoint speaks MCP to your client and fans out to every downstream server. Add or remove tools without touching agent config.

02 · GOVERN

RBAC for agents

Per-agent and per-role policies decide which tools and scopes a request can reach. Everything else is denied by default.

03 · SECURE

Credential vault

Downstream OAuth tokens and API keys live in mago and are injected at call time. Agents never hold a raw secret.

04 · REMEMBER

Memory & Wiki

A persistent memory layer and shared knowledge base every agent reads from and writes to — across sessions and teammates.

Access control

Scope every agent down to the tool.

Write policy once, in version control. mago enforces it on every call — before the request ever reaches a downstream server.

  • Roles, not credentials: Assign an agent a role; the role defines what it can call.
  • Tool- and scope-level grants: Allow github.read on docs/* while denying github.write entirely.
  • Deny by default: Anything not explicitly granted is rejected at the gateway and logged.

policy.mago.yaml
role: support-agent · Tier-1 support automation · 3 allow / 2 deny

  github.read      repo: docs/*      allow
  slack.post       #support only     allow
  postgres.read    tickets table     allow
  github.write                       deny
  stripe.*         all endpoints     deny
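
A minimal sketch of the deny-by-default check described above, using the support-agent role from the policy card. It is an added example, not mago's code or policy schema; the rule tuples, the authorize function, the path normalization and the deny-overrides-allow ordering are assumptions.

```python
from fnmatch import fnmatchcase
from posixpath import normpath

# Constructed rules mirroring the support-agent card above. The tuple layout
# (tool pattern, resource pattern, effect) is an assumption, not mago's schema.
POLICY = {
    "support-agent": [
        ("github.read", "docs/*", "allow"),
        ("slack.post", "#support", "allow"),
        ("postgres.read", "tickets", "allow"),
        ("github.write", "*", "deny"),
        ("stripe.*", "*", "deny"),
    ],
}


def authorize(role, tool, resource, audit_log):
    """Return True only for an explicit grant; log every rejection."""
    # Normalize first so "docs/../x" cannot ride on the "docs/*" grant.
    resource = normpath(resource)
    allowed, reason = False, "no matching grant (default deny)"
    for tool_pat, res_pat, effect in POLICY.get(role, []):
        if not (fnmatchcase(tool, tool_pat) and fnmatchcase(resource, res_pat)):
            continue
        if effect == "deny":
            # Assumption: an explicit deny overrides any allow, whatever the order.
            allowed, reason = False, f"explicit deny by {tool_pat}"
            break
        allowed, reason = True, f"granted by {tool_pat} on {res_pat}"
    if not allowed:
        # Rejections are recorded with the normalized resource and the reason.
        audit_log.append((role, tool, resource, reason))
    return allowed
```

An unknown role has no rules, so every call it makes falls through to the default deny.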

[Diagram: agent (holds: nothing) → tool call → mago · vault (resolves token, + Bearer sk_live_••••) → Stripe MCP (authenticated)]

  • Zero secrets in agents: Agents send a tool call with no credentials. mago looks up and injects the right one.
  • Rotate in one place: Swap a downstream key in the vault — every agent keeps working, no redeploys.

Credential vault

Agents call tools. They never see the keys.

Store every downstream OAuth token and API key in mago. When an authorized call comes through, the matching secret is attached at the gateway — then stripped from logs.

A leaked agent context can't leak a credential it was never given. Revoke an agent's key and its access is gone instantly, everywhere.

Memory & Wiki

Give your agents a memory that outlives the session.

A persistent store for facts an agent learns, and a shared wiki it can read and write — so the next agent, on the next run, starts where the last one left off.

memory · entry (PERSISTENT)

  key           customer/acme-corp
  plan          enterprise · seat-based
  primary_db    postgres://prod-eu-1
  escalation    #acme-warroom
  written_by    support-agent
  updated       2026-05-29 · 14:02 UTC

wiki · runbooks/refunds (SHARED)

  READ    billing-agent loaded the refund policy before acting. — 0.4s ago
  WRITE   Added note: refunds > $200 require a human approver. — support-agent
  READ    ci-bot referenced the deploy checklist on release. — 2h ago
  WRITE   Linked the EU data-residency doc to acme-corp. — support-agent

One connection.
Every MCP. Full control.

Point your MCP client at mago and govern every agent from day one.