[3.13] AI Gateway: MCP tools access control #3362
Description
Document MCP tool access control in ai-mcp-proxy. Explain how Consumers and Consumer Groups restrict tool access using allow/deny rules.
Definition of done
- Add section to
ai-mcp-proxydocs for MCP ACLs - Show config fields for:
- allow-list / deny-list
- identifiers:
consumer_id,username,custom_id,consumer_group
- Describe behavior with existing auth plugins (key-auth, oauth2)
- Add examples (tool-level ACL config)
- Document audit log events for allowed/denied tool calls
- Clarify out-of-scope (listener mode, OAuth2 MCP auth in Phase 2)
Additionally, we'll need:
- a how-to based on @hackerchai demo
- a migration guide:
Migration Path
For users already using the `ai-mcp-proxy` plugin:
Phase 1: Add an authentication plugin (for example, `key-auth`) and configure Consumers/Groups
Phase 2: Add ACL fields to the schema
Phase 3: Start defining ACL rules
Phase 4: Enable audit logging to monitor access
Additional information
Implementation details: https://docs.google.com/document/d/1cf-iwtD4WISESc8tMmDuXWoflLzcaQGJdGhEInH8PO4/edit?tab=t.0
Person of contact: Eason Chai
Size
M to L