Core Documentation
Aegis MCP Gateway acts as a central governance, auditing, and policy enforcement proxy between LLM-powered applications (MCP clients) and the internal network resources, endpoints, and databases they interact with (MCP servers).
Unlike standard HTTP reverse proxies, Aegis has deep protocol-level awareness. It intercepts, parses, and restructures raw Model Context Protocol JSON-RPC traffic. This allows Aegis to inspect argument scopes, inject identity tokens, filter output values, and track user actions.
MCP Primitives
Aegis enforces policies across all six primitive layers specified by the Model Context Protocol, executing checks in both client-to-server and server-to-client directions:
| Primitive | Direction | Governance Role | Example Enforcement |
|---|---|---|---|
| Tools | Client → Server | Verifies function execution permissions and argument payloads. | Deny write-operations; check that query strings contain only SELECT. |
| Resources | Client → Server | Governs file reads, DB schema access, and external data fetches. | Limit path reads to /shared/public/*; block local path traversal. |
| Prompts | Client → Server | Regulates templates exposed to LLMs. | Restrict specialized financial prompts to users in the Advisors role. |
| Sampling | Server → Client | Intercepts requests asking the client LLM to generate completions. | Forbid servers from triggering unapproved sub-generations. |
| Roots | Client → Server | Controls directory hierarchies exposed to downstream servers. | Strip local file systems from roots list before routing to third-party endpoints. |
| Elicitation | Server → Client | Intercepts requests for user input or approval loops. | Require MFA verification for critical transaction approvals. |
Authentication & Identity
Aegis integrates with standard Enterprise Identity Providers (IdPs) to assert user and service identity. Inbound request tokens (JSON Web Tokens, or JWTs) are intercepted and verified against active JSON Web Key Sets (JWKS):
- Supported Integrations: Microsoft Entra ID, Okta, Auth0, Ping Identity, Google Workspace.
- Identity Mapping: Resolves JWT claims to a uniform `Principal { Subject, TenantId, Roles[], Attributes{} }` available in the policy engine context.
Downstream Credentials
Aegis manages credentials securely, meaning downstream servers do not need direct access to primary user credentials. The gateway maps inbound user identities using two techniques:
- OAuth On-Behalf-Of (OBO): Exchanges the inbound user token for a scope-restricted token dedicated to the target downstream server.
- Gateway-Held Service Credentials: Injects service tokens fetched from a secure repository (such as HashiCorp Vault or AWS Secrets Manager) using the `ISecretProvider` port.
Cedar Policy Language
Aegis uses the Cedar Policy Language from AWS for writing authorization policies. Cedar's design features ensure that policies are fast, secure, and provably correct:
- Forbid Wins: If a request matches both an `allow` and a `forbid` rule, the forbid rule overrides. This lets platform administrators enforce security boundaries that cannot be overridden by weaker application rules.
- Formal Proofs: The Cedar engine supports mathematical validation, allowing security teams to audit policy safety under all scenarios.
- In-Memory Evaluation: Evaluates policies in under 5ms (cached in memory) without network lookups during execution.
Context Properties
Aegis maps MCP Operation fields directly into the Cedar evaluation context:
```
context.primitive   // "tool" | "resource" | "prompt" | "sampling"
context.method      // e.g., "tools/call"
context.target      // e.g., "jira.create_issue"
context.arguments   // JSON element representing argument parameters
```
Server Integrity & Drift Validation
A major risk in MCP deployments is the "schema rug-pull" — where a compromised or altered downstream server updates its schema to expose dangerous operations or inject malicious tool descriptions. Aegis solves this via its Drift Validator:
- Registration Pinning: When a server is registered via the Control Plane, its schemas and description hashes are pinned.
- Active Scanning: The Drift Validator runs periodic polling against `tools/list` and `resources/list` endpoints, diffing responses against pinned hashes.
- Auto-Quarantine: If drift is detected, Aegis triggers an alert and immediately places the route into quarantine (disabling tool execution) until manually reviewed.
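
The pin-and-diff check described above, as an added example that is not Aegis code: it fingerprints each tool's name, description and input schema from a `tools/list` result and reports added, removed and changed tools. The function names, the SHA-256-over-canonical-JSON fingerprint, the single-page result and the sample tools are assumptions made for illustration.

```python
import hashlib
import json

def fingerprint(tool: dict) -> str:
    """SHA-256 over the fields of one tool that the client LLM is shown."""
    view = {
        "name": tool["name"],
        "description": tool.get("description", ""),
        "inputSchema": tool.get("inputSchema", {}),
    }
    # Canonical form (sorted keys, fixed separators): key order is never drift.
    canonical = json.dumps(view, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def pin(tools_list_result: dict) -> dict:
    """Registration pinning: tool name -> fingerprint."""
    return {t["name"]: fingerprint(t) for t in tools_list_result.get("tools", [])}

def detect_drift(pinned: dict, tools_list_result: dict) -> dict:
    """Diff a polled tools/list result against the pinned fingerprints."""
    current = pin(tools_list_result)
    return {
        "added": sorted(current.keys() - pinned.keys()),
        "removed": sorted(pinned.keys() - current.keys()),
        "changed": sorted(n for n in pinned.keys() & current.keys()
                          if pinned[n] != current[n]),
    }

def should_quarantine(drift: dict) -> bool:
    """Any added, removed or changed tool takes the route out of service."""
    return any(drift.values())

# Constructed sample data (hypothetical tools, single-page tools/list results).
SCHEMA = {"type": "object", "properties": {"query": {"type": "string"}}}
REGISTERED = {"tools": [
    {"name": "search_issues", "description": "Search issues.", "inputSchema": SCHEMA}]}
REORDERED = {"tools": [  # same tool, keys in a different order: not drift
    {"inputSchema": {"properties": {"query": {"type": "string"}}, "type": "object"},
     "description": "Search issues.", "name": "search_issues"}]}
POLLED = {"tools": [  # description rewritten and a new tool exposed
    {"name": "search_issues", "description": "Search issues. (altered text)",
     "inputSchema": SCHEMA},
    {"name": "delete_issue", "description": "Delete an issue.", "inputSchema": SCHEMA}]}

if __name__ == "__main__":
    pinned = pin(REGISTERED)
    for label, polled in (("reordered", REORDERED), ("polled", POLLED)):
        drift = detect_drift(pinned, polled)
        print(label, drift, "quarantine =", should_quarantine(drift))
```

Hashing the description together with the schema means a reworded tool description counts as drift even when the schema is byte-for-byte unchanged.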