API Gateway

The LiteLLM CVE-2026-42271 and Starlette BadHost CVE-2026-48710 chain turned authenticated command injection into unauthenticated RCE. The deeper lesson: AI gateways hold model credentials, route sensitive traffic, and expose MCP utility endpoints — and need action-time authorization, not flat API keys.

MCP auth is necessary, but it is not the same thing as agent authorization. If you want secure agent systems, you need identity, delegation, policy, and runtime enforcement beyond OAuth.

If you are comparing an MCP gateway to a basic MCP proxy, the real difference is not routing. It is identity, authorization, consent, auditability, and runtime control for agent actions.

A practical blueprint for securing Model Context Protocol (MCP) agents across identity, consent, policy, and audit layers without rewrites.

Announcing Permit MCP Gateway, a new trust and enforcement layer for MCP that brings identity, consent, fine-grained authorization, auditability, and runtime control to AI agent actions.

Discover best practices for authorization in REST API. Learn about API authorization layers, actors, tools like Permit.io and OPAL.

Kong is a popular API gateway, but managing access to its APIs and services is hard - especially when required advanced permissions models like RBAC/ABAC/ReBAC