Skip to main content

Cequence AI Gateway MCP

The Cequence AI Gateway MCP server lets any AI agent (Claude Desktop, Claude Code, Cursor, VS Code, ChatGPT, Codex, and others) manage your AI Gateway through natural language. Instead of clicking through the portal, you describe what you want — "expose the read-only Jira tools to a support-triage agent behind an OAuth login" — and the agent discovers the catalog, drafts the configuration, and creates it for you over the Model Context Protocol (MCP).

Overview

The Cequence AI Gateway MCP is a remote MCP server. Unlike the other remote MCP servers in this section, you don't add or configure it yourself — it is provisioned automatically for every tenant and is available out of the box in the MCP Registry (can be created using the app catalog too).

  • Transport: HTTP (Streamable HTTP)
  • Hosted by: Cequence
  • Provisioning: Automatic — created for every tenant, no setup required
  • Server URL: Shown on the server's details page in the UI - copy it from there to connect your client

Supported authentication types

TypeSupportedNotes
OAuth 2.0 / OIDCYesRequired and recommended. You authenticate with your AI Gateway (Descope) account through a browser-based OAuth flow. The server fronts a clean OAuth surface (RFC 8414 + RFC 9728) and proxies to the AI Gateway identity provider, so MCP clients complete the standard public-client PKCE flow.

Because it authenticates with your existing AI Gateway login, your permissions in the MCP server match your permissions in the portal. If your role can't create personas or MCP servers in the UI, those tool calls return the same authorization error over MCP.

What can you do with this MCP server

This server turns AI Gateway administration into a conversational, headless workflow. Capabilities are grouped by area below.

Discover the catalog and existing resources

  • Browse the Cequence-curated app catalog of pre-built APIs and remote MCP servers you can build from (list_third_party_apps, get_third_party_app).
  • List the tenant's uploaded custom API and MCP specs and inspect their endpoints or tools (list_api_specs, get_api_spec, list_mcp_specs, get_mcp_spec).
  • Discover the MCP servers (gateways) already deployed in the tenant and the tools each one exposes (list_mcp_servers, list_tools_for_mcp_server).
  • Explore the API Registry of registered REST APIs and their operations (list_apis, get_api_registry).
  • List private deployment pools and teams to scope where servers run and who can access them (list_pools, list_teams).

Create and manage MCP servers (gateways)

  • Create a new MCP server from an OpenAPI spec (choosing specific endpoints) or by proxying a remote MCP server (choosing specific tools), with your chosen inbound and upstream authentication and cloud or private deployment (create_mcp_server).

Create and manage agent personas

  • List and inspect existing agent personas, including the connect URL each one exposes (list_agent_personas, get_agent_persona).
  • Create a new agent persona — a named agent configuration that grants a least-privilege mix of MCP tools, REST API operations, and skills behind a chosen inbound auth method and rate limit (create_agent_persona).
  • Apply partial edits to an existing persona's grants, auth, rate limits, or teams (update_agent_persona).

Author and attach skills

  • Create a reusable skill — a SKILL.md-style runbook of behavioral guidance — and attach it to personas so agents load consistent instructions on top of their tools (create_skill, plus list_skills / get_skill to discover and inspect).

Apply data protection (DLP)

  • Get a deterministic DLP recommendation derived from a persona's tools, endpoints, and job description (recommend_dlp_policy).
  • Attach a DLP policy to a persona so it follows the agent across every tool, API, and model it uses (attach_dlp_policy).
  • Review the standard sensitive-data categories and the policies attached to a persona (list_sdp_categories, list_dlp_policies).

Govern with observability

  • Query the tenant's tool-call activity — logs, KPI summaries, facets, time-series trends, per-call detail, and SDP findings per server — to right-size rate limits, find least-privilege violations, and triage sensitive-data findings (query_tool_activity).

Tools reference

ToolKindWhat it does
list_third_party_appsReadBrowse the Cequence-curated catalog of apps you can build an MCP server from.
get_third_party_appReadFetch one catalog app's endpoints (API) or tools (MCP).
list_api_specsReadList the tenant's uploaded custom API specs.
get_api_specReadFetch one API spec's endpoints.
list_mcp_specsReadList the tenant's saved remote-MCP specs.
get_mcp_specReadFetch one MCP spec's tool inventory.
list_mcp_serversReadDiscover deployed MCP servers (gateways) in the tenant.
list_tools_for_mcp_serverReadList a single MCP server's tool definitions.
list_apisReadList registered REST APIs (the API Registry).
get_api_registryReadFetch a registered API's operations.
list_poolsReadList private deployment pools.
list_teamsReadList teams (SSO-mapped user groups).
list_skillsReadList registered skills.
get_skillReadFetch one skill's full content.
list_sdp_categoriesReadList standard sensitive-data-protection categories.
list_dlp_policiesReadList DLP policies (optionally scoped to a persona).
list_agent_personasReadList agent personas.
get_agent_personaReadFetch one persona, including its connect URL.
query_tool_activityReadObservability: logs, summary, facets, trends, log detail, and findings.
recommend_dlp_policyReadRecommend a DLP policy for a persona (deterministic).
create_mcp_serverWriteCreate an MCP server from an API or remote-MCP spec.
create_agent_personaWriteCreate an agent persona (supports dryRun validation).
update_agent_personaWriteApply partial edits to an existing persona.
create_skillWriteCreate a reusable skill in the Skill Registry.
attach_dlp_policyWriteCreate and attach a DLP policy to an existing persona.
Two-step writes

The write tools that create resources (create_agent_persona, create_mcp_server) support a dryRun mode. The agent should call them with dryRun:true first to validate every referenced tool, API, and skill and surface any warnings, then call again to actually create only after you approve.

Use cases

The Cequence AI Gateway MCP server exists to make governed agent onboarding fast and conversational. Common use cases include:

  • Self-service agent onboarding — a developer connects their AI client and says "give me an agent that can read our Datadog monitors and create Jira tickets," and the agent assembles a least-privilege persona in minutes instead of a portal ticket.
  • Least-privilege by construction — because the agent picks specific endpoints and tools (never "expose everything"), personas and MCP servers start with the minimum grants and a sensible rate limit.
  • Data protection on every agent — DLP recommendations and attachments happen in the same flow, so sensitive data (PII, secrets, financial, healthcare) is masked or blocked without a separate configuration step.
  • Reusable behavioral guidance — long-form runbooks are lifted into skills once and attached to many personas, keeping agent behavior consistent.
  • Governance and audit — operators query real tool-call activity to right-size limits, find unused (over-granted) tools, and triage sensitive-data findings — all without leaving their AI client.

Prerequisites

Before using the Cequence AI Gateway MCP server, ensure you have:

  • Access to Cequence AI Gateway at aigateway.cequence.ai with an account in the tenant you want to manage.
  • A role with the permissions for the actions you intend to take. Read tools work for any tenant member; creating or updating MCP servers and personas requires an operator role (for example PlatformOperator or TenantUser). Read-only roles receive an authorization error on write tools.
  • An MCP-compatible AI client (Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, or similar) that supports Streamable HTTP and OAuth.
  • A web browser to complete the OAuth sign-in on first connect.

No self-hosting, spec upload, or OAuth app registration is required — the server is Cequence-hosted and provisioned for your tenant automatically.

Example workflows

Once connected, you can run workflows like these from your AI client.

Discover what's available

  • "What MCP servers are already deployed in my tenant?"
  • "List the read-only tools on the GitHub MCP server."
  • "Show me the apps in the catalog related to observability."

Create an MCP server

  • "Create a cloud-hosted MCP server from our Payments OpenAPI spec, exposing only the GET /invoices and GET /invoices/{id} endpoints, with interactive OAuth login."
  • "Proxy the remote Notion MCP server but only expose the search and read-page tools."

Create and refine an agent persona

  • "Create a persona called 'Support Triage Bot' that can read Jira issues and create comments, behind an interactive OAuth login, limited to 100 requests per hour."
  • "Recommend a DLP policy for that persona and attach it."
  • "Add the 'incident-runbook' skill to the Support Triage Bot persona."
  • "Give me the connect URL for the Support Triage Bot."

Govern and audit

  • "Summarize tool-call activity for the last 24 hours."
  • "Which tools on the Datadog MCP server have never been called?"
  • "Show me any calls in the last week that had a sensitive-data finding."

Connecting to the Cequence AI Gateway MCP server

Because this server is provisioned automatically, you don't create it from a vendor URL — you deploy it for your tenant, copy the URL from its MCP details page, and add that URL to your AI client:

  1. Log in to Cequence AI Gateway.
  2. Choose your tenant.
  3. Go to App catalogue.
  4. Filter by Remote MCP server.
  5. Search for Cequence AI Gateway MCP and select it. It is available out of the box for every tenant.
  6. Select Create MCP server and complete the setup as prompted (authentication is your AI Gateway OAuth login).
  7. Open the server's MCP details page and copy the MCP server URL shown there. This is the per-tenant gateway URL your client connects to (not the raw mcp.aigateway.cequence.ai endpoint).

Add the URL shown on the MCP details page to your AI client (Claude, Cursor, Windsurf, VS Code, etc.) as described in the Client Configuration docs, then complete the OAuth sign-in on first connect. For detailed UI steps and screenshots, see Create a third-party MCP Server.

For example, using the URL from the MCP details page with a terminal-based client:

claude mcp add --transport http aigw <MCP server URL from the MCP details page>

Additional information specific to Cequence AI Gateway MCP

  • First-party and hosted by Cequence: This is the only remote MCP server in this section that Cequence operates. It is not a third-party vendor endpoint and requires no self-hosting.
  • Identity and audit: Calls run under your AI Gateway identity via token passthrough; the Control Plane remains the authoritative authorizer, and every action is recorded in the tenant audit trail.
  • Connect URL: The URL you connect to is environment-specific and set per tenant automatically. Always copy it from the server's MCP details page in the gateway UI rather than hardcoding an endpoint.
  • Timeout: The remote server uses a 30-second request timeout.
  • Related concepts: See Agent personas, Teams, Security policies, and Observability for the portal equivalents of what this server manages.