
MCP Gateway & Hosting

MCP Hosting gives tenants a fully managed MCP gateway backed by AWS AgentCore. Owners can expose external REST APIs and upstream MCP servers to any MCP-compatible client (Claude Desktop, Claude.ai Custom Connectors) without running infrastructure.

MCP Gateway

/v1/mcp-gateway — owners provision one AgentCore Gateway per tenant. The gateway validates Cognito JWTs (the same user pool as the control plane) and routes incoming tool calls to registered targets via a pass-through Lambda interceptor. The response includes the gateway endpoint URL and PKCE client_id / client_secret for use in Claude.ai’s Custom Connector form. Deleting the gateway tears down all registered targets first.

MCP server integrations

/v1/mcp-servers — owners and developers register external services as targets on the tenant gateway. Two modes:

  • Marketplace (provider_id from GET /v1/mcp-providers):
    • OpenAPI targets (e.g. Slack, ntfy) — an AgentCore OpenAPI target is registered; the matching tenant secret supplies the API key.
    • Runtime targets (e.g. GitLab, Freshdesk) — a dedicated AgentCore Runtime container per tenant runs the integration’s MCP server (bridged stdio → Streamable HTTP). Tenant-specific config is supplied via extra_env_entries, validated server-side before provisioning.
  • Custom (target_mode): an arbitrary OpenAPI spec (inline JSON or S3 URI) or an upstream MCP server (mcp_server), with none, bearer, or api_key auth backed by a tenant secret.

Each integration stores an AgentCore credential provider ARN and gateway target ID. On update the credential provider is rotated atomically — new provider created, target re-registered, old target and provider deleted.
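One way to sequence the rotation described above so that a failure never leaves the gateway without a working target or with an unused credential lying around. This is an added example, not the product's own code: `FakeControlPlane` and `rotate` are hypothetical names, and the in-memory class stands in for the real AgentCore calls.

```typescript
// Added example: in-memory stand-in for the control plane. All names are hypothetical.
type Integration = { providerArn: string; targetId: string };

class FakeControlPlane {
  providers: string[] = [];
  targets: Record<string, string> = {}; // targetId -> providerArn
  failOn = ""; // name of the step that should throw, to simulate an outage
  private seq = 0;

  private step(name: string): void {
    if (this.failOn === name) throw new Error("simulated failure: " + name);
  }
  createProvider(): string {
    this.step("createProvider");
    const arn = "arn:example:provider/" + ++this.seq; // constructed placeholder ARN
    this.providers.push(arn);
    return arn;
  }
  registerTarget(providerArn: string): string {
    this.step("registerTarget");
    const id = "target-" + ++this.seq;
    this.targets[id] = providerArn;
    return id;
  }
  deleteTarget(id: string): void {
    this.step("deleteTarget");
    delete this.targets[id];
  }
  deleteProvider(arn: string): void {
    this.step("deleteProvider");
    this.providers = this.providers.filter((p) => p !== arn);
  }
}

// Rotate in the order the page gives: create, re-register, then delete the old pair.
function rotate(cp: FakeControlPlane, old: Integration): { next: Integration; leftover: string[] } {
  const providerArn = cp.createProvider(); // nothing to undo if this throws
  let targetId = "";
  try {
    targetId = cp.registerTarget(providerArn);
  } catch (err) {
    cp.deleteProvider(providerArn); // do not leave an unused credential behind
    throw err; // the old pair is untouched and keeps serving tool calls
  }
  // The new pair is live. Cleanup failures must not undo it, only be reported.
  let leftover: string[] = [old.targetId, old.providerArn];
  try {
    cp.deleteTarget(old.targetId);
    leftover = [old.providerArn]; // the provider is deleted only once no target references it
    cp.deleteProvider(old.providerArn);
    leftover = [];
  } catch { /* leftover lists what still has to be deleted on a retry */ }
  return { next: { providerArn, targetId }, leftover };
}
```

A non-empty `leftover` means an old credential provider is still present after rotation and should be retried or alerted on.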

Verification & logs

  • POST /v1/mcp-servers/{server_id}/verify probes the upstream server and returns { verified, tool_count, verified_at }. Requires the gateway to exist.
  • GET /v1/mcp-servers/{server_id}/logs queries CloudWatch Logs Insights against the interceptor log group for recent tool-call activity.

Authorization: owner or developer for MCP server operations; owner-only for gateway provisioning.

agent-runner-mcp

The agent-runner-mcp TypeScript server (@copebit/agent-runner-mcp, also a pre-built binary) lets users manage skills from inside Claude Code. It exposes management tools (upload_skill, invoke_skill, set_env_vars, create_secret, …) and dynamically registers every active skill as a native Claude tool. It uses the same PKCE → Cognito flow as agent-runner-auth, with separate keychain entries and scoped tokens (agent-runner/skills:rw, agent-runner/skills:invoke).
