---
title: "MCP Gateway"
slug: mcp-gateway
section: Developer Onboarding
status: stable
description: "One MCP endpoint for every Alliance Abroad tool."
last-updated: 2026-06-19
---

# Alliance MCP Gateway

One MCP endpoint for every Alliance Abroad tool. Configure it once with your personal token and the gateway routes each tool call to the correct backend (Teams, GCP, Nexus, GoDaddy, Auth0, and more) — injecting the right credential and enforcing your role.

> **This replaces the old MCP Shop**
>
> You no longer add each MCP server individually. Add the single gateway below; it aggregates all backends behind role-based access.

## Overview

The gateway is a single Streamable-HTTP MCP endpoint. It authenticates you (Auth0 JWT for humans, or an `aag-pat-` Personal Access Token for agents/robots), resolves your role-based toolpack, and proxies each call to the right upstream MCP — without ever forwarding your token to backends.

- Gateway MCP endpoint: https://alliance-mcp-gateway-wjn5443muq-nn.a.run.app/mcp

- Admin / setup portal: https://alliance-mcp-gateway-admin-wjn5443muq-nn.a.run.app

## Why a single gateway

- Configure one server instead of a dozen — no per-backend URLs or keys to manage.

- Role-gated: you only see the tools your role permits.

- Credentials stay server-side; your JWT/PAT is never passed to backends.

- Every call is audited.

## Step 1 — Get a token

Agents and robots authenticate with a Personal Access Token (PAT). Create one in the admin portal:

1. Open the admin portal and sign in with your Alliance SSO.

2. Go to Users & Roles → Robot PATs → New Robot PAT.

3. Pick a label and roles, create it, and copy the token — it is shown only once (starts with `aag-pat-`).

> **Handle tokens safely**
>
> Never commit a PAT. Store it in 1Password / Secret Manager. It carries whatever roles you granted it.

## Step 2 — Add one MCP server

Add a single HTTP MCP server that passes your PAT as an `Authorization: Bearer` header. This works in Claude, Cursor, Manus (Custom MCP → Import by JSON), and any MCP client that speaks Streamable HTTP.

## Step 3 — First calls

Once connected, the gateway tells the agent what to do. The mandatory startup sequence is:

1. Call `gateway_getting_started` and follow it.

2. Call `gateway_list_skills`, then `gateway_get_skill` for the skills relevant to your task.

3. Then use domain tools in the documented order — for example, read the Nexus documentation via the `ecosystem_*` docs tools before taking any ecosystem action.

## What you get

Backends are exposed as prefixed tools (e.g. `gcp_*`, `teams_*`, `godaddy_*`, `ecosystem_*`, `auth0_*`, `azure_*`, `1password_*`, `manus_*`), plus three gateway-native tools: `gateway_getting_started`, `gateway_list_skills`, and `gateway_get_skill`. Call `tools/list` after connecting to see exactly what your role grants.
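To review what a PAT's roles actually grant, the following added example (not part of the gateway's own documentation or code) performs the MCP Streamable HTTP handshake, calls `tools/list`, and counts the returned tools per backend prefix. The environment variable name `ALLIANCE_MCP_PAT`, the client name `gateway-check`, and the protocol version string are assumptions; the PAT is read from the environment so it never lands in a file.

```python
import json, os, sys, urllib.error, urllib.request
from collections import Counter

GATEWAY_URL = "https://alliance-mcp-gateway-wjn5443muq-nn.a.run.app/mcp"  # from this page

def auth_headers(pat, session_id=None):
    """Streamable HTTP request headers; refuses anything that is not a robot PAT."""
    if not pat.startswith("aag-pat-"):
        raise ValueError("expected a token starting with aag-pat-")
    headers = {"Authorization": f"Bearer {pat}", "Content-Type": "application/json",
               "Accept": "application/json, text/event-stream"}
    return headers | ({"Mcp-Session-Id": session_id} if session_id else {})

def parse_body(content_type, text, msg_id):
    """Return the JSON-RPC response with this id (JSON or SSE; one data: line per event)."""
    sse = content_type.lower().startswith("text/event-stream")
    chunks = [l[5:] for l in text.splitlines() if l.startswith("data:")] if sse else [text]
    return next(m for m in map(json.loads, chunks) if m.get("id") == msg_id)

def rpc(pat, method, params=None, msg_id=None, session_id=None):
    """POST one JSON-RPC message; notifications (no id) expect no response body."""
    body = {"jsonrpc": "2.0", "method": method, "params": params or {}}
    if msg_id is not None:
        body["id"] = msg_id
    req = urllib.request.Request(GATEWAY_URL, json.dumps(body).encode(),
                                 auth_headers(pat, session_id), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        sid = resp.headers.get("Mcp-Session-Id") or session_id
        ctype, text = resp.headers.get("Content-Type", ""), resp.read().decode()
    return (parse_body(ctype, text, msg_id) if msg_id is not None else None), sid

def tools_by_prefix(tools):
    """Count granted tools per backend prefix (gcp, teams, gateway, ...)."""
    return dict(Counter(t["name"].split("_", 1)[0] for t in tools))

def main():
    pat = os.environ["ALLIANCE_MCP_PAT"]  # assumed variable name
    try:
        init = {"protocolVersion": "2025-03-26", "capabilities": {},  # assumed version
                "clientInfo": {"name": "gateway-check", "version": "0.1"}}
        _, sid = rpc(pat, "initialize", init, 1)
        rpc(pat, "notifications/initialized", session_id=sid)
        listed, _ = rpc(pat, "tools/list", {}, 2, sid)  # first page only, no cursor
    except urllib.error.HTTPError as err:
        sys.exit(f"HTTP {err.code} (401 means the Bearer header is missing or the PAT is wrong)")
    print(json.dumps(tools_by_prefix(listed["result"]["tools"]), indent=2))

if __name__ == "__main__":
    main()
```

A prefix that appears in the output but is not needed for the robot's job is a sign the PAT was created with more roles than it should carry.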

## Notes & troubleshooting

- 401 unauthorized: the `Authorization: Bearer` header is missing or the PAT is wrong.

- "requires authorisation": that backend is personal/multi-tenant and needs you to connect it via OAuth in the portal first. Robot PATs cannot use personal-mode tools.

- A tool you expect is missing: your role does not grant it, or the backend is disabled — check the admin portal.
