What is an MCP proxy?

An MCP proxy sits between an AI agent client and MCP servers so tool calls can be observed, audited, budgeted, denied, revoked, or charged before expensive actions execute.

Why put SatGate in front of MCP servers?

MCP tools can trigger paid APIs, cloud work, searches, code agents, or sensitive data access. SatGate adds request-path economic governance around those tool calls.

Which MCP clients can use this pattern?

The proxy pattern applies to Cursor, Claude Desktop, Claude Code, OpenClaw, and custom MCP-capable clients that can route tool calls through an MCP server command or proxy.

Free MCP proxy config generator

MCP Proxy Config Generator

Generate a starter SatGate MCP proxy config for Cursor, Claude Desktop, Claude Code, OpenClaw, or custom MCP clients with budgets, audit, revocation, and optional L402 Charge.

Generate config MCP governance

Configure the proxy

MCP clientSatGate modeUpstream MCP server nameSession budget USDMax expensive tool call USD

.cursor/mcp.json

{
  "mcpServers": {
    "satgate-internal-tools": {
      "command": "satgate-mcp-proxy",
      "args": [
        "--upstream",
        "stdio://internal-tools",
        "--mode",
        "control",
        "--budget-usd",
        "50",
        "--max-tool-call-usd",
        "5",
        "--audit",
        "full",
        "--on-budget-exhausted",
        "block"
      ],
      "env": {
        "SATGATE_POLICY": "internal-tools-mcp-policy",
        "SATGATE_REQUIRE_AGENT_ID": "true",
        "SATGATE_REQUIRE_TASK_ID": "true"
      }
    }
  }
}

Policy YAML

mcp_proxy:
  name: satgate-internal-tools
  client: Cursor
  config_path: .cursor/mcp.json
  upstream: stdio://internal-tools
  mode: control
policy:
  require_agent_id: true
  require_task_id: true
  session_budget_usd: 50
  max_tool_call_usd: 5
  on_budget_exhausted: block
  charge: disabled
credentials:
  type: revocable_capability
  expiry_minutes: 240
  allow_delegation: false
audit:
  level: full
  include:
    - tenant_id
    - agent_id
    - task_id
    - mcp_server
    - mcp_tool
    - estimated_cost_usd
    - remaining_budget_usd
    - policy_decision
    - revocation_state

What the proxy makes governable

MCP turns tools into runtime authority. The proxy turns that authority into policy decisions before the tool runs.

Tool cost

Attach prices, budgets, and risk tiers to individual MCP tools.

Spend caps

Block or observe calls when session, tool, or per-request budgets are exhausted.

Capabilities

Require scoped, revocable, expiring authority instead of broad ambient access.

Audit

Record agent, task, server, tool, cost, budget, policy, and decision.

Revocation

Stop future tool calls when a loop, violation, or risky delegation appears.

Modes

Start in Observe, enforce in Control, and use Charge/L402 when tools become paid products.

Put MCP tools behind an economic firewall.

SatGate lets agent teams observe, control, revoke, audit, and charge MCP tool calls in the request path — before expensive or sensitive work executes.

MCP cost control MCP tool policy generator