Extensions & Built-in Services

Your gateway comes with built-in MCP services that work out of the box, plus an extension gallery where you can enable managed integrations like AWS CloudWatch. Extensions run as isolated processes with encrypted credential storage.

Built-in Services

Built-in services are always available to your agents with zero configuration. They run inside the gateway and are included in your subscription at no extra cost.

RAG Engine

5 tools

Semantic search over your uploaded documents. Ingest files (PDF, DOCX, Markdown, etc.), and your agents can query them via MCP tools.

knowledge_query ingest_document list_sources delete_source get_stats

Media Storage

5 tools

Upload, list, download, and manage files in cloud storage. Agents can store and retrieve documents, images, and other media.

upload_file list_files download_file delete_file get_file_info

Extensions

Extensions are managed MCP server integrations that you enable from the gallery. You provide your own credentials (e.g., AWS access keys) and the gateway runs the extension as an isolated subprocess with encrypted credential storage.

How Extensions Work

1

Browse the Extension Gallery in the console and find an integration you want to enable

2

Enter your credentials (e.g., AWS Access Key ID and Secret Access Key for CloudWatch)

3

Credentials are encrypted with Fernet symmetric encryption and stored securely

4

The gateway spawns the extension as an isolated subprocess and exposes its tools through your MCP endpoint

Available Extensions

AWS CloudWatch

Extension

Query CloudWatch metrics, logs, alarms, and dashboards directly from your AI agents. Powered by the awslabs.cloudwatch-mcp-server open-source package.

Required Credentials

AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION

Recommended IAM Policy

Create a dedicated IAM user with read-only CloudWatch access:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "cloudwatch:GetMetricData",
      "cloudwatch:ListMetrics",
      "cloudwatch:DescribeAlarms",
      "logs:GetLogEvents",
      "logs:FilterLogEvents",
      "logs:DescribeLogGroups"
    ],
    "Resource": "*"
  }]
}

More Coming Soon

The extension gallery is growing. Future extensions will include integrations for popular cloud services, monitoring platforms, and developer tools. Have a request? Let us know.

Enabling an Extension

1

Open the Extension Gallery

Go to MCP Gateway → Gallery in the console dashboard and switch to the Extensions tab.

2

Configure Credentials

Click on an extension card and enter the required credentials. For AWS CloudWatch, this is your AWS Access Key ID, Secret Access Key, and Region.

3

Verify & Enable

The gateway validates your credentials (e.g., calls AWS STS GetCallerIdentity). Once verified, the extension is enabled and its tools appear in your MCP endpoint alongside your other servers.

4

Use from Your Agent

Extension tools are namespaced just like any other server. Call them through the standard MCP endpoint: 

POST /mcp
{
  "method": "tools/call",
  "params": {
    "name": "cloudwatch__get_metric_data",
    "arguments": {
      "namespace": "AWS/ECS",
      "metric_name": "CPUUtilization"
    }
  }
}

Security

Encrypted at rest

Credentials are encrypted using Fernet symmetric encryption before storage. Encryption keys are stored in AWS Secrets Manager, separate from the data.

Isolated execution

Each extension runs as an isolated subprocess in a dedicated Extension Runner service. Extensions cannot access each other's credentials or processes.

Credential validation

Credentials are validated before being saved. For AWS extensions, the gateway calls STS GetCallerIdentity to verify the keys work before enabling the extension.

VPC-internal communication

The Extension Runner service is not exposed to the internet. It communicates with the gateway over VPC-internal service discovery, authenticated with a shared token.

Managing Extensions

You can manage extensions through the console or the REST API:

Action Endpoint Method
List extensions /api/extensions GET
Enable extension /api/extensions/{alias}/enable POST
Disable extension /api/extensions/{alias}/disable POST
List built-in services /api/builtins GET
Toggle built-in service /api/builtins/{alias}/toggle POST
Back to Documentation