Core Documentation

Prism MCP Gateway acts as a central governance, auditing, and policy enforcement proxy between LLM-powered applications (MCP clients) and the internal network resources, endpoints, and databases they interact with (MCP servers).

Unlike standard HTTP reverse proxies, Prism has deep protocol-level awareness. It intercepts, parses, and restructures raw Model Context Protocol JSON-RPC traffic. This allows Prism to inspect argument scopes, inject identity tokens, filter output values, and track user actions.

MCP Primitives

Prism enforces policies across all six primitive layers specified by the Model Context Protocol, executing checks in both client-to-server and server-to-client directions:

Primitive Direction Governance Role Example Enforcement
Tools Client → Server Verifies function execution permissions and argument payloads. Deny write-operations; check that query strings contain only SELECT.
Resources Client → Server Governs file reads, DB schema access, and external data fetches. Limit path reads to /shared/public/*; block local path traversal.
Prompts Client → Server Regulates templates exposed to LLMs. Restrict specialized financial prompts to users in the Advisors role.
Sampling Server → Client Intercepts requests asking the client LLM to generate completions. Forbid servers from triggering unapproved sub-generations.
Roots Client → Server Controls directory hierarchies exposed to downstream servers. Strip local file systems from roots list before routing to third-party endpoints.
Elicitation Server → Client Intercepts requests for user input or approval loops. Require MFA verification for critical transaction approvals.

Authentication & Identity

Prism integrates with standard Enterprise Identity Providers (IdPs) to assert user and service identity. Inbound request tokens (JSON Web Tokens - JWTs) are intercepted and verified against active JSON Web Key Sets (JWKS):

  • Supported Integrations: Microsoft Entra ID, Okta, Auth0, Ping Identity, Google Workspace.
  • Identity Mapping: Resolves JWT claims to a uniform Principal { Subject, TenantId, Roles[], Attributes{} } available in the policy engine context.

Downstream Credentials

Prism manages credentials securely, meaning downstream servers do not need direct access to primary user credentials. The gateway maps inbound user identities using two techniques:

  1. OAuth On-Behalf-Of (OBO): Exchanges the inbound user token for a scope-restricted token dedicated to the target downstream server.
  2. Gateway-Held Service Credentials: Inject service tokens fetched from a secure repository (such as HashiCorp Vault or AWS Secrets Manager) using the ISecretProvider port.

Cedar Policy Language

Prism uses the Cedar Policy Language from AWS for writing authorization policies. Cedar's design features ensure that policies are fast, secure, and provably correct:

  • Forbid Wins: If a request matches both an allow and a forbid rule, the forbid rule overrides. This lets platform administrators enforce security boundaries that cannot be overridden by weaker application rules.
  • Formal Proofs: The Cedar engine supports mathematical validation, allowing security teams to audit policy safety under all scenarios.
  • In-Memory Evaluation: Evaluates policies in under 5ms (cached in memory) without network lookups during execution.

Context Properties

Prism maps MCP Operation fields directly into the Cedar evaluation context:

context.primitive  // "tool" | "resource" | "prompt" | "sampling"
context.method     // e.g., "tools/call"
context.target     // e.g., "jira.create_issue"
context.arguments  // JSON element representing argument parameters

Server Integrity & Drift Validation

A major risk in MCP deployments is the "schema rug-pull" — where a compromised or altered downstream server updates its schema to expose dangerous operations or inject malicious tool descriptions. Prism solves this via its Drift Validator:

  1. Registration Pinning: When a server is registered via the Control Plane, its schemas and description hashes are pinned.
  2. Active Scanning: The Drift Validator runs periodic polling against tools/list and resources/list endpoints, diffing responses against pinned hashes.
  3. Auto-Quarantine: If drift is detected, Prism triggers an alert and immediately places the route into quarantine (disabling tool execution) until manually reviewed.

API Reference

Prism provides a clean segregation of concerns, exposing distinct API interfaces for the runtime data plane and the administration control plane:

Data Plane (MCP Core)

The Data Plane exposes native Model Context Protocol (MCP) routing endpoints. It serves as a transparent, governed gateway for standard MCP-compatible clients:

Endpoint / Channel Methods / Upgrade Component Description
/{path} POST Streamable HTTP Primary JSON-RPC channel. Resolves tenant/server from path/hostname, executes the enforcement pipeline, and relays the streamable response.
/ws
/ws/{path}
GET (Upgrade) WebSocket Bridge Upgrades connections to full-duplex WebSocket. Normalizes MCP JSON-RPC frames into the internal session, applying bidirectional policy enforcement.
stdin / stdout STDIO Subprocess Host Critical for P1 self-hosted/sidecar servers. Runs downstream servers as local managed subprocesses, routing payloads through the standard pipeline.

Every data plane request is subject to the following runtime policies:

  • Zero-Trust Routing: Routing context is dynamically resolved from request headers, paths, or hostnames to determine the tenant_id and the downstream server.
  • Fail-Closed Enforcement: When the enforcement pipeline denies a request, execution short-circuits immediately to avoid unneeded downstream traffic, returning standard MCP JSON-RPC 2.0 error codes (-32001 to -32004 and -32010).

Control Plane (Admin API)

The Control Plane exposes an administrative REST and gRPC API layer, typically running on port :8081 under the /api/v1/ path prefix:

Endpoint Methods Component Description
/api/v1/servers GET POST PUT DEL Registry Complete CRUD operations for registering downstream MCP servers, tracking server metadata, target transport configurations, and quarantine states.
/api/v1/policies GET POST PUT DEL Policy Management Endpoints to author, version, and cryptographically sign policy bundles.
/api/v1/policies/simulate POST Policy Simulation Dry-run candidate policies against historic telemetry to assess impacts before rolling out.
/api/v1/roles GET POST DEL RBAC Management Configures coarse-grained permissions mapping user identities to platform roles.
/api/v1/bindings GET POST DEL RBAC Management Configures bindings mapping users/groups to defined roles.
/api/v1/audit GET Audit Trail Allows searching and exporting the per-tenant audit chain.
/api/v1/audit/verify POST Audit Integrity Verify signature integrity and cryptographically prove the logs have not been tampered with.
/api/v1/secrets/refs GET POST PUT DEL Secret References Configures pointers to credentials stored in secret managers (e.g., Vault, AWS Secrets Manager) without exposing raw credentials.