Docker MCP Gateway
One-liner — An open-source (MIT) Docker CLI plugin that runs MCP servers as isolated containers from a signed catalog and puts them behind one central gateway, adding secrets handling, image-signature verification, call logging, and request interceptors — security mainly through containment.
What it does
Docker MCP Gateway sits between MCP clients (the AI app / agent) and the MCP
servers (the tools). Instead of an agent launching tool servers directly on the
host via npx/uvx, the gateway pulls each MCP server as a Docker image and
runs it in its own container “with restricted privileges, network access, and
resource usage.” It then aggregates many such servers behind a single endpoint,
so one gateway connection exposes a curated, filtered set of tools.
Around that it layers a handful of governance features:
- Verified catalog — servers come from the Docker MCP Catalog (300+ servers distributed via Docker Hub), where Docker “builds and signs all local servers” and ships them with full provenance and SBOM metadata.
- Signature verification —
--verify-signatureschecks image provenance before a server is allowed to run. - Secrets management — credentials/API keys are injected from Docker
Desktop’s secret store rather than pasted into config; a
--block-secretsinterceptor scans inbound/outbound payloads for content that looks like API keys, passwords, or tokens and blocks it. - Interceptors — pre-call (argument/type checks, safety classifiers) and post-call (redaction, PII scrub) hooks on tool traffic.
- Logging / call tracing —
--log-callsaudits gateway activity for visibility and governance. - OAuth — built-in OAuth flows for services that need token auth.
- Tool filtering — restrict which servers and which individual tools are
exposed (
--servers=...,--tools=...).
Where it sits in the stack
Primary category: mcp-gateway (layer: model-prompt). It is the control point between an agent and its tools, the same slot as other MCP gateways/proxies.
Lethal-trifecta role: its main contribution is containment — each tool server
runs sandboxed in a container with limited host/network/resource access, which
shrinks the blast radius if a tool is malicious or compromised, and the gateway
is a chokepoint where untrusted tool input and outbound egress can be inspected
(--block-secrets, interceptors, signature checks). It touches the
untrusted-input leg (it is the boundary where tool responses re-enter the
agent) and the egress leg (secret-blocking and call logging on outbound
traffic). It does not by itself solve the sensitive-data leg — that depends on
which servers you run and how interceptors are configured.
Deployment & architecture
- Form factor: a
docker mcpCLI plugin; the gateway is a process that spawns MCP servers as Docker containers on demand and routes client traffic to them. - Two ways to run it:
- Bundled in Docker Desktop’s MCP Toolkit — runs automatically in the background when the Toolkit is enabled; zero-config for desktop developers.
- Standalone with any Docker Engine — download the binary into
~/.docker/cli-plugins/and rundocker mcp gateway run. Integrates with Docker Compose for production/agentic workloads.
- Transports: stdio and SSE (e.g.
--transport=sse). - Clients: any MCP client — Docker documents VS Code, Cursor, and Claude Desktop connecting to the same gateway config.
- Catalog: Docker MCP Catalog on Docker Hub (
hub.docker.com/mcp); custom org-specific catalogs can be imported. - Kubernetes: not clearly documented as a first-class deployment in the sources reviewed (to verify).
Positioning & differentiators
Docker’s angle is isolation-first governance: it leans on the thing Docker is already good at — running things in containers — and adds catalog signing, secrets hygiene, and interceptors on top. That makes it distinctive among MCP gateways, most of which focus on identity/policy/proxying rather than per-tool sandboxing.
Nearest neighbors (all in mcp-gateway):
- ibm-contextforge — open-source MCP gateway/registry; federation and virtualization of servers, less about container sandboxing.
- agentgateway — data-plane/proxy oriented gateway for agent/MCP traffic.
- obot — MCP gateway with an access-control/management focus.
- mintmcp — managed MCP gateway aimed at enterprise governance.
- arcade — tool-calling/auth platform (strong on per-user OAuth/identity).
- pomerium — identity-aware access proxy applied to MCP.
Versus those, Docker’s relative strengths are containment + a signed image supply chain + native Docker/Compose workflow; its relative gaps are enterprise identity, multi-tenant policy, and centralized RBAC, where the identity-proxy products (Pomerium, Arcade, MintMCP) are stronger. Many of these are complementary rather than mutually exclusive.
Ownership, funding & M&A
- Owner: Docker, Inc., an independent private company headquartered in Palo Alto, California. MCP Gateway is its open-source project, licensed MIT (per the GitHub repo), launched/open-sourced 2025-07-09.
- Parent funding: Docker, Inc. raised $105M at a ~$2.1B valuation in 2022 led by Bain Capital Ventures; aggregators cite a cumulative ~$443M–$541M (figures vary by source, not from audited filings — low confidence).
- M&A: none relevant to the gateway. Docker, Inc. has not been acquired; it sold its enterprise business to Mirantis in 2019 and refocused on developer tooling. No seed M&A flag for this entry.
CTO / hedge-fund lens
This is a Day-2 building block, not a turnkey enterprise governance platform. It is most attractive to a fund that (a) already standardizes on Docker / Docker Desktop and (b) wants to let developers or agents use MCP tools without each one running unsandboxed on a laptop or server. The container-isolation and signed-catalog story is the part a security team will like: it gives a defensible default (sandbox + verified images + secret-blocking + audit log) at low adoption cost.
Limits to weigh: it is developer/workstation-centric in its bundled form; enterprise-grade centralized identity, RBAC, and multi-tenant policy are thinner than in the identity-proxy gateways, so a regulated shop would likely pair it with (or front it by) an identity-aware proxy. No SR 11-7 / model-risk angle — this is infrastructure plumbing. Good as the sandboxing and supply-chain layer of an MCP stack; not sufficient on its own as the access-governance layer.
Competitors / alternatives
ibm-contextforge · agentgateway · obot · mintmcp · arcade · pomerium
Open questions / to verify
- First-class Kubernetes deployment story (vs Docker Desktop / Compose)?
- Exact interceptor extensibility (custom interceptors / plugin API) and whether
--block-secrets/redaction are configurable beyond on/off. - Centralized multi-user RBAC / multi-tenant policy — present or roadmap?
- Parent Docker, Inc. total funding — no primary/audited figure; aggregator range only.
- Relationship/overlap with Docker’s
cagentmulti-agent tooling.
Sources
- Docker MCP Gateway: Open Source, Secure Infrastructure for Agentic AI — fetched 2026-06-28 — supports: what it does, interceptors (
--verify-signatures/--block-secrets/--log-calls), OAuth, Compose, launch date 2025-07-09; confidence: high (vendor blog) - docker/mcp-gateway (GitHub) — fetched 2026-06-28 — supports: MIT license, container isolation, secrets via Docker Desktop, OAuth, catalog, dynamic discovery, monitoring; confidence: high (primary repo)
- MCP Gateway / MCP Catalog (Docker Docs) — fetched 2026-06-28 — supports: proxy/isolation architecture, restricted privileges/network/resources, Docker Desktop vs standalone install, signed catalog (300+ servers, provenance + SBOM); confidence: high (vendor docs)
- Docker Raises $105M at $2.1B Valuation (Crunchbase News) — fetched 2026-06-28 — supports: Docker, Inc. private, Palo Alto HQ, 2022 raise/valuation; confidence: medium (secondary); total-funding figures low confidence (aggregators disagree)
History
- [2026-06-28] Stub created from seed registry.
- [2026-06-28] Researched; established Docker MCP Gateway as an MIT-licensed open-source Docker CLI plugin/gateway (launched 2025-07-09) that runs MCP servers as isolated containers from a signed Docker MCP Catalog, with secrets handling,
--verify-signatures/--block-secrets/--log-callsinterceptors, and OAuth; ships in Docker Desktop’s MCP Toolkit and runs standalone on Docker Engine. Owner = Docker, Inc., independent private company (Palo Alto); not acquired. Corrected license assumption: repo states MIT, not Apache-2.0. Kept primary category mcp-gateway. Set ownership_confidence high (origin) but funding low (aggregator-only). hedge_fund_fit = medium. No M&A flag; no contradictions.