While deploying Model Context Protocol (MCP) servers in production, enterprises need fine-grained access control across servers, observability into which teams use which tools, security guarantees against data exfiltration, and centralized credential management, all at scale. Amazon Bedrock AgentCore Gateway sits between MCP servers and the clients that consume them, centralizing credential management, observability, and secure connectivity into a single trusted entry point.

Today, we’re extending AgentCore Gateway with new capabilities that further strengthen support for enterprise MCP deployments. This post covers extended MCP tool schema support, MCP prompts and MCP resources as first-class primitives, dynamic listing for runtime discovery of MCP servers, streaming and session management for stateful real-time interactions, elicitation for mid-execution input requests, and OAuth 2.0 on-behalf-of token exchange for delegated authentication. For hands-on examples, visit the GitHub samples repository.

Without a centralized gateway, every MCP server that your organization builds must independently handle credentials, policy enforcement, private connectivity, and logging. This means that your legal team’s contract review MCP server, your finance team’s data retrieval MCP server, and your operations team’s incident response MCP server each carry the same infrastructure burden. Security teams review each server individually, developers wait for approvals, and nobody has a unified view of how MCP infrastructure is being used across the organization.

AgentCore Gateway helps avoid this duplication by establishing a single-entry point that MCP traffic flows through. The following diagram shows the main features for AgentCore Gateway that allow central governance and control.

Each team builds only the business logic for their MCP server. AgentCore Gateway handles everything else. It aggregates capabilities across different target types, including MCP servers, REST APIs, AWS Lambda functions, and more. Resource-based policies (RBP) control who can invoke AgentCore Gateway, for example, restricting invocation to an Amazon Virtual Private Cloud (Amazon VPC). Service control policies (SCPs) govern how AgentCore Gateway is maintained within your AWS organization.

For network isolation, AgentCore Gateway supports AWS PrivateLink for both control plane and data plane operations so that traffic stays within your Amazon VPC boundaries. You can also connect to private API endpoints or MCP servers through managed VPC resource mode. Centralized application and identity logs help you manage audit and compliance requirements.