The transport gateway is necessary but no longer sufficient
Traditional gateways provide TLS termination, authentication, routing, load balancing, timeouts, retries, quotas, WAF controls, and telemetry. Those remain essential. Agent traffic adds semantic operations over MCP, A2A, model APIs, streaming sessions, and ordinary HTTP APIs. The policy question is no longer only “may this client call this route?” but “may this agent discover and invoke this capability for this user, tenant, task, target, and effect?”
An inference gateway is another related layer. Projects such as Envoy AI Gateway and the Kubernetes Gateway API Inference Extension add model-aware routing, provider abstraction, token-based limits, priority, rollout, and serving optimization. An agent gateway extends beyond inference into agent-to-tool and agent-to-agent traffic. These layers can share a data plane, but their policy objects are different.
| Dimension | API gateway | Inference gateway | Agent gateway |
|---|
| Primary objects | Routes, methods, clients, services, headers, and payloads. | Models, providers, prompts, tokens, queues, accelerators, and inference pools. | Agents, users, tenants, tasks, tools, skills, resources, plans, and side effects. |
| Discovery | Static API catalog or OpenAPI documentation. | Model aliases and serving endpoints. | Authorization-filtered MCP tools, resources, prompts, and A2A Agent Cards or skills. |
| Authorization | Route or resource scope, role, claim, network, and tenant. | Model entitlement, provider policy, data class, and cost tier. | Delegated subject plus acting agent, task purpose, exact tool, object, arguments, effect, and approval. |
| Rate limiting | Requests, bytes, connections, or business quota. | Input and output tokens, requests, model capacity, cost, and priority. | Tool calls, mutations, external recipients, task depth, delegated agents, tokens, money, and cumulative risk. |
| Reliability | Timeouts, retries, circuit breakers, failover. | Provider fallback, queueing, model rollout, token streaming. | Idempotent effects, long-running task state, cancellation, approval waits, compensation, and loop termination. |
| Audit | Request, identity, route, status, latency. | Model, provider, tokens, cost, latency, finish reason. | Intent, plan, tool version, policy, approval, arguments, result, downstream action, and final task outcome. |
Discovery is a security decision
Tool lists and Agent Cards influence what an agent believes it can do. A gateway should not expose the full enterprise registry to every agent. Filter discovery by user, agent, tenant, environment, task type, data classification, region, and approval state. Return only capabilities that could be authorized in the current context, while still rechecking policy at invocation time.
The registry itself needs provenance: owner, protocol, endpoint, schema, version, signer, required scopes, input and output classifications, side effects, idempotency behavior, approval class, egress destinations, rate limits, dependencies, and deprecation state. Treat tool description changes like API contract changes because model selection behavior can change even when the executable endpoint does not.
RegistryWhich tools, agents, models, skills, schemas, owners, versions, and trust metadata exist?
IdentityWhich human or service delegated work, which agent instance acts, and which resource is the token for?
PolicyWhich capability, arguments, target, purpose, approval, data class, and cumulative risk are allowed?
EvidenceWhich discovery result, plan, call, route, policy decision, output, and downstream action occurred?
Every call should pass through a semantic enforcement pipeline
Agent gateway call path01 DiscoverFilter capabilitiesResolve protocol metadata, registry trust, tenant context, task purpose, and capability visibility.
02 IdentifyBind subject and actorValidate user, agent, client, workload, tenant, audience, delegation chain, expiration, and proof.
03 ParseUnderstand semanticsDecode MCP or A2A operation, model request, tool name, schema version, arguments, targets, and effect class.
04 AuthorizeEvaluate policyCheck object relationships, purpose, argument constraints, data class, approval, region, and segregation.
05 BudgetReserve capacity and riskReserve calls, tokens, cost, mutations, recipients, concurrency, task depth, and time.
06 RouteSelect trusted upstreamChoose tool, model, or agent version; inject upstream credentials; enforce egress and protocol policy.
07 ObserveRecord structured eventsCorrelate task, call, policy, approval, route, stream, result, retries, and downstream invocations.
08 VerifyClose the control loopValidate result schema and postconditions, charge actual usage, stop loops, revoke authority, and emit outcome.
OAuth tokens must be resource-bound, not passed through
The MCP authorization specification requires protected resource metadata based on RFC 9728 and emphasizes least privilege. Its current security guidance requires servers to validate that tokens were issued for their resource and explicitly forbids token passthrough. The gateway should exchange or obtain a downstream token for the exact protected resource rather than forwarding a broad token received from the agent.
Preserve the human or service subject and the acting agent as distinct identities. Short-lived credentials should be scoped to task, tool, tenant, object, and operation. If an agent delegates to another agent, the chain must remain bounded and auditable; delegation should never silently widen scope.
Budgets need more dimensions than requests per second
An agent can stay under a request quota while creating unacceptable aggregate behavior. It may call a cheap tool thousands of times, send many external messages, traverse a deep delegation graph, spend a large token budget, or retry a non-idempotent mutation. Apply limits at call, task, user, tenant, agent, tool, model, and destination levels.
Reserve budgets before execution and reconcile with actual usage afterward. Include input and output tokens, monetary cost, tool calls, write operations, records touched, external recipients, wall-clock time, concurrency, retries, delegated task depth, and a domain-specific risk score. When a task exceeds a threshold, pause for approval instead of merely returning HTTP 429 and encouraging an automated retry loop.
Retries and fallback must respect meaning
Transport retries are dangerous when the operation has side effects. The gateway needs tool metadata declaring idempotency, idempotency-key support, retryable errors, compensation, and postcondition checks. Provider fallback may be acceptable for text generation but forbidden when data residency, model approval, or output compatibility differs.
Streaming and long-running tasks also need session policy. Reauthorize after material context changes, tool registry updates, approval expiration, or delegation. Support cancellation and revocation that propagate to upstream tasks rather than only closing the client connection.
Event logs should explain the task without leaking it
Correlate every discovery response, authorization decision, model request, tool invocation, agent message, retry, approval, and result under a task and trace identifier. OpenTelemetry provides semantic conventions for HTTP and GenAI operations, while MCP-specific conventions are emerging. Use structured protocol attributes rather than treating all traffic as opaque POST requests.
Do not store raw prompts, tool arguments, secrets, or model outputs indiscriminately. Record schemas, hashes, classifications, stable object IDs, policy versions, usage, decisions, and protected evidence references. The operations team needs causality; attackers should not gain a transcript archive.
What I would build
I would build a gateway with a shared HTTP and gRPC data plane plus protocol-aware extensions for model APIs, MCP, and A2A. Its control plane would manage a signed capability registry, authorization policies, credential exchange, budgets, egress, approval classes, schema versions, and telemetry rules.
The primary operations view would reconstruct one task across agent, model, tool, API, and downstream agent boundaries. It would show why each capability was visible, why each call was allowed, what budget changed, which side effects occurred, and where execution stopped.
The design principle
An agent gateway should not decide whether a model's plan is intelligent. It should make every capability visible by policy, every identity explicit, every side effect bounded, every retry semantically safe, and every task reconstructable.