Home/Blog/Agent Gateway
Agent Infrastructure

The API Gateway Becomes An Agent Gateway

An API gateway knows that a client called POST /refunds. An agent gateway must also know which user delegated the task, which agent selected the tool, what side effect was intended, what budget remains, and whether the result may trigger another action.

The transport gateway is necessary but no longer sufficient

Traditional gateways provide TLS termination, authentication, routing, load balancing, timeouts, retries, quotas, WAF controls, and telemetry. Those remain essential. Agent traffic adds semantic operations over MCP, A2A, model APIs, streaming sessions, and ordinary HTTP APIs. The policy question is no longer only “may this client call this route?” but “may this agent discover and invoke this capability for this user, tenant, task, target, and effect?”

An inference gateway is another related layer. Projects such as Envoy AI Gateway and the Kubernetes Gateway API Inference Extension add model-aware routing, provider abstraction, token-based limits, priority, rollout, and serving optimization. An agent gateway extends beyond inference into agent-to-tool and agent-to-agent traffic. These layers can share a data plane, but their policy objects are different.

DimensionAPI gatewayInference gatewayAgent gateway
Primary objectsRoutes, methods, clients, services, headers, and payloads.Models, providers, prompts, tokens, queues, accelerators, and inference pools.Agents, users, tenants, tasks, tools, skills, resources, plans, and side effects.
DiscoveryStatic API catalog or OpenAPI documentation.Model aliases and serving endpoints.Authorization-filtered MCP tools, resources, prompts, and A2A Agent Cards or skills.
AuthorizationRoute or resource scope, role, claim, network, and tenant.Model entitlement, provider policy, data class, and cost tier.Delegated subject plus acting agent, task purpose, exact tool, object, arguments, effect, and approval.
Rate limitingRequests, bytes, connections, or business quota.Input and output tokens, requests, model capacity, cost, and priority.Tool calls, mutations, external recipients, task depth, delegated agents, tokens, money, and cumulative risk.
ReliabilityTimeouts, retries, circuit breakers, failover.Provider fallback, queueing, model rollout, token streaming.Idempotent effects, long-running task state, cancellation, approval waits, compensation, and loop termination.
AuditRequest, identity, route, status, latency.Model, provider, tokens, cost, latency, finish reason.Intent, plan, tool version, policy, approval, arguments, result, downstream action, and final task outcome.

Discovery is a security decision

Tool lists and Agent Cards influence what an agent believes it can do. A gateway should not expose the full enterprise registry to every agent. Filter discovery by user, agent, tenant, environment, task type, data classification, region, and approval state. Return only capabilities that could be authorized in the current context, while still rechecking policy at invocation time.

The registry itself needs provenance: owner, protocol, endpoint, schema, version, signer, required scopes, input and output classifications, side effects, idempotency behavior, approval class, egress destinations, rate limits, dependencies, and deprecation state. Treat tool description changes like API contract changes because model selection behavior can change even when the executable endpoint does not.

RegistryWhich tools, agents, models, skills, schemas, owners, versions, and trust metadata exist?
IdentityWhich human or service delegated work, which agent instance acts, and which resource is the token for?
PolicyWhich capability, arguments, target, purpose, approval, data class, and cumulative risk are allowed?
EvidenceWhich discovery result, plan, call, route, policy decision, output, and downstream action occurred?

Every call should pass through a semantic enforcement pipeline

Agent gateway call path
01 DiscoverFilter capabilitiesResolve protocol metadata, registry trust, tenant context, task purpose, and capability visibility.
02 IdentifyBind subject and actorValidate user, agent, client, workload, tenant, audience, delegation chain, expiration, and proof.
03 ParseUnderstand semanticsDecode MCP or A2A operation, model request, tool name, schema version, arguments, targets, and effect class.
04 AuthorizeEvaluate policyCheck object relationships, purpose, argument constraints, data class, approval, region, and segregation.
05 BudgetReserve capacity and riskReserve calls, tokens, cost, mutations, recipients, concurrency, task depth, and time.
06 RouteSelect trusted upstreamChoose tool, model, or agent version; inject upstream credentials; enforce egress and protocol policy.
07 ObserveRecord structured eventsCorrelate task, call, policy, approval, route, stream, result, retries, and downstream invocations.
08 VerifyClose the control loopValidate result schema and postconditions, charge actual usage, stop loops, revoke authority, and emit outcome.

OAuth tokens must be resource-bound, not passed through

The MCP authorization specification requires protected resource metadata based on RFC 9728 and emphasizes least privilege. Its current security guidance requires servers to validate that tokens were issued for their resource and explicitly forbids token passthrough. The gateway should exchange or obtain a downstream token for the exact protected resource rather than forwarding a broad token received from the agent.

Preserve the human or service subject and the acting agent as distinct identities. Short-lived credentials should be scoped to task, tool, tenant, object, and operation. If an agent delegates to another agent, the chain must remain bounded and auditable; delegation should never silently widen scope.

Budgets need more dimensions than requests per second

An agent can stay under a request quota while creating unacceptable aggregate behavior. It may call a cheap tool thousands of times, send many external messages, traverse a deep delegation graph, spend a large token budget, or retry a non-idempotent mutation. Apply limits at call, task, user, tenant, agent, tool, model, and destination levels.

Reserve budgets before execution and reconcile with actual usage afterward. Include input and output tokens, monetary cost, tool calls, write operations, records touched, external recipients, wall-clock time, concurrency, retries, delegated task depth, and a domain-specific risk score. When a task exceeds a threshold, pause for approval instead of merely returning HTTP 429 and encouraging an automated retry loop.

Retries and fallback must respect meaning

Transport retries are dangerous when the operation has side effects. The gateway needs tool metadata declaring idempotency, idempotency-key support, retryable errors, compensation, and postcondition checks. Provider fallback may be acceptable for text generation but forbidden when data residency, model approval, or output compatibility differs.

Streaming and long-running tasks also need session policy. Reauthorize after material context changes, tool registry updates, approval expiration, or delegation. Support cancellation and revocation that propagate to upstream tasks rather than only closing the client connection.

Event logs should explain the task without leaking it

Correlate every discovery response, authorization decision, model request, tool invocation, agent message, retry, approval, and result under a task and trace identifier. OpenTelemetry provides semantic conventions for HTTP and GenAI operations, while MCP-specific conventions are emerging. Use structured protocol attributes rather than treating all traffic as opaque POST requests.

Do not store raw prompts, tool arguments, secrets, or model outputs indiscriminately. Record schemas, hashes, classifications, stable object IDs, policy versions, usage, decisions, and protected evidence references. The operations team needs causality; attackers should not gain a transcript archive.

What I would build

I would build a gateway with a shared HTTP and gRPC data plane plus protocol-aware extensions for model APIs, MCP, and A2A. Its control plane would manage a signed capability registry, authorization policies, credential exchange, budgets, egress, approval classes, schema versions, and telemetry rules.

The primary operations view would reconstruct one task across agent, model, tool, API, and downstream agent boundaries. It would show why each capability was visible, why each call was allowed, what budget changed, which side effects occurred, and where execution stopped.

The design principle

An agent gateway should not decide whether a model's plan is intelligent. It should make every capability visible by policy, every identity explicit, every side effect bounded, every retry semantically safe, and every task reconstructable.