Tool Groups

Groups let you expose different subsets of your upstreams at different MCP endpoints — all from the same running proxy. Use them to create read-only, tiered, or role-based views.

Basic configuration

groups:
  - name: all
    endpoint: /mcp
    upstreams: [kraken, cluster, ops]

  - name: market
    endpoint: /mcp/market
    upstreams: [kraken]

Each group has a unique endpoint path. MCP clients connect to their assigned endpoint and see only the tools from the listed upstreams.

JSONPath filters

The filter field is a JSONPath expression evaluated against each operation in the OpenAPI spec. Only operations that match the filter are included in the group's tools. Non-HTTP upstreams (command, script) are not filtered, so a filter does not narrow the tools they contribute to a group.

Read-only group

groups:
  - name: readonly
    endpoint: /mcp/readonly
    upstreams: [kraken]
    filter: "$.paths.*[?(@['x-mcp-safe'] == true)]"

This includes only operations where x-mcp-safe: true is set in the spec or overlay.

Tier-based group

groups:
  - name: premium
    endpoint: /mcp/premium
    upstreams: [myapi]
    filter: "$.paths.*[?(@['x-mcp-tier'] == 'premium')]"

GET-only (all GET operations)

groups:
  - name: get-only
    endpoint: /mcp/get
    upstreams: [myapi]
    filter: "$.paths.*.get"

Group-level auth

Combine groups with inbound auth to create access-controlled endpoints. Configure inbound_auth on each group independently:

groups:
  - name: public
    endpoint: /mcp/public
    upstreams: [kraken]
    # no inbound_auth — open access

  - name: internal
    endpoint: /mcp/internal
    upstreams: [kraken, cluster]
    inbound_auth:
      strategy: jwt
      jwt:
        issuer: https://auth.example.com
        jwks_url: https://auth.example.com/.well-known/jwks.json
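
A pre-deployment check for the group settings described above, as an added example that is not part of the proxy's own code: it flags reused endpoint paths, groups with no inbound_auth, and filtered groups that list command or script upstreams. The config is constructed sample data written as Python dicts, and the UPSTREAM_KINDS map and the audit_groups function are hypothetical names.

```python
# Added example: static review of a `groups` config before deployment.
# GROUPS is constructed sample data shaped like the YAML on this page.
# UPSTREAM_KINDS is a hypothetical name -> kind map (an assumption);
# fill it in from your own upstream definitions.
UPSTREAM_KINDS = {"kraken": "http", "cluster": "command", "ops": "script"}
NON_HTTP = {"command", "script"}  # kinds the page says are not filtered

GROUPS = [
    {"name": "all", "endpoint": "/mcp", "upstreams": ["kraken", "cluster", "ops"]},
    {"name": "readonly", "endpoint": "/mcp/readonly",
     "upstreams": ["kraken", "cluster"],
     "filter": "$.paths.*[?(@['x-mcp-safe'] == true)]"},
    {"name": "internal", "endpoint": "/mcp/internal",
     "upstreams": ["kraken", "cluster"],
     "inbound_auth": {"strategy": "jwt", "jwt": {
         "issuer": "https://auth.example.com",
         "jwks_url": "https://auth.example.com/.well-known/jwks.json"}}},
    {"name": "streaming", "endpoint": "/mcp", "upstreams": ["kraken"]},
]


def audit_groups(groups, upstream_kinds):
    """Return a list of (group_name, code, detail) findings."""
    findings = []
    seen = {}  # endpoint -> first group that claimed it
    for g in groups:
        name, endpoint = g["name"], g["endpoint"]
        # Each group needs its own endpoint path.
        if endpoint in seen:
            findings.append((name, "duplicate-endpoint",
                             f"{endpoint} already used by {seen[endpoint]}"))
        else:
            seen[endpoint] = name
        # No inbound_auth means open access; confirm that is intended.
        if not g.get("inbound_auth"):
            findings.append((name, "open-access", f"{endpoint} has no inbound_auth"))
        # A filter is not applied to command/script upstreams.
        if g.get("filter"):
            for up in g["upstreams"]:
                kind = upstream_kinds.get(up)
                if kind is None:
                    findings.append((name, "unknown-upstream", up))
                elif kind in NON_HTTP:
                    findings.append((name, "unfiltered-upstream",
                                     f"{up} ({kind}): filter not applied"))
    return findings


if __name__ == "__main__":
    for finding in audit_groups(GROUPS, UPSTREAM_KINDS):
        print(*finding, sep=": ")
```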

Transport per group

Each group can specify which MCP transports to enable:

groups:
  - name: streaming
    endpoint: /mcp
    upstreams: [kraken]
    transport:
      - streamable-http
      - sse

Supported transports: streamable-http, sse.

Default group

If no groups are defined, the proxy creates a default group at /mcp that includes all upstreams with no filter.
