Security

Security isn't a feature.
It's the product.

ModGate exists because 91.5% of MCP servers have no real authentication. Here's exactly how we're different — and why it matters.

The gap we're closing
91.5% of MCP servers lack proper OAuth
41% have zero authentication at all
36.7% are SSRF-vulnerable

Authentication
OAuth 2.1 with PKCE (S256)
All HTTP-based MCP transports require OAuth 2.1 with PKCE. No exceptions. Static API keys are not accepted.
Enforced
Dynamic Client Registration
Agents register programmatically. No manual credential distribution. Clients are issued unique, audience-bound credentials.
Enforced
/.well-known discovery
Every ModGate server exposes a compliant OAuth 2.1 discovery endpoint automatically.
Automatic
Short-lived access tokens
Tokens expire in minutes, not days. Headless refresh flows keep agents running without long-lived credential exposure.
Enforced

Agent identity
Named agent credentials
Every agent gets a named identity with attributes: which user delegated it, what scopes it has, which servers it can access, and when credentials expire.
Available
Tool-level scope policies
Define policies like "Agent X can call read_contacts but not delete_contacts." Granular, per-tool, per-agent.
Available
Audience binding
Tokens issued for server A are cryptographically rejected by server B. Confused deputy attacks are structurally prevented.
Enforced
Instant revocation
One-click revoke any agent's access. For high-security tools, token introspection ensures revocation takes effect immediately — not at expiry.
Available
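
An added example, not ModGate's code: one way a server could combine the audience, expiry, per-tool policy and revocation checks described in this section, in default-deny order. The claim names (`sub`, `aud`, `exp`, `jti`) follow JWT conventions; the agent names, server URLs, policy table and revocation set are constructed for illustration, and signature verification is assumed to have happened already.

```python
import time

# Constructed policy: per-agent allow-list of tools on each server (hypothetical names).
POLICY = {
    "agent-x": {"https://crm.example/mcp": {"read_contacts"}},
    "agent-admin": {"https://crm.example/mcp": {"read_contacts", "delete_contacts"}},
}
HIGH_SECURITY_TOOLS = {"delete_contacts"}  # assumed to need a live revocation check
REVOKED_TOKEN_IDS = set()                  # stand-in for a token introspection endpoint


def authorize_tool_call(claims, this_server, tool, now=None):
    """Return (allowed, reason) for one tool call.

    `claims` must come from a token whose signature was already verified.
    """
    now = time.time() if now is None else now

    # Audience binding: a token minted for server A is refused by server B.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if this_server not in audiences:
        return False, "audience_mismatch"

    # Short-lived tokens: a missing or past expiry is a denial.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"

    # Tool-level policy: anything not explicitly granted is denied.
    allowed = POLICY.get(claims.get("sub"), {}).get(this_server, set())
    if tool not in allowed:
        return False, "tool_not_permitted"

    # High-security tools: check revocation now instead of waiting for expiry.
    if tool in HIGH_SECURITY_TOOLS and claims.get("jti") in REVOKED_TOKEN_IDS:
        return False, "revoked"
    return True, "ok"
```

The reason strings are what would go into an audit record alongside the agent identity and timestamp.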

Infrastructure
Per-tenant isolation
Every customer's MCP server runs in an isolated sandbox. One tenant's breach cannot touch another's data.
Enforced
SSRF protection
All outbound requests from MCP servers are validated. Internal network access is blocked by default.
Enforced
TLS everywhere
All connections encrypted in transit. No plaintext communication at any layer.
Enforced
Secrets never logged
Authorization headers, tokens, codes, and secrets are scrubbed from all logs. Sensitive fields are redacted before storage.
Enforced

Compliance
Full audit log
Every tool call, token issuance, and access decision logged with agent identity, timestamp, and outcome. Searchable and exportable.
Available
SOC 2 Type I (in progress)
SOC 2 Type I audit initiated. Reports available to enterprise customers on request.
In progress
EU data residency
GDPR-compliant EU data residency available on Enterprise plans. Data never leaves your chosen region.
Enterprise

Responsible disclosure

Found a security issue? We take all reports seriously and respond within 24 hours. Please email us directly — we don't have a bug bounty program yet but we'll acknowledge your contribution publicly if you'd like.

tony@modgate.io

Security posture last updated: June 2026 · Arty Fishall LLC