MCP Gateway 2026: Composio vs Docker vs MCPJungle vs Obot
Four MCP gateways, four very different bets. Composio sells you managed OAuth across a thousand SaaS apps. Docker gives you container-isolated routing inside Docker Desktop. MCPJungle is a sharp, single-purpose router that just does the routing. Obot bundles a gateway, a registry, and a chat UI into one self-hosted platform. We pulled every fact below from the official repos, docs, and product pages — and call out the trade-offs each one papers over.
On this page · 14 sections▾
TL;DR + decision tree
- You mostly use SaaS apps and want zero ops — Composio. Managed OAuth across 1,000+ toolkits, per-user endpoints, you pay them to handle the connector tax. Lock-in is real; speed-to-value is unbeatable.
- You’re Docker-comfortable and want container isolation — Docker MCP Gateway. Every MCP server runs in its own container with bounded CPU, memory, and network. Docker Desktop integration is one toggle.
- You need a sharp router and the rest of your stack already does auth + observability — MCPJungle. Self-hosted, MPL-2.0, Prometheus-compatible metrics, tight scope. OAuth is on the roadmap, not yet shipped.
- You want one self-hosted product that does gateway + registry + chat UI + audit — Obot. MIT, batteries included, OAuth 2.1, RBAC. The trade-off is that you adopt the whole platform, not just the gateway slice.
These four overlap less than the names suggest. Composio and Obot include MCP gateway features inside larger products. Docker’s gateway is bundled with the catalog and Docker Desktop. MCPJungle is the only one whose entire scope is the routing layer. Pick by what else you need around the routing — the routing itself works in all four. Section below walks through the decision frame more carefully.
What an MCP gateway actually does
Strip away the marketing and an MCP gateway does four jobs. Different products weight them differently — that’s the whole basis for choosing between them.
Job 1: Registry and discovery. Somewhere the gateway has a list of MCP servers it knows about, with metadata about each (tools exposed, auth required, transport, version). When a client connects, the gateway can advertise the union of tools across all registered servers as a single tool list. Obot ships a curated registry; Composio runs one centrally; MCPJungle has CLI commands to register tools; Docker uses the MCP Catalog (200+ servers) as its registry.
Job 2: Tool routing. When the model calls a tool, the gateway figures out which underlying MCP server owns that tool and forwards the call. This is where namespace collisions happen — if two underlying servers both expose a tool named search, the gateway has to disambiguate. Tool groups (MCPJungle), connection-level scoping (Obot), and explicit server-IDs in the URL (Composio) are the three strategies in use.
Job 3: Auth proxy. The hardest job. The gateway holds — or brokers — credentials for the upstream MCP servers and presents a single auth surface to the client. Composio is the most opinionated here (full managed OAuth with refresh handling). Obot supports OAuth 2.1 end-to-end. Docker injects credentials from secrets into each container. MCPJungle today does bearer-token auth, with OAuth on the roadmap.
Job 4: Sandboxing and isolation. A malicious or buggy MCP server should not be able to read your SSH keys or eat all your RAM. Docker MCP Gateway is the only one of the four where strict container isolation is the default — every upstream server runs with restricted privileges, capped resources, and explicit network rules. Obot inherits whatever isolation your Kubernetes namespace provides. MCPJungle runs upstream stdio servers as child processes (no extra isolation). Composio sandboxes execution server-side but you don’t see the boundaries.
A gateway you adopt should be evaluated against all four jobs. Reading vendor pages, you’ll notice each leans heavy on one or two and quiet on the rest. The matrix below maps every product against every job so the trade-offs are obvious.
One more thing worth naming up front: a gateway is not a substitute for getting good at writing MCP servers. The gateway routes; it doesn’t make a bad MCP server good. If an upstream server has poorly named tools, ambiguous descriptions, or unbounded result payloads, those problems get amplified — the model sees more tools through a gateway, not fewer, so the noise floor is higher. Plan for both: the right gateway choice and the discipline to curate which upstream servers earn a spot in your routing tree. Many teams treat the gateway as gatekeeping infrastructure and run a quarterly review of what’s registered, in the same way you’d audit installed VS Code extensions.
Four axes that matter
Beyond the four jobs above, four practical axes decide whether a gateway fits your shop. We score each tool against these in the matrix and in the per-tool sections.
License and source availability. Composio is proprietary SaaS — you can’t download and run their gateway on your own hardware (bring-your-own-cloud exists for enterprise, but it’s a managed dedicated deployment, not source-available). The other three are open source: MCPJungle under MPL-2.0, Obot under MIT, Docker MCP Gateway as part of Docker’s OSS tooling. License matters because gateways tend to become load-bearing infrastructure — being able to fork or audit is non-trivial.
Host: hosted SaaS vs self-hosted vs hybrid.Composio is hosted by default (your gateway URL lives atbackend.composio.dev). Docker MCP Gateway runs locally on each developer’s machine via Docker Desktop, or centrally on a server via the CLI plugin. MCPJungle and Obot are deploy-anywhere — your laptop, a VM, a Kubernetes cluster. The host choice is also a data choice: hosted means the gateway operator sees every tool call and every credential.
Tool catalog size and curation. Composio advertises 1,000+ toolkits with managed OAuth — that’s the headline number. Docker MCP Catalog lists 200+ vetted servers, weighted toward developer infra. Obot ships a curated registry of MCP servers it knows how to host. MCPJungle is bring-your-own — it routes to whatever you register and doesn’t opine on the catalog. Bigger isn’t always better; a curated catalog is faster to navigate, while a bring- your-own catalog avoids gatekeeping.
Auth depth and sandboxing. The pair that matters most for production. Composio: full managed OAuth, no runtime sandbox visible to you. Docker: container isolation first, credential injection second. Obot: OAuth 2.1, RBAC, and whatever isolation your host platform gives you. MCPJungle: bearer auth today, ACLs in enterprise mode, no sandboxing. Three of the four cover production-grade auth; only Docker gives you process-level isolation out of the box.
Side-by-side matrix
Every cell is sourced from the official repo or product page. Star counts and version stamps were captured 2026-05-11; treat them as a snapshot, not a forever truth.
| Dimension | Composio | Docker MCP Gateway | MCPJungle | Obot |
|---|---|---|---|---|
| Maintainer | Composio (commercial) | Docker, Inc. | mcpjungle (community) | obot-platform (open core) |
| License | Proprietary (SaaS) | OSS via Docker tooling | MPL-2.0 | MIT |
| Host | Hosted SaaS + BYOC | Local (Docker Desktop) or Engine | Self-host anywhere | Self-host anywhere |
| Language | Python / Node SDKs | Go (Docker CLI plugin) | Go | Go |
| Pre-built tools | 1,000+ toolkits | 200+ MCP Catalog servers | Bring-your-own | Curated registry |
| Auth | Managed OAuth (full) | Credential injection per container | Bearer tokens; OAuth on roadmap | OAuth 2.1 + RBAC |
| Sandboxing | Server-side (opaque) | Container per server (strict) | Process spawning (none) | Inherits host (k8s namespaces) |
| Observability | Dashboard + logs | Built-in call tracing | Prometheus / OTel metrics | Audit logging + usage dashboard |
| MCP transport (client) | Streamable HTTP | stdio + Streamable HTTP | Streamable HTTP (primary), stdio | Streamable HTTP, stdio |
| Best fit | SaaS-heavy teams, zero ops | Docker shops, dev tooling | Routing-only, embed in your stack | All-in-one self-hosted MCP platform |
Three takeaways. First, only Docker gives you strict per-server sandboxing out of the box — if isolating a malicious MCP server is in your threat model, that single row often decides the choice. Second, Composio is the only one with managed OAuth across a large app catalog; if your agent needs to OAuth into ten SaaS apps and you don’t want to write ten broker integrations, the math favours them. Third, MCPJungle and Obot are both Go-based self-host options but they aim at different problems — MCPJungle is single-purpose, Obot is a platform. Picking between them is mostly about scope discipline.
Composio — managed SaaS
Composio
Hosted MCP gateway with managed OAuth across 1,000+ SaaS toolkits — Slack, Gmail, Linear, GitHub, Notion, Salesforce, Hubspot, the long tail.
- Per-user MCP endpoints at backend.composio.dev/v3/mcp/{server-id}
- Managed OAuth: token storage, refresh, lifecycle
- Bring-your-own-cloud option for enterprise
- Streamable HTTP transport; client-agnostic
What it does best
Composio sells the OAuth tax. Connecting Gmail, Slack, Linear, Hubspot, and Salesforce to an MCP-aware agent is, individually, a few days of work each: register an OAuth app with the vendor, store client secrets, handle redirect flows, refresh tokens before expiry, store per-user credentials, deal with the vendor’s rate limits and pagination quirks. Composio has already done that for over a thousand apps. You sign up, you pick which toolkits matter, your users do a connect flow at a Composio-hosted URL, and your agent gets per-user MCP endpoints that just work. The price is dependency on a third party for credential storage.
Pick this if you...
- Need an agent that touches more than five SaaS apps and you don’t want to build a credential broker
- Are comfortable with a hosted vendor seeing tool calls and storing OAuth tokens on your users’ behalf
- Need to ship fast — Composio is days-to-value where self-hosting is weeks
- Have enterprise sponsorship for BYOC if multi-tenant SaaS isn’t acceptable for your data classification
Recipe: ship a Linear-and-Slack triage agent in an hour
Assume you’ve created a Composio account and your team has connected Linear and Slack via the dashboard. In a Cursor chat config:
{
"mcpServers": {
"composio": {
"url": "https://backend.composio.dev/v3/mcp/YOUR_SERVER_ID?user_id=YOUR_USER_ID",
"headers": {
"x-api-key": "ck_live_..."
}
}
}
}The agent now sees Linear and Slack tools side by side. Ask it to “triage open Linear issues tagged bug, post a summary to #engineering with @-mentions for the assignees” and it picks the right tools and runs the OAuth-backed calls against each user’s stored credentials. The interesting part isn’t the agent loop — it’s that you didn’t write any OAuth code. Replace Linear and Slack with any combination of the 1,000+ toolkits.
Skip it if...
You have hard requirements that user OAuth tokens never leave your infrastructure, or your auditors say a third party can’t hold credentials for production systems. BYOC helps but is an enterprise sale. If self-hosting is mandatory, Obot is the closest functional substitute for the breadth-of- integrations angle, though you’ll wire the OAuth flows yourself.
Docker MCP Gateway — install + recipe
What it does best
Docker MCP Gateway is the only gateway in this comparison where strict per-server isolation is the default and not an afterthought. Every MCP server in the catalog runs inside its own Docker container with constrained CPU and memory, an explicit network policy, and no access to the host filesystem beyond what you opt into. Pair that with Docker Desktop’s MCP Toolkit (one toggle to flip on) and a curated catalog of 200+ vetted servers, and you have a gateway that’s safe to run in shops with strict supply-chain rules. The vendor-trust story is also strong: it’s an Inc. behind it, not a single-maintainer GitHub repo.
Pick this if you...
- Already standardised on Docker Desktop or Docker Engine and want to add MCP without introducing a new runtime
- Need container-grade isolation between MCP servers so a buggy server can’t take out neighbours or the host
- Want a vetted catalog and a vendor that ships security patches without you babysitting GitHub releases
- Care about supply-chain provenance (signed images, SBOMs, the usual Docker apparatus carried into MCP land)
Recipe: run a database + browser MCP pair safely
After enabling the MCP Toolkit in Docker Desktop, open the gateway settings and add two servers from the catalog: the Postgres MCP and the Playwright MCP. Each pulls as a container image. Then point Cursor at the gateway:
{
"mcpServers": {
"docker": {
"command": "docker",
"args": ["mcp", "gateway", "run"]
}
}
}The agent now has Postgres and Playwright tools available, each container-isolated. Ask “query the orders table for rows where status=pending and load each one’s tracking URL in a Playwright browser to verify it 200s” and the Postgres container talks to your database (over a network you explicitly opened), while the Playwright container scrapes URLs in its own namespace. Neither container sees the other’s credentials. A misbehaving server can’t escalate into the host because Docker’s default capability set is restrictive.
Skip it if...
You don’t run Docker, or you need the gateway to live in a managed control plane that you can’t put a Docker daemon inside (some serverless platforms). It’s also overweight if your only need is two or three lightweight HTTP MCP servers — MCPJungle does that in fewer moving parts.
MCPJungle — minimal router
MCPJungle
Sharp, single-purpose MCP gateway and registry. Run it as a binary or container, register upstream servers via CLI, expose one HTTP endpoint to all your clients.
- Self-hosted; binary, Homebrew, or Docker Compose
- Tool Groups to scope which tools each client sees
- Bearer-token auth today; OAuth marked as coming soon
- Prometheus-compatible OpenTelemetry metrics built in
What it does best
MCPJungle is the right answer when the routing problem is your only problem. The whole codebase fits in your head, deployment is a single binary, and the feature surface stays scoped. You register upstream servers with a CLI, group tools by client audience, and expose a single Streamable HTTP endpoint. Auth is bearer-token based — fine for service-to-service, fine for a trusted internal team, less fine if you need user-level OAuth proxying. The trade-off is honest: less surface area than Obot or Docker, less polish than Composio, but a tighter and more-auditable router.
Pick this if you...
- Already have an auth provider (Auth0, Okta, Cognito) and observability stack (Prometheus, Grafana) and don’t need the gateway to ship them
- Want a self-hosted gateway with a small, readable Go codebase you can fork if needed
- Need Tool Groups to scope which tools different agents or teams see, without standing up a full RBAC system
- Value an MPL-2.0 license that lets you self-host commercially without copyleft-ing your stack
Recipe: front three internal MCP servers behind one endpoint
Install MCPJungle and start it:
brew install mcpjungle/mcpjungle/mcpjungle
mcpjungle start --port 8080
# Register three upstream servers
mcpjungle register \
--name docs \
--url http://docs-mcp.internal:9000
mcpjungle register \
--name search \
--url http://search-mcp.internal:9100
mcpjungle register \
--name finance \
--url http://finance-mcp.internal:9200
# Create a tool group for the finance team only
mcpjungle tool-group create finance-team \
--servers finance,docsNow every client in the finance team points at the samehttp://mcpjungle.internal:8080 with a tool-group token, and they see only the finance and docs tools. Engineering clients hit the same endpoint with a different token and see everything. The whole flow is one daemon, three CLI commands, one HTTP endpoint per client. If you need OAuth, you wrap the gateway behind your existing identity proxy (Pomerium, oauth2- proxy) and let it handle the user-level flow.
Skip it if...
You need built-in managed OAuth for per-user credentials — that’s on the roadmap, not in the codebase today. If you don’t have an existing identity-proxy story, MCPJungle pushes the auth problem onto you. Composio solves that out of the box; Obot solves it with native OAuth 2.1.
Obot — full platform
Obot
Open-source MCP platform: gateway, registry, chat client, RBAC, audit logging, and OAuth 2.1 — all in one Go codebase under MIT.
- MCP gateway + curated registry + built-in chat UI
- OAuth 2.1 end-to-end; RBAC with role-based scoping
- Docker / Kubernetes deploys; runs MCP servers natively
- Audit logging and usage dashboards out of the box
What it does best
Obot is the answer when you want one self-hosted thing to be your whole MCP story. The gateway is there, but so is a registry of curated MCP servers, a chat UI for non-developers, audit logging, RBAC, and OAuth 2.1. You install once and you get the whole stack; you don’t bolt together a gateway, an identity proxy, an observability sidecar, and a chat client from four repos. The cost is buying into the Obot way of doing things — if you only need the gateway slice, you’re hosting a lot of extra surface area.
Pick this if you...
- Want a self-hosted MCP platform that’s usable by non-engineers (PMs, support, ops) via the bundled chat UI
- Need OAuth 2.1 and RBAC out of the box without standing up Keycloak or wiring oauth2-proxy
- Care about audit logging — every tool call recorded, who ran it, when, and what came back
- Are okay running a Kubernetes namespace or a docker compose stack instead of a single binary
Recipe: stand up Obot with two MCP servers and a chat UI
Quickest path is docker compose. After cloning the obot repo and configuring an OIDC provider:
docker run -d --name obot \
-p 8080:8080 \
-e OBOT_SERVER_AUTH_PROVIDER=github \
-e GITHUB_AUTH_CLIENT_ID=... \
-e GITHUB_AUTH_CLIENT_SECRET=... \
ghcr.io/obot-platform/obot:latest
# Visit http://localhost:8080
# Browse the registry, click 'install' on two MCP servers
# (e.g. GitHub MCP + Postgres MCP). Obot pulls and runs them.
# Now your Cursor / Claude Code config:
{
"mcpServers": {
"obot": {
"url": "http://obot.internal:8080/mcp",
"headers": { "Authorization": "Bearer YOUR_OBOT_TOKEN" }
}
}
}Non-engineers in your org can open the Obot chat UI and ask questions against the same MCP servers without ever touching Cursor. Audit logs surface every tool call. RBAC lets you give support engineers GitHub read-only and engineering full access. The whole stack is one container in dev or one Helm chart in production.
Skip it if...
You only need a thin routing layer — Obot is a platform, and MCPJungle is the lighter answer. Also skip if you don’t want a built-in chat UI; you’re still paying the operational cost of maintaining one.
Self-host vs SaaS for MCP routing
The host axis is the loudest in this category and the most misunderstood. SaaS gateways (Composio) get you to working tooling faster than self-hosted ones (Docker, MCPJungle, Obot), but they centralise a kind of risk that’s not always priced in. Walk through the cases.
The pro-SaaS case. Onboarding is hours, not weeks. Managed OAuth across hundreds of apps would take a team months to replicate. Vendor handles uptime, patching, vulnerability response. Per-user endpoints and credential storage are someone else’s problem. For a team shipping a customer- facing agent that needs to touch the SaaS stack of a thousand customers — each with their own Slack workspace, their own Gmail account, their own Hubspot org — building this yourself is not a good use of time. Composio earns its keep.
The pro-self-host case. The gateway is now in the path of every privileged action your agents take. The blast radius of a gateway compromise is total. A SaaS gateway means you trust the operator with that blast radius. For internal tools touching production databases, source code, or customer PII, many teams won’t accept that trust boundary. Self-hosting means the credentials live in your secret manager, the logs live in your SIEM, and a compromise of the gateway operator doesn’t cascade into your stack.
The hybrid case. Docker MCP Gateway and Obot let you keep self-hosted control while still benefiting from curated catalogs. The gateway runs on your hardware; the catalog is vendor-curated but the code paths are auditable. MCPJungle takes hybrid further — bring your own catalog entirely, the gateway just routes.
Practical rule: SaaS for customer-facing agents touching the long tail of consumer SaaS; self-hosted for internal agents touching anything in your production stack. Many teams end up with one of each, talking to different agents — that’s fine and not a sign of architectural failure.
Yes, you can combine gateways
Nothing in the MCP spec stops one gateway from being an upstream of another. A common pattern in larger orgs: a top-level Obot or MCPJungle gateway that fans out across teams, with team- specific Docker MCP Gateways behind it providing container- isolated tools, and a Composio endpoint plugged in as one more upstream for the SaaS-heavy tools. Clients see one URL; the back-end is a routing tree. The cost is operational — two gateway processes to keep alive, two sets of logs, two failure modes — but the payoff is that you get container isolation where you need it and managed OAuth where you need it, without picking one. Teams under twenty people rarely need this; teams over a hundred almost always end up here.
Pre-built integrations: who has what
The headline integration counts are misleading without context. Composio’s 1,000+ toolkits and Docker MCP Catalog’s 200+ servers count different units of work, so direct comparisons need a caveat.
Composio counts toolkits. A toolkit is an integration with one SaaS app — Slack, Linear, Gmail, Hubspot, Stripe. Inside each toolkit are usually 5-50 tools (list channels, post message, react with emoji). The catalog spans CRM, sales, support, marketing, productivity, dev tools, and the long tail of business SaaS. Weighting is heavy toward managed-OAuth-required apps because that’s where Composio adds the most value.
Docker MCP Catalog counts MCP servers. Each server is itself a complete MCP — Postgres, GitHub, Playwright, Brave Search, Kubernetes, Memory, Sequential Thinking. The catalog skews toward developer infrastructure: databases, browsers, container platforms, search APIs, version control. Each one runs in its own container. That’s why 200+ here isn’t directly comparable to 1,000+ over there — these are larger, longer-lived units of execution.
Obot ships a curated registry. Smaller than either, but every entry is one Obot can host natively (no separate runtime). Lean toward developer tooling and AI infra.
MCPJungle is bring-your-own. No catalog. You point it at whatever you want to route to. Practically this means you find MCPs from mcp.directory or other registries and register them yourself.
If you need breadth across SaaS apps with managed OAuth, Composio wins on pure surface area. If you need vetted dev infra with container isolation, Docker MCP Gateway wins on production-readiness. If you need a curated MCP-platform experience, Obot wins on cohesion. If you want zero opinion, MCPJungle wins on minimalism. Pick the question first; the catalog math falls out of it.
One subtlety on catalog quality: integration depth varies wildly within Composio’s 1,000+ figure. Tier-one apps (Slack, Gmail, GitHub, Linear) have dozens of well-named tools with clear descriptions. Long-tail apps sometimes have just three or four tools wrapping a thin slice of an API. Before committing to a gateway based on raw catalog size, sample 10 specific integrations you actually need and check tool descriptions, argument shapes, and error handling. The headline number does not predict the experience for any single integration; pulling a sample is fifteen minutes well spent.
Common pitfalls
Gateway becomes a single point of failure
Every tool call funnels through one process. If the gateway is down, every agent in every editor on every laptop loses every tool. Run the gateway under a process supervisor (systemd, docker restart=always) and put a health-check on it in your monitoring. For Composio, accept that you inherit their uptime; check their status page and budget for incident windows.
Auth proxy strips the wrong headers
Some upstream MCP servers expect specific request headers (custom Authorization schemes, vendor-specific tokens). A naive gateway that rewrites Authorization will break them. Both MCPJungle and Obot support custom-header pass-through; test every upstream server before assuming it works through the gateway.
Tool-name collisions confuse the model
Two upstream servers exposing tools named search or get will produce ambiguity. Gateways disambiguate differently — Composio scopes by server ID in the URL, MCPJungle uses tool groups, Obot uses server prefixes. Either way, watch for tool descriptions that don’t make the server origin clear, and rename or prefix where you can.
Credential blast radius after a leak
A gateway holds credentials for many downstream services. A single token exfiltration unlocks everything the gateway can reach. Mitigations: scoped tokens per upstream (no org-wide admin), short-lived tokens with refresh, and network ACLs so the gateway can only talk to the systems it routes to. Read the OWASP MCP Top 10 in our /blog/ mcp-security piece for the broader threat model.
Catalog drift — the gateway has stale tool definitions
Upstream MCP servers update their tool definitions over time. A gateway that caches the union of tools at startup can serve stale signatures until restart. Docker MCP Gateway and Obot refresh on container restart; MCPJungle and Composio refresh on registration. Schedule periodic refresh, or trigger one after every catalog change.
Description bloat at the aggregate level
A gateway with 200 tools advertises 200 tool descriptions on every prompt. That eats context fast — even a frugal 50-token description across 200 tools is 10k tokens of overhead. Use tool groups (MCPJungle), per-user scoping (Composio, Obot), or progressive disclosure to keep relevant tools in scope. Our /blog/mcp-context-bloat- fix-2026-tool-search-code-mode-progressive-disclosure post has the full pattern.
Forgetting to audit tool calls
All four gateways log tool calls in some form. Few teams actually read those logs until something breaks. Set up a weekly review of tool-call patterns — unusual frequency, novel argument shapes, tools called by accounts that shouldn’t need them. The audit trail is only useful if it’s read.
Community signal
The MCP gateway category is moving weekly in 2026. Quotes pulled from project READMEs and product pages on 2026-05-11:
“A self-hosted MCP gateway for developers and teams who want to manage multiple MCP servers” without scattered configurations.
— MCPJungle project README, github.com/mcpjungle/mcpjungle
“Complete MCP Platform — Hosting, Registry, Gateway, and Chat Client.”
— Obot project description, github.com/obot-platform/obot
“A centralized proxy between clients and servers, managing configuration, credentials, and access control” — running MCP servers “in isolated Docker containers with restricted privileges, network access, and resource usage.”
— Docker MCP Gateway docs, docs.docker.com/ai/mcp-gateway
The consistent theme across all four projects is operator fatigue — the actual pain point isn’t a missing protocol or a slow tool, it’s the per-laptop configuration burden across an editor, a desktop client, a CI runner, and a teammate who joined last week. Gateways solve that. Pick the one whose opinions about auth, isolation, and registry match what your team already does.
Three signals to watch in 2026 as the category matures. First, whether MCPJungle ships its planned OAuth support — that would close the only material gap with Obot for self-hosted setups and change the calculus for a lot of teams. Second, whether Docker MCP Gateway extends beyond Docker Desktop into managed- control-plane offerings (Docker Build Cloud, Docker Hub-hosted gateways) — the local-only story is the main reason teams who like the container isolation model still pick Obot. Third, whether Composio publishes a credible response to the “you hold all our OAuth tokens” objection that keeps security- conscious enterprises on self-hosted gateways. The BYOC story exists but isn’t loud, and the multi-tenant default is a hard sell for regulated industries. All three of these are tractable problems with public roadmaps; expect at least one resolved by end of year.
Frequently asked questions
What is an MCP gateway and why do I need one?
An MCP gateway sits between your AI client (Claude, Cursor, Codex, Windsurf) and the actual MCP servers you want to use. Instead of pasting twenty server configs into every client on every laptop, the client connects to the gateway once and the gateway routes to whichever underlying server the tool call needs. You typically need a gateway as soon as you cross three thresholds: more than five MCP servers in use, more than one person on the team, or any single MCP that requires a credential you don't want sitting in plain JSON on a developer machine. Below those thresholds, raw mcpServers blocks in your client config work fine.
Composio vs Docker MCP Gateway — which has more pre-built tools?
Composio advertises 1,000+ toolkits across SaaS apps (GitHub, Gmail, Slack, Notion, Salesforce, Linear, the long tail of CRM and ticketing). Docker MCP Catalog lists 200+ tools and services, weighted toward developer infrastructure (databases, browsers, Kubernetes, GitHub, search). If your agent needs to send a Slack message, file a Jira ticket, and create a Hubspot deal, Composio's marketplace is the shortest path — they've already done the OAuth dance for you. If your agent does shell commands, queries Postgres, scrapes a page, and pushes to GitHub, Docker's catalog covers it and you keep everything self-hosted with container isolation per server.
Is MCPJungle production-ready in 2026?
It's been adopted in production but you should read the trade-offs. MCPJungle (MPL-2.0, written in Go, ~1k GitHub stars at time of writing) is a self-hosted gateway focused on the routing problem: one HTTP endpoint, many MCP servers behind it, ACLs in enterprise mode. It does stateful and stateless modes, has tool groups, and exposes Prometheus-compatible OpenTelemetry metrics. The honest weak spot is that OAuth is marked as 'coming soon' — auth today is bearer-token-based, which is fine for service-to-service but means you can't directly proxy a user's GitHub OAuth through the gateway. If you need that, look at Obot or Composio.
Can I run Obot on my own infrastructure or is it cloud-only?
Obot is MIT-licensed and you run it yourself — Docker Compose, Kubernetes via Helm, or a single docker run for local kicking-the-tires. There is no required hosted service. The Obot project ships the whole stack: an MCP gateway, an MCP server registry, a built-in chat client, RBAC, audit logging, and OAuth 2.1 support. Practically that means a small team can stand up Obot once, point their Cursor and Claude Desktop clients at it, and let the gateway manage which users see which servers without per-user secrets in each editor.
Does Docker MCP Gateway require Docker Desktop?
Docker Desktop is the easy path — flip the MCP Toolkit feature on and you have a working gateway. For Linux servers or CI runners without Docker Desktop, Docker ships the gateway as a CLI plugin (binary in ~/.docker/cli-plugins/) you install manually against any Docker Engine. Either way the architecture is the same: every MCP server runs inside its own container with capped CPU, memory, and network access, so a misbehaving server can't take out the host. That sandboxing-by-default is the strongest reason to pick Docker MCP Gateway over a lighter router like MCPJungle.
How does Composio handle authentication for the apps it integrates?
Composio runs a managed OAuth broker. You point your users at a Composio-hosted connect flow, they OAuth into GitHub or Gmail or wherever, and Composio stores the refresh tokens server-side. Your MCP endpoint (https://backend.composio.dev/v3/mcp/{server-id}?user_id={user-id}) gets per-user URLs, and each tool call is executed against the right user's stored credential. The trade-off is concentrated: Composio holds tokens for every connected app for every user, so an account compromise there has wide blast radius. For internal-only deployments you can use bring-your-own-cloud, but the default is multi-tenant SaaS.
Which gateway should I pick for a team of 5-50 engineers?
Three reasonable defaults, depending on shape. If your team mostly uses SaaS apps (Slack, Linear, Notion, GitHub web) and you want zero ops, Composio is the shortest path — managed OAuth, hosted endpoints, 1,000+ apps already plumbed. If you're a Docker-comfortable infra team and you mostly use developer tooling, Docker MCP Gateway gives you container isolation, Docker Desktop integration, and 200+ vetted servers in the catalog. If you want a unified MCP platform with a built-in chat UI and audit logging — and you're OK self-hosting — Obot has all of that in one repo. MCPJungle is best when the routing problem is the only problem (you have the auth and observability stack elsewhere already).
Do these gateways support remote MCP / streamable HTTP?
All four expose Streamable HTTP as the primary transport for clients connecting to the gateway. The difference is on the upstream side. MCPJungle and Obot can talk to upstream MCP servers over both stdio (spawning processes) and Streamable HTTP. Docker MCP Gateway spawns each upstream MCP server in its own container, then exposes the aggregate to clients. Composio mostly proxies to its own server-side tool execution; underlying integrations are not exposed as raw MCP servers to the gateway operator. If you need a long-running stdio-based community MCP server like the Playwright MCP, MCPJungle, Obot, and Docker Gateway can host it; Composio cannot.
Is it safe to give an MCP gateway access to all my tools at once?
Only if you've thought carefully about least privilege per tool, per user, per request. The gateway becomes a credential aggregation point — if it's compromised, every downstream MCP it routes to is compromised too. The mitigations are well-known but require setup: scoped tokens per MCP server (not org-wide admin tokens), RBAC to limit which users can call which tools, audit logging on every tool call, and container or process isolation between servers. Docker MCP Gateway, Obot, and MCPJungle Enterprise all support these patterns. We cover the broader threat model in our /blog/mcp-security-200000-exposed-servers-owasp-mcp-top-10-cves piece.
Can I switch gateways later or am I locked in?
The MCP protocol itself is the lock-in firebreak. As long as your upstream MCP servers and downstream clients speak standard MCP (which they all do — that's the point), swapping the gateway in the middle is mostly a config change. The wrinkle is sidecars: Composio's managed OAuth, Obot's chat client and registry, Docker's container-per-server model — those don't transfer when you switch gateways. So the real lock-in is your auth and audit story, not the routing layer. Plan for portability by keeping per-app credentials in your own secret manager (Vault, AWS Secrets Manager, doppler) and treating the gateway as stateless routing infrastructure.
Sources
Composio
- composio.dev — product page, 1,000+ toolkits claim
- docs.composio.dev — auth methods, MCP transport, per-user endpoint shape
Docker MCP Gateway
- docs.docker.com/ai/mcp-gateway — gateway architecture, container isolation
- hub.docker.com/mcp/explore — MCP Catalog
- /servers/docker-mcp-server — directory entry with install configs
MCPJungle
- github.com/mcpjungle/mcpjungle — source, MPL-2.0
- mcpjungle.com — project site, enterprise features
Obot
- github.com/obot-platform/obot — source, MIT
- docs.obot.ai — installation, auth, registry
Related comparisons + primers
- /blog/mcp-security-200000-exposed-servers-owasp-mcp-top-10-cves — threat model that justifies sandboxing requirements
- /blog/oauth-21-for-remote-mcp-servers-streamable-http-explained-2026 — the auth-proxy story explained
- /blog/mcp-foundation-linux-foundation-aaif-2026-explained — protocol governance context
- /blog/what-is-mcp — protocol primer