Skip to main content
The MCP section of the Tyk Dashboard is the central registry of all MCP servers in your organization. Each proxy entry records the upstream server address, the listen path clients use to connect, the tools and resources the server exposes, and the access policies that govern it. Teams have a single authoritative place to see what MCP capabilities are available, onboard new servers, and control who can access them. The section gives you a searchable catalog of all registered proxies, a guided creation wizard for onboarding new servers, and the MCP Designer with two tabs: Settings for proxy-level configuration and middleware, and Primitives for managing per-primitive middleware on individual tools, resources, and prompts. For scripted or automated management, use the Dashboard API or Gateway API. See MCP API extensions for the full endpoint reference.
MCP OAS definitions use the Tyk OAS format. They are not available as Tyk Classic API definitions. For the full definition structure, see MCP OAS definition.

Permissions

Access to MCP proxy management is controlled by the mcp permission on the user’s role. Permissions are assigned in the Dashboard under User Management → Users. For organization-wide access control, configure permissions on user groups rather than individual users. MCP permission setting in the Dashboard

The MCP proxies list

The list page shows every MCP proxy managed by this Dashboard instance. Clicking a row opens the MCP Designer. The search input at the top filters proxies by name in real time. Clear the input to return to the full list. The Add MCP Proxy button opens the creation wizard. MCP proxy list

Create an MCP proxy

The creation wizard collects the minimum information needed to define a working MCP proxy. It has three steps.

Step 1: Basic information

The name must be unique across all MCP proxies in this Dashboard instance. Click Continue to proceed. Create MCP proxy, step 1: basic information

Step 2: Register server

Enter the full URL of your upstream MCP server, for example https://weather-mcp.example.com. This is the server Tyk proxies to, not the URL clients use to connect to Tyk. Click Continue to proceed. Create MCP proxy, step 2: register server

Step 3: Connect gateways

Select the gateway instances to deploy this proxy to. You can click Skip for now to save the proxy without deploying it; it will exist in the Dashboard but will not serve traffic until you return and assign a gateway. Click Finish to save. The Dashboard displays “MCP proxy successfully created” and returns you to the proxy list.
The wizard creates the proxy with bearer token authentication enabled and a listen path derived from the proxy name. For most deployments you’ll want to open the MCP Designer to configure authentication, add per-primitive middleware, or set up OAuth discovery. See the Settings tab and Primitives tab below.

The MCP Designer

Clicking a proxy in the list opens the MCP Designer. The MCP Designer has two tabs. MCP Designer tabs

Settings tab

The Settings tab covers two areas: core proxy configuration and proxy-level middleware. Core configuration: name, upstream server URL, and gateway assignment. To edit these fields, make your changes and click Save MCP Proxy. The Dashboard triggers a gateway reload automatically. Authentication: the authentication method applied to all inbound requests. Select a method from the Authentication type dropdown. See Authentication for all supported methods and configuration options. Proxy-level middleware: middleware that applies to all requests through this proxy, regardless of which primitive is invoked. The following options are available in the Settings tab: These options map to x-tyk-api-gateway.middleware.global in the proxy definition. For full configuration details, see MCP middleware: proxy level.

Primitives tab

The Primitives tab lists every tool, resource, and prompt you have manually registered for this proxy. Each entry shows the primitive’s name, its type (Tool, Resource, or Prompt), and the number of middleware rules applied to it. Use the type filter and search input to narrow the list. Adding a primitive Click Add Primitive to open the add primitive modal. Select the type (Tool, Resource, or Prompt) and enter the primitive name: this must match the name the upstream MCP server uses when advertising that primitive. Names cannot contain whitespace and must be unique within their type. Adding a primitive creates an entry in x-tyk-api-gateway.middleware.mcpTools, mcpResources, or mcpPrompts (depending on type) in the proxy definition. Adding middleware to a primitive Click a primitive to open its detail view, then click Add Middleware. The following middleware is available for primitives: Each middleware option maps to the corresponding configuration block inside the primitive’s entry in the proxy definition. See MCP middleware for what each option does and how it is configured.

Editing the full definition

The Dashboard UI covers most proxy configuration. To access advanced options not yet exposed in the UI — such as upstream OAuth, per-primitive token exchange overrides, and traffic management — edit the proxy’s MCP OAS definition directly. Open the editor via Actions → View MCP Proxy Definition on the MCP Designer. View MCP Proxy Definition The MCP OAS definition is an OpenAPI 3.0.3 document with an x-tyk-api-gateway vendor extension containing all Tyk-specific configuration. The key sections are: After editing, click Save MCP Proxy to save and redeploy. Changes are applied to all connected gateways automatically.

Common edits after initial setup

Configuring authentication: The proxy is created with bearer token authentication enabled. To switch to a different method, open the Settings tab and select from the Authentication type dropdown. To use the external IdP integration — including scope check, PRM, and token exchange — select OAuth 2.0. See Authentication for all supported methods. Enabling PRM for OAuth discovery: Open the Settings tab, select OAuth 2.0 as the authentication type, and enable the Protected Resource Metadata toggle. Set the resource URL and add at least one authorization server URL. See OAuth 2.0 authentication for full configuration details. Restricting which tools clients can call: Use the Primitives tab: add the tool as a primitive, then add Allow middleware to it. Once any tool in the proxy has an Allow rule, all unlisted tools are blocked. For definition-based configuration, see MCP middleware: access control. Applying rate limits to a specific tool: Use the Primitives tab: open the tool primitive and add Rate Limit middleware. For definition-based configuration, see MCP middleware: traffic management. Configuring upstream OAuth: Add an authentication.oauth.clientCredentials block to x-tyk-api-gateway.upstream to have Tyk obtain and forward OAuth tokens to your upstream MCP server. See MCP Gateway: OAuth 2.1 authentication. Adding CORS or global header transforms: Configure these in the Settings tab under the middleware section. Changes apply to all requests through the proxy. For a complete explanation of every field in the definition, see MCP OAS definition.

Delete an MCP proxy

  1. In the sidebar, click MCP.
  2. Open the proxy you want to delete.
  3. Click Actions → Delete MCP Proxy and confirm.
Deletion removes the proxy definition from the Dashboard and undeploys it from all connected gateways. Associated API keys and policies are not removed automatically; remove the access right from any keys scoped to this proxy, or delete those keys separately.
Deleting an MCP proxy also removes it from any versioning hierarchy it belongs to. If the deleted proxy was a versioned child, the version entry is removed from the base proxy’s definition.