x-tyk-api-gateway vendor extension) and adds the MCP-specific structures that allow Tyk to inspect JSON-RPC traffic and apply middleware at the method and primitive level. This page explains the structure of an MCP API definition, how MCP concepts (primitives, methods, operations) map to it, and which parts of the extension are specific to MCP.
If you are not familiar with Tyk OAS API definitions, read Tyk OAS first. This page focuses on the MCP-specific aspects and assumes knowledge of the base format.
Structure overview
An MCP API definition has two parts that work together:- The OpenAPI specification: Describes the MCP server’s transport endpoints and, optionally, each JSON-RPC method as a documented operation. Tyk uses this to understand the API’s shape and to present it in the Developer Portal.
- The
x-tyk-api-gatewayextension: Contains all gateway configuration: the listen path, upstream URL, authentication, and the middleware maps that govern individual tools, resources, and prompts.
MCP concepts in the definition
Three core MCP concepts shape how you write an MCP API definition: primitives, JSON-RPC methods, and transport endpoints. Understanding them before reading the definition structure makes the configuration decisions much clearer.Primitives
Primitives are the capabilities an MCP server exposes. The MCP specification defines three categories:- Tools: Actions an AI agent can invoke. Each tool has a name, an input schema, and returns a result. For example, a
get-weathertool that accepts a location and returns a forecast. - Resources: Data an AI agent can read. Each resource is identified by a URI (for example,
weather://stations/london). Resources support URI wildcard patterns for template-based access (for example,weather://stations/*). - Prompts: Pre-written instruction templates that shape LLM behavior. Each prompt has a name and accepts arguments that customise the generated content.
x-tyk-api-gateway extension, each primitive category has its own middleware map: mcpTools, mcpResources, and mcpPrompts.
JSON-RPC methods
MCP clients communicate with servers by sending JSON-RPC 2.0 requests. Every request carries amethod field that identifies the operation:
In the
x-tyk-api-gateway extension, you can configure middleware at the method level (applying a rule to every tools/call request regardless of which tool is named) using the middleware.operations map.
Transport endpoints
All MCP traffic flows through a single path (/mcp) that supports two HTTP methods:
POST /mcp: Clients send JSON-RPC messages. The server responds with either a single JSON object or a Server-Sent Events stream.GET /mcp: Clients open a persistent SSE connection for server-initiated messages.
POST /mcp and GET /mcp. Tyk proxies both.
The OpenAPI specification portion
The OpenAPI specification in an MCP API definition documents the server’s HTTP interface. For MCP, this has a standard structure that you can treat as a template.Transport paths
At minimum, thepaths object documents the two transport endpoints:
operationId values (mcpTransportPost, mcpSSEGet) are referenced internally by Tyk for the transport endpoints. These values are fixed; do not change them.
Method paths
In addition to the transport paths, you can document each JSON-RPC method as a separate path. This is optional for gateway operation but makes the API browsable in the Tyk Developer Portal:/mcp/{namespace}/{action}) and the operationId convention ({method}POST) are what tie the OpenAPI spec to the middleware.operations map in the x-tyk-api-gateway extension.
The method paths do not correspond to real HTTP endpoints. All traffic still flows through
POST /mcp. The method paths exist solely for documentation, schema validation, and middleware configuration purposes.The x-tyk-api-gateway extension
Thex-tyk-api-gateway extension contains all gateway configuration. For MCP proxies, it has the same four top-level sections as any Tyk OAS API definition, with MCP-specific content in the middleware section.
info, server, and upstream
Theinfo, server, and upstream sections work identically to a standard Tyk OAS API definition. They configure the API’s identity, its client-facing interface, and its upstream connectivity:
bearerAuth as the security scheme — a simple bearer token check. For full OAuth 2.1 compliance (token validation, scope enforcement, Protected Resource Metadata, and token exchange), use the oauth2 scheme instead. See MCP OAuth 2.1.
The middleware section
Themiddleware section is where MCP OAS definitions diverge from standard Tyk OAS API definitions. It contains the same global block for API-wide middleware, but adds two new concepts: an operations map keyed by JSON-RPC method, and three primitive maps: mcpTools, mcpResources, and mcpPrompts.
global
Global middleware applies to every request on the API. It is configured identically to a standard Tyk OAS API (CORS, traffic logs, header transformations, custom plugins, and so on). There is nothing MCP-specific here.operations: method-level middleware
Theoperations map lets you configure middleware that applies to every invocation of a JSON-RPC method, regardless of which specific primitive is targeted. It is keyed by the operation ID of the method path in the OpenAPI spec, which follows the convention {json-rpc-method}{HTTP-method}:
For example, to rate limit all tool calls at the method level:
tools/call request, whatever tool name appears in params.name. Method-level middleware evaluates before primitive-level middleware.
mcpTools: per-tool middleware
ThemcpTools map configures middleware for individual tools. Each key is the tool name as it appears in the params.name field of a tools/call request:
mcpTools has allow enabled, the entire tools category enters allowlist mode: only the explicitly listed tools are accessible, and all other tool names are rejected. Tools, resources, and prompts are evaluated independently; allowlisting tools does not affect access to resources or prompts.
mcpResources: per-resource middleware
ThemcpResources map configures middleware for individual resources or URI patterns. Each key is matched against the params.uri field of a resources/read request. Keys can be exact URIs or wildcard patterns using *:
mcpPrompts: per-prompt middleware
ThemcpPrompts map configures middleware for individual prompts. Each key is the prompt name as it appears in the params.name field of a prompts/get request:
Middleware precedence
When a request arrives, Tyk evaluates middleware in this order:- Global middleware: Applies to all requests on the API.
- Operation middleware (
operations): Applies to all requests for the matched JSON-RPC method. - Primitive middleware (
mcpTools,mcpResources, ormcpPrompts): Applies to the specific named tool, resource, or prompt. Scope check (scopeCheck) and token exchange (exchange) run at this level — scope check validates the inbound token’s scopes against the primitive’ssecurity:requirements, and token exchange replaces theAuthorizationheader before the request reaches the upstream. - Upstream proxy: The modified request is forwarded to the upstream MCP server.
tools/call request to execute-query must pass global middleware, then the tools/callPOST operation middleware, then the execute-query primitive middleware, in that order. If any level rejects the request, processing stops and Tyk returns a JSON-RPC error to the client.
All three middleware levels apply to all consumers of the proxy. For per-consumer control (different rate limits or tool access for different API keys), use security policies. Policies introduce a five-level rate limit hierarchy (including per-consumer primitive rate limits) and primitive allow/block lists that are evaluated independently for each consumer key. See MCP proxy policies for details.
A complete example
The following definition configures a weather MCP proxy with bearer token authentication, method-level and tool-level rate limiting, resource caching, and a prompt allowlist.- The API listens on
/weather/and proxies tohttps://weather-mcp.example.com. Clients connect to{gateway_host}/weather/mcp. - Bearer token authentication is required on all requests.
- All
tools/callrequests are rate limited to 500 per minute at the method level. - Only two tools are accessible (
get-weatherandget-forecast). Any other tool name is rejected. Each tool has its own tighter rate limit. - Resources matching
weather://stations/*are accessible. - Only the
weather-summaryprompt is accessible. - Traffic logs are enabled for all requests.
bearerAuth for simplicity. For full OAuth 2.1 compliance — including token validation against an external IdP, per-primitive scope enforcement, Protected Resource Metadata, and RFC 8693 token exchange — replace bearerAuth with the oauth2 scheme. See MCP OAuth 2.1 for a complete worked example.
Supported MCP spec features
The following table documents which MCP protocol capabilities Tyk currently implements and how each maps to the proxy definition.
MCP specification version: Tyk implements the
2025-11-25 revision of the MCP specification.