Admin Panel
The MCP Gateway includes an optional web-based admin panel for monitoring, configuration, and security management. Access it at http://localhost:8989/admin when the gateway is running.
The admin panel requires the admin feature to be enabled at compile time. The database feature adds user authentication, API keys, and audit logging.
Authentication
Localhost Access
By default, connections from 127.0.0.1 or ::1 (localhost) require no authentication. This provides a frictionless experience for local development.
Remote Access
When accessing from a remote machine, authentication is required:
| Method | Use Case | How It Works |
|---|---|---|
| Session Cookie | Web UI access | Login with username/password, cookie valid 24 hours |
| API Key | Programmatic access | Bearer token in Authorization header |
First-Run Setup
On first access to a fresh gateway, create an initial admin user:
POST /admin/api/auth/setup
Content-Type: application/json
{
  "username": "admin",
  "password": "your-secure-password"
}
Dashboard Features
Real-Time Status
The dashboard shows:
- Gateway uptime and version
- Active connections/sessions
- Total request count and error rate
- Memory and CPU usage
- Configured and running servers count
Server Management
| Action | Description |
|---|---|
| View Status | See which servers are running, idle, or crashed |
| Start/Stop | Manually start or stop server processes |
| Restart | Stop and respawn a server process |
| View Logs | See recent stdout/stderr from the server |
| Reset Circuit Breaker | Re-enable a server disabled due to repeated failures |
Session Management
- See connected terminals/clients
- View connection duration and last activity
- Disconnect problematic sessions
- Block sessions or IPs
Configuration
View current configuration. Changes are made by editing the YAML file and triggering hot reload:
# Via CLI
mcpg reload
# Via API
POST /admin/api/config/reload
User Management
User management is only available when compiled with the database feature.
Roles
| Role | Permissions |
|---|---|
| admin | Full access: create users, manage API keys, view audit logs, configure servers |
| readonly | View-only: see status, metrics, logs but cannot make changes |
User Operations
# List users
GET /admin/api/users
# Create user
POST /admin/api/users
{"username": "newuser", "password": "secure", "role": "readonly"}
# Change password
PUT /admin/api/users/{id}/password
{"new_password": "new-secure-password"}
# Deactivate user
DELETE /admin/api/users/{id}
API Keys
Create API keys for programmatic access:
POST /admin/api/api-keys
{
  "name": "CI Pipeline",
  "permissions": ["tools:call", "resources:read"],
  "rate_limit": 100,
  "expires_in_days": 90
}
The response includes the secret. Save it immediately:
{
  "api_key": {"id": "abc123", "name": "CI Pipeline"},
  "secret": "mcp_abc123...",
  "warning": "Save this secret now - it cannot be retrieved later!"
}
Permissions
| Permission | Allows |
|---|---|
| * | Full access to all operations |
| tools:call | Execute tools on backend servers |
| tools:list | List available tools |
| resources:read | Read resources from servers |
| prompts:get | Get prompts from servers |
| admin:read | View admin dashboard data |
| admin:write | Modify configuration and settings |
Revoking Keys
DELETE /admin/api/api-keys/{id}
Audit Log
Tracks security-relevant events:
| Event | Description |
|---|---|
| login / login_failed | Login attempts |
| logout | User logout |
| user_created / user_deactivated | User changes |
| password_changed | Password updates |
| api_key_created / api_key_revoked | API key lifecycle |
| config_updated | Configuration changes |
| server_installed / server_removed | Catalog changes |
Querying
GET /admin/api/audit?limit=100
{
  "entries": [
    {
      "timestamp": "2024-01-15T10:30:00Z",
      "action": "login",
      "actor_id": "user-123",
      "ip_address": "192.168.1.100",
      "success": true
    }
  ]
}
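One way to review failed logins in the audit response above: an added example, not part of the gateway's own code, that flags addresses with a burst of failed logins and notes whether a successful login followed. The sample entries are constructed, the function names and thresholds are illustrative, and it assumes a failure appears as action login_failed (or login with success false).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _entry(ts, action, ip, ok):
    # Same fields as the audit response shown above.
    return {"timestamp": ts, "action": action, "actor_id": "user-123",
            "ip_address": ip, "success": ok}

# Constructed sample data (documentation address ranges), not real gateway output.
SAMPLE_AUDIT = json.dumps({"entries": [
    _entry("2024-01-15T10:32:00Z", "login_failed", "203.0.113.7", False),
    _entry("2024-01-15T09:00:00Z", "login_failed", "198.51.100.20", False),
    _entry("2024-01-15T10:30:00Z", "login_failed", "203.0.113.7", False),
    _entry("2024-01-15T10:00:00Z", "login", "192.168.1.100", True),
    _entry("2024-01-15T10:30:40Z", "login_failed", "203.0.113.7", False),
    _entry("2024-01-15T09:30:00Z", "login_failed", "198.51.100.20", False),
    _entry("2024-01-15T10:31:10Z", "login_failed", "203.0.113.7", False),
    _entry("2024-01-15T10:33:00Z", "login", "203.0.113.7", True),
]})

def parse_ts(value):
    # Timestamps end in "Z"; rewrite it so fromisoformat works on Python < 3.11 too.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_failed_login(entry):
    # Assumption: a failure is action "login_failed", or "login" with success == false.
    action = entry.get("action")
    return action == "login_failed" or (action == "login" and entry.get("success") is False)

def flag_failed_logins(audit_json, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "then_success": bool}} for every address with
    at least `threshold` failed logins inside one sliding `window`."""
    entries = sorted(json.loads(audit_json)["entries"], key=lambda e: parse_ts(e["timestamp"]))
    recent = defaultdict(list)  # ip -> failure times still inside the window
    flagged = {}
    for e in entries:
        ip, ts = e.get("ip_address"), parse_ts(e["timestamp"])
        if is_failed_login(e):
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                hit = flagged.setdefault(ip, {"failures": 0, "then_success": False})
                hit["failures"] = max(hit["failures"], len(recent[ip]))
        elif e.get("action") == "login" and e.get("success") and ip in flagged:
            # A success from an already-flagged address deserves a closer look.
            flagged[ip]["then_success"] = True
    return flagged

if __name__ == "__main__":
    print(flag_failed_logins(SAMPLE_AUDIT))
```

Entries are sorted by timestamp before scanning, so the result does not depend on the order in which the audit endpoint returns them.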
API Reference
All admin endpoints are prefixed with /admin/api:
| Endpoint | Method | Description |
|---|---|---|
| /auth/status | GET | Check auth status |
| /auth/setup | POST | First-run setup |
| /auth/login | POST | Login |
| /auth/logout | POST | Logout |
| /status | GET | Gateway status and metrics |
| /processes | GET | List server processes |
| /sessions | GET | List MCP client sessions |
| /config/reload | POST | Hot reload configuration |
| /users | GET/POST | List/create users |
| /api-keys | GET/POST | List/create API keys |
| /audit | GET | Query audit log |
| /catalog/install | POST | Install server from catalog |
Security Best Practices
- Strong passwords: Gateway uses Argon2id hashing
- Rotate API keys: Set expiration dates, rotate periodically
- Monitor audit log: Review failed logins and unusual activity
- Restrict remote access: Keep gateway bound to localhost if remote admin isn't needed