Every system you run.
One gateway. Any AI agent.
PlugMCP turns your REST, SOAP, OData (SAP), GraphQL, SQL and file systems into governed Model Context Protocol tools — scoped keys, human approvals and a full audit trail between your agents and your infrastructure.
Your systems already describe themselves.
We just speak their language.
OpenAPI specs, WSDLs, GraphQL schemas, database catalogs — machine-readable descriptions of everything an agent could do. PlugMCP translates them into MCP. No code, no wrappers.
Import a spec — or paste a connection string
OpenAPI 3.x, WSDL 1.1, GraphQL introspection, Postgres/MySQL/SQLite. Or pick one of 417 catalog connectors.
# or point at any spec URL importing acme-crm… ✓ 19 operations → 19 tools
Mint scoped keys, set the rules
Per-connector allowlists, read-only scopes, human approval for writes. Credentials AES-256-GCM encrypted — agents never see them.
key: claude-desktop scope: acme-crm · read-only writes: require approval
One endpoint for every agent
Claude, ChatGPT, Cursor, Gemini, Copilot — anything that speaks MCP connects to one governed URL.
https://gw.you.io/mcp Authorization: Bearer pmcp_… ✓ connected
An agent, your ERP, and a human
exactly where one belongs.
crm_flag_account is a write — waiting for human approval…✓ approved by anna@opsevery call scoped · budgeted · audited — the write waited for a human click
This is the actual product.
Not a mockup.
The dashboard your team gets — one governed home for every agent, every system, every call.
Your legacy stack, MCP-ready.
No other gateway does this.
The VC-funded competition connects Gmail and Slack. Your value lives in SAP, an ERP from 2009 and a folder of nightly CSV exports. PlugMCP translates the protocols enterprises actually run:
OData — SAP, Dynamics, SharePoint
Point at a service root; PlugMCP reads $metadata (v2 & v4) and generates list/get tools with $filter/$select/$top — writes opt-in, behind approval. No BTP project, no per-service server.
SOAP / WSDL
WSDL 1.1 document/literal — the dialect of SAP, .NET/WCF and Java backends. Agents send JSON; the gateway builds envelopes and parses responses.
File drops & CSV exports
The oldest interface there is: a folder the nightly job writes into. List files, read them (CSV auto-parsed — comma, semicolon, tab), run SQL over any CSV. Read-only, traversal-safe, audited.
Four SQL dialects
PostgreSQL, MySQL/MariaDB, SQLite and Microsoft SQL Server (beta). Read-only by default; writes are guarded and approval-gated.
REST & GraphQL too
OpenAPI 3.x import and GraphQL introspection round out the modern half — one gateway, every interface generation since 2000.
Same governance everywhere
Whether the call hits S/4HANA or a CSV: scoped keys, budgets, approvals for writes, audit log, OpenTelemetry. One rulebook for every system.
Governance is the product,
not an afterthought.
Every protocol in
REST (OpenAPI 3.x), SOAP (WSDL 1.1 — where the enterprise data lives), GraphQL and SQL. One import each.
Works with claude.ai & ChatGPT
Built-in OAuth per the MCP spec: add PlugMCP as a remote connector in claude.ai or ChatGPT, approve with an API key, done. Desktop clients connect with a bearer header.
Human-in-the-loop writes
Write calls wait for a human click before they execute. The agent blocks politely; you stay in control.
No context flooding
Compact search surface instead of 300 schemas; oversized responses become pageable via fetch_result instead of flooding the context window.
Scoped keys with budgets
Per-connector allowlists, per-tool on/off, read-only flags, daily call budgets, expiry dates — and per-key upstream credentials, so every agent acts as itself.
Audit everything
Every call, caller, latency and result — queryable log, CSV export, retention policies, Prometheus /metrics and OpenTelemetry traces.
Virtual MCP servers
Bundle connectors into named endpoints — /mcp/sales, /mcp/support — one server per team instead of one endpoint for everything.
Playbooks
Write down how your systems should be used; agents get it as prompt & resource. Institutional knowledge, not tribal knowledge.
417 ready connectors
Generated from vendors' own public specs, each quality-gated to import into working tools. GitHub, Stripe, Trello, Telegram…
One binary. Your server. No dependencies.
# single ~17 MB binary — SQLite & web UI embedded $ ./plugmcp ✓ PlugMCP listening on :8080 — admin UI ready # or Docker, or the full TLS production stack: $ docker compose up -d # deploy/ — Caddy + auto-HTTPS ✓ https://gw.your-domain.io live
Fully functional offline. No license key. No telemetry. The deploy kit takes you from zero to a TLS-secured instance on a €4/month server in ~20 minutes.
Agents are interns with root.
Give them a supervisor.
- ✓Read-only by defaultSQL connectors ship SELECT-only tools with row limits and timeouts. DDL is blocked outright.
- ✓Approval gate for writesEach write can require a human decision — with full argument visibility before anything executes.
- ✓SSRF guard & rate limitsConnectors can't reach internal networks unless allowed; per-key token buckets stop runaway loops.
- ✓Multi-tenant orgsOrganizations as tenants, users with roles, org-scoped keys — one instance, clean separation.
Free where it should be. Simple where it costs.
The self-hosted gateway is the full product, forever. Pay only when you need the AGPL lifted — or someone on the hook.
- The complete gateway — nothing gated, ever
- Unlimited connectors, servers, users
- No license key, no phone-home
- Community support on GitHub
- Commercial license — no AGPL copyleft obligations
- Modify, embed & integrate without source disclosure
- Proper invoice for procurement, VAT handled
- Priority on your GitHub issues
- Per-instance commercial licensing at scale
- OEM / embedding terms
- Support with SLA, architecture reviews
- A quote, not a discovery-call funnel
Prefer not to host anything? PlugMCP Cloud starts free — paid plans from €19/month.
Run it yourself. We've got your back.
PlugMCP is 100% AGPL — companies can self-host it freely. Three offers for when free isn't the point:
Commercial license
Your legal team wary of AGPL's network copyleft? A commercial license removes every copyleft obligation — embed, modify, integrate without disclosure. Per production instance, per year.
Support & SLA
A named contact, guaranteed response times, priority fixes and upgrade guidance for your self-hosted gateway. Monthly, cancel anytime.
Implementation
We connect your SAP, ERP or legacy stack to your AI agents — governed, audited, production-ready. Fixed-scope projects, typically two weeks.
Where PlugMCP wins — and where it doesn't.
| PlugMCP | SaaS MCP platforms Composio & co. |
Hand-written MCP servers | |
|---|---|---|---|
| SaaS apps (Gmail, Slack, Notion…) | 417 via public specs | ✓ 1,000+ managed — their home turf | one per service, DIY |
| SOAP / OData (SAP, Dynamics) / CSV drops | ✓ built in — unique | — | weeks of work each |
| SQL databases | ✓ 4 dialects, guarded | — | DIY, usually unguarded |
| Your data & credentials | ✓ stay inside your firewall | flow through their cloud | ✓ yours |
| Approvals, budgets, audit | ✓ one rulebook for everything | platform-dependent | rebuild per server |
| claude.ai / ChatGPT remote connector | ✓ built-in OAuth | ✓ | DIY OAuth server |
| Pricing | free self-hosted (AGPL) | per tool call — loops get expensive | free + your engineering time |
| Phone-home / lock-in | none, ever | by design | ✓ none |
If your agents mainly need Gmail and Slack, a SaaS platform is a fine choice. The moment they need your systems, you're in PlugMCP territory.
Questions engineers actually ask
What is an MCP gateway?
It sits between AI agents (Claude, ChatGPT, Cursor) and your existing systems: it translates REST, SOAP, GraphQL and SQL interfaces into Model Context Protocol tools, adds authentication, access control and auditing — one governed endpoint instead of dozens of ad-hoc MCP servers.
How do I convert an OpenAPI spec to MCP tools?
Upload the OpenAPI 3.x document (JSON or YAML) or point PlugMCP at its URL. Every operation becomes an agent-ready MCP tool with parameter schemas, auth injection and read/write classification — no code. Full guide →
How do I connect my SQL database to Claude?
Paste a Postgres/MySQL/SQLite connection string. Agents get three safe read-only tools — list tables, describe table, SELECT queries — with limits, timeouts and audit. Writes are opt-in behind approval. Full guide →
How does PlugMCP prevent MCP tool overload?
Past a configurable threshold, agents see a compact search surface (search_tools, describe_tool, call_tool) instead of hundreds of schemas. Curated tools stay natively visible; oversized responses are capped with hints.
Is it really free and open source?
Yes — the entire repository is AGPL-3.0. No open-core split, no license keys, no phone-home. Commercial licenses without copyleft obligations exist for OEM/embedding.
Does it work with ChatGPT and Cursor too?
Yes. PlugMCP speaks standard MCP over streamable HTTP — any MCP-compatible client connects: Claude Desktop and Claude Code, ChatGPT, Cursor, Gemini, Copilot and more.
Can I connect SAP to Claude or ChatGPT?
Yes. SAP Gateway and S/4HANA speak OData — give PlugMCP the service root and it imports $metadata itself: every entity set becomes list/get tools with $filter/$select/$top, writes are opt-in behind human approval. Same for Dynamics 365 and SharePoint. Full guide →
How do I connect PlugMCP to claude.ai?
Add your gateway's URL as a remote connector — PlugMCP implements the MCP authorization spec (OAuth 2.1 with dynamic client registration and PKCE). claude.ai opens PlugMCP's consent page, you paste an API key, and the connection gets exactly that key's permissions. Revoke the key to disconnect the client.