Open source · AGPL-3.0 · one binary · no phone-home

Every system you run.
One gateway. Any AI agent.

PlugMCP turns your REST, SOAP, OData (SAP), GraphQL, SQL and file systems into governed Model Context Protocol tools — scoped keys, human approvals and a full audit trail between your agents and your infrastructure.

MCP · STREAMABLE HTTP REST APIs SOAP / WSDL GraphQL OData · SAP SQL databases CSV exports PlugMCP GATEWAY AUTH·KEYS APPROVALS·AUDIT Claude ChatGPT Cursor Gemini Copilot
◂ your systems — every protocol one governed gateway your agents — one protocol ▸
0ready connectors
0agent-ready tools
1binary, ~17 MB
100%AGPL open source
how it works

Your systems already describe themselves.
We just speak their language.

OpenAPI specs, WSDLs, GraphQL schemas, database catalogs — machine-readable descriptions of everything an agent could do. PlugMCP translates them into MCP. No code, no wrappers.

01 / CONNECT

Import a spec — or paste a connection string

OpenAPI 3.x, WSDL 1.1, GraphQL introspection, Postgres/MySQL/SQLite. Or pick one of 417 catalog connectors.

# or point at any spec URL
importing acme-crm…
✓ 19 operations → 19 tools
02 / GOVERN

Mint scoped keys, set the rules

Per-connector allowlists, read-only scopes, human approval for writes. Credentials AES-256-GCM encrypted — agents never see them.

key: claude-desktop
scope: acme-crm · read-only
writes: require approval
03 / CONNECT AGENTS

One endpoint for every agent

Claude, ChatGPT, Cursor, Gemini, Copilot — anything that speaks MCP connects to one governed URL.

https://gw.you.io/mcp
Authorization: Bearer pmcp_…
✓ connected
what it feels like

An agent, your ERP, and a human
exactly where one belongs.

claude.ai — connected to PlugMCP via /mcp
Which customers have overdue invoices above €10k? Flag the worst one for collections.
erp_query SELECT customer, SUM(amount) … WHERE due < date('now') GROUP BY … ✓ 214 ms
salesorders_list $filter=Customer eq 'NORDWIND AG' & $top=5 ✓ 187 ms
crm_flag_account is a write — waiting for human approval…✓ approved by anna@ops
crm_flag_account {"account":"NORDWIND AG","flag":"collections"} ✓ 96 ms
Three customers are over the €10k threshold. NORDWIND AG is the worst at €38,400 across 4 invoices (oldest: 62 days). I've flagged the account for collections — approved by anna@ops. Full breakdown below.

every call scoped · budgeted · audited — the write waited for a human click

see it in action

This is the actual product.
Not a mockup.

The dashboard your team gets — one governed home for every agent, every system, every call.

app.plugmcp.io
PlugMCP overview dashboard — calls, error rate, p95 latency, pending approvals, recent agent activity
the approval moment
A write call from an agent waiting for human approval, with structured arguments
An agent wants to write. It waits — until a human clicks.
every tool, inspectable
Tool detail drawer with description and parameter schema
Every generated tool with its full parameter schema.
the systems everyone else ignores

Your legacy stack, MCP-ready.
No other gateway does this.

The VC-funded competition connects Gmail and Slack. Your value lives in SAP, an ERP from 2009 and a folder of nightly CSV exports. PlugMCP translates the protocols enterprises actually run:

OData — SAP, Dynamics, SharePoint

Point at a service root; PlugMCP reads $metadata (v2 & v4) and generates list/get tools with $filter/$select/$top — writes opt-in, behind approval. No BTP project, no per-service server.

SOAP / WSDL

WSDL 1.1 document/literal — the dialect of SAP, .NET/WCF and Java backends. Agents send JSON; the gateway builds envelopes and parses responses.

File drops & CSV exports

The oldest interface there is: a folder the nightly job writes into. List files, read them (CSV auto-parsed — comma, semicolon, tab), run SQL over any CSV. Read-only, traversal-safe, audited.

Four SQL dialects

PostgreSQL, MySQL/MariaDB, SQLite and Microsoft SQL Server (beta). Read-only by default; writes are guarded and approval-gated.

REST & GraphQL too

OpenAPI 3.x import and GraphQL introspection round out the modern half — one gateway, every interface generation since 2000.

Same governance everywhere

Whether the call hits S/4HANA or a CSV: scoped keys, budgets, approvals for writes, audit log, OpenTelemetry. One rulebook for every system.

built for production

Governance is the product,
not an afterthought.

Every protocol in

REST (OpenAPI 3.x), SOAP (WSDL 1.1 — where the enterprise data lives), GraphQL and SQL. One import each.

Works with claude.ai & ChatGPT

Built-in OAuth per the MCP spec: add PlugMCP as a remote connector in claude.ai or ChatGPT, approve with an API key, done. Desktop clients connect with a bearer header.

Human-in-the-loop writes

Write calls wait for a human click before they execute. The agent blocks politely; you stay in control.

No context flooding

Compact search surface instead of 300 schemas; oversized responses become pageable via fetch_result instead of flooding the context window.

Scoped keys with budgets

Per-connector allowlists, per-tool on/off, read-only flags, daily call budgets, expiry dates — and per-key upstream credentials, so every agent acts as itself.

Audit everything

Every call, caller, latency and result — queryable log, CSV export, retention policies, Prometheus /metrics and OpenTelemetry traces.

Virtual MCP servers

Bundle connectors into named endpoints — /mcp/sales, /mcp/support — one server per team instead of one endpoint for everything.

Playbooks

Write down how your systems should be used; agents get it as prompt & resource. Institutional knowledge, not tribal knowledge.

417 ready connectors

Generated from vendors' own public specs, each quality-gated to import into working tools. GitHub, Stripe, Trello, Telegram…

self-hosted in minutes

One binary. Your server. No dependencies.

you@your-server
# single ~17 MB binary — SQLite & web UI embedded
$ ./plugmcp
✓ PlugMCP listening on :8080 — admin UI ready

# or Docker, or the full TLS production stack:
$ docker compose up -d        # deploy/ — Caddy + auto-HTTPS
✓ https://gw.your-domain.io live 

Fully functional offline. No license key. No telemetry. The deploy kit takes you from zero to a TLS-secured instance on a €4/month server in ~20 minutes.

the moment that matters

Agents are interns with root.
Give them a supervisor.

  • Read-only by defaultSQL connectors ship SELECT-only tools with row limits and timeouts. DDL is blocked outright.
  • Approval gate for writesEach write can require a human decision — with full argument visibility before anything executes.
  • SSRF guard & rate limitsConnectors can't reach internal networks unless allowed; per-key token buckets stop runaway loops.
  • Multi-tenant orgsOrganizations as tenants, users with roles, org-scoped keys — one instance, clean separation.
⏸ PENDING APPROVALjust now
agentclaude · my-first-agent
toolcreateCustomer (write)
args{"name":"Hooli GmbH","plan":"team"}
✓ executed after approvalaudit #4821
pricing

Free where it should be. Simple where it costs.

The self-hosted gateway is the full product, forever. Pay only when you need the AGPL lifted — or someone on the hook.

Self-hosted
€0
forever · AGPL-3.0
  • The complete gateway — nothing gated, ever
  • Unlimited connectors, servers, users
  • No license key, no phone-home
  • Community support on GitHub
Download on GitHub
Small business license
€490
per year · companies up to 50 people · self-serve
  • Commercial license — no AGPL copyleft obligations
  • Modify, embed & integrate without source disclosure
  • Proper invoice for procurement, VAT handled
  • Priority on your GitHub issues
key issued & emailed automatically after payment
Enterprise
Custom
larger orgs · OEM · SLA
  • Per-instance commercial licensing at scale
  • OEM / embedding terms
  • Support with SLA, architecture reviews
  • A quote, not a discovery-call funnel
Talk to us

Prefer not to host anything? PlugMCP Cloud starts free — paid plans from €19/month.

for companies

Run it yourself. We've got your back.

PlugMCP is 100% AGPL — companies can self-host it freely. Three offers for when free isn't the point:

§

Commercial license

Your legal team wary of AGPL's network copyleft? A commercial license removes every copyleft obligation — embed, modify, integrate without disclosure. Per production instance, per year.

Support & SLA

A named contact, guaranteed response times, priority fixes and upgrade guidance for your self-hosted gateway. Monthly, cancel anytime.

Implementation

We connect your SAP, ERP or legacy stack to your AI agents — governed, audited, production-ready. Fixed-scope projects, typically two weeks.

an honest comparison

Where PlugMCP wins — and where it doesn't.

PlugMCP SaaS MCP platforms
Composio & co.
Hand-written MCP servers
SaaS apps (Gmail, Slack, Notion…)417 via public specs✓ 1,000+ managed — their home turfone per service, DIY
SOAP / OData (SAP, Dynamics) / CSV drops✓ built in — uniqueweeks of work each
SQL databases✓ 4 dialects, guardedDIY, usually unguarded
Your data & credentials✓ stay inside your firewallflow through their cloud✓ yours
Approvals, budgets, audit✓ one rulebook for everythingplatform-dependentrebuild per server
claude.ai / ChatGPT remote connector✓ built-in OAuthDIY OAuth server
Pricingfree self-hosted (AGPL)per tool call — loops get expensivefree + your engineering time
Phone-home / lock-innone, everby design✓ none

If your agents mainly need Gmail and Slack, a SaaS platform is a fine choice. The moment they need your systems, you're in PlugMCP territory.

faq

Questions engineers actually ask

What is an MCP gateway?

It sits between AI agents (Claude, ChatGPT, Cursor) and your existing systems: it translates REST, SOAP, GraphQL and SQL interfaces into Model Context Protocol tools, adds authentication, access control and auditing — one governed endpoint instead of dozens of ad-hoc MCP servers.

How do I convert an OpenAPI spec to MCP tools?

Upload the OpenAPI 3.x document (JSON or YAML) or point PlugMCP at its URL. Every operation becomes an agent-ready MCP tool with parameter schemas, auth injection and read/write classification — no code. Full guide →

How do I connect my SQL database to Claude?

Paste a Postgres/MySQL/SQLite connection string. Agents get three safe read-only tools — list tables, describe table, SELECT queries — with limits, timeouts and audit. Writes are opt-in behind approval. Full guide →

How does PlugMCP prevent MCP tool overload?

Past a configurable threshold, agents see a compact search surface (search_tools, describe_tool, call_tool) instead of hundreds of schemas. Curated tools stay natively visible; oversized responses are capped with hints.

Is it really free and open source?

Yes — the entire repository is AGPL-3.0. No open-core split, no license keys, no phone-home. Commercial licenses without copyleft obligations exist for OEM/embedding.

Does it work with ChatGPT and Cursor too?

Yes. PlugMCP speaks standard MCP over streamable HTTP — any MCP-compatible client connects: Claude Desktop and Claude Code, ChatGPT, Cursor, Gemini, Copilot and more.

Can I connect SAP to Claude or ChatGPT?

Yes. SAP Gateway and S/4HANA speak OData — give PlugMCP the service root and it imports $metadata itself: every entity set becomes list/get tools with $filter/$select/$top, writes are opt-in behind human approval. Same for Dynamics 365 and SharePoint. Full guide →

How do I connect PlugMCP to claude.ai?

Add your gateway's URL as a remote connector — PlugMCP implements the MCP authorization spec (OAuth 2.1 with dynamic client registration and PKCE). claude.ai opens PlugMCP's consent page, you paste an API key, and the connection gets exactly that key's permissions. Revoke the key to disconnect the client.

ready when you are

Plug your systems into AI.
Today.