The three provisioning modes
For each server on a gateway, and independently for tools, prompts, and resources, you pick one of three schemes from a dropdown:- Allowing all (shown as Allowing all tools, Allowing all resources, or Allowing all prompts) — every capability of that type passes through. This is the scheme a server gets when you first assign it to a gateway.
- Allow if conditions are met — only capabilities matching an explicit allowlist pass; everything else is hidden and uncallable. This is least privilege in practice.
- Blocking all (shown as Blocking all tools, and so on) — no capability of that type is exposed.
Preview a server’s tools with an identity
To choose which tools to allow, MCP Manager shows you the server’s live feature list. Because a server can return a different set of tools to different identities, you first pick an identity to preview against — your own, or a shared one. MCP Manager fetches the tools that identity can see, so you select from the real, current list rather than guessing. (Picking the identity to preview is also where you set the server’s identity scheme — per-user or shared.)Provision the tools you want
Open the server on the gateway
Pick an identity to preview
Choose Allow if conditions are met for tools
Add each tool you want
Choose which fields must match
Set prompts and resources, then save
Pinning a tool by its metadata
Each allowed tool is admitted only if it matches the fields you chose, exactly. How tightly you pin is a deliberate trade-off:- Match on name only to tolerate the vendor improving a tool’s description over time.
- Match on name and description to freeze exactly the wording you reviewed — so if the description later changes, the tool no longer matches and is dropped rather than reaching the model with new, unreviewed text.
Filter and gate by tool type
MCP tools can carry annotations — behavioral hints the upstream server attaches to a tool, such as whether it only reads data or might delete it. MCP Manager surfaces those hints as a tool’s tool type and lets you use them in two ways: to filter the lists you provision from, and to gate an allowlist condition. Every tool’s annotations appear in a Tool type column on the Available, Provisioned, and Conditions tabs. Each reported annotation shows as an icon — its -off variant when the value isfalse — and annotations the server didn’t report are left out. Hover any icon for a tooltip stating that annotation’s value, such as Read-only is true. The four hints are independent — a tool can be read-only and open-world at once — so each renders on its own.
Filter the list by tool type
On the Available, Provisioned, and Conditions tabs, open Filter by tool type to narrow which rows are shown. The dropdown has one section per annotation — Read-only, Destructive, Idempotent, and Open world — and within each you can check is true, is false, and/or is unknown. Select all and Deselect all toggle every box at once.- The checks are combined with OR, across every section: a row is shown if it matches any box you’ve checked. With nothing checked, everything is shown — the trigger reads “Filter by tool type”; check one box and it reads “Filtering by 1 annotation”, more than one and it reads “Filtering by N annotations”.
- is unknown matches tools whose server didn’t report that annotation — a state distinct from
trueorfalse. - The same filter sits on all three tabs and shares one selection: it narrows the Available and Provisioned lists of tools, and on the Conditions tab it narrows the allowlist rules to those that gate on the annotations you’ve checked.
- The filter composes with the search box, so you can stack a Destructive is true filter on top of a name search to scan, say, every delete-style tool on a large server.
- Filtering applies to tools only. Prompts and resources don’t carry these hints, so the control doesn’t appear for them.
Gate an allowlist on tool type
A condition is an allowlist entry that admits tools by a rule rather than by naming a single tool — it lives on the Conditions tab next to the tools you’ve pinned by name. When you add one, you can constrain it on annotations alongside name, title, and description. Each annotation offers is true, is false, is unknown, or No value — and No value is the default, meaning “don’t constrain on this annotation.” A single condition combines its constraints with AND: a tool matches only if it satisfies every field you set. So Read-only is true on its own admits every tool the server marks read-only, without your naming each one; add Open world is false to the same condition and it narrows to tools that are both read-only and closed-world. The allowlist as a whole combines its entries with OR: a tool is exposed if it matches any entry — any tool pinned by name, or any condition. That lets you pair a broad rule (“all read-only tools”) with specific pins (“plus these three write tools I reviewed”) on the same server. The filter and a condition use opposite logic by design: the filter casts a wide net with OR so you can eyeball several types at once, while a condition tightens with AND so one rule can be precise. is unknown in a condition gates to tools whose server didn’t report that hint — a way to single out or quarantine unannotated tools, distinct fromtrue or false. Identical conditions are de-duplicated, so adding the same rule twice is a no-op. However you build it, a condition is enforced like any other allowlist entry: non-matching tools are filtered out of what clients see, and a direct call to one is blocked — see What clients see, and how it’s logged.
What each annotation means, and how far to trust it
The four annotations come straight from the Model Context Protocol tool specification. When a server sets one totrue, it means:
Turn off prompts and resources you don’t need
Tools aren’t the only feature type a server can expose. If a gateway doesn’t need a server’s prompts or resources, set those types to Block all to remove them entirely — fewer features means less context, lower cost, and a smaller surface.What clients see, and how it’s logged
gateway_feature_filtered, and a direct call to a disallowed capability is logged as gateway_feature_blocked. That lets you confirm what a gateway exposes and catch the moment a previously-passing tool stops matching — for example, when an upstream server renames or rewrites it.
Further reading
Feature Governance
Curating exposed tools
Identity Controls
Viewing Logs
gateway_feature_filtered and gateway_feature_blocked log types.
