Deployment Guide
This guide covers deployment options, agent configuration, and production recommendations for both Mitrity Gateway and Mitrity MCP Sidecar.
System Requirements
Mitrity Gateway
| Resource | Minimum | Recommended |
|---|---|---|
| Architecture | 64-bit (amd64 or arm64) | amd64 |
| OS | Linux (kernel 4.14+) | Linux (kernel 5.10+) |
| Memory | 64 MB | 256 MB |
| Disk | 10 MB (binary) | 50 MB (with model cache) |
| Network | Outbound HTTPS to control plane | Outbound HTTPS + gRPC |
| CPU | 0.1 vCPU | 0.5 vCPU |
Mitrity Gateway handles concurrent MCP connections, tool routing, credential management, and ML inference. For production workloads with many agents, allocate additional memory and CPU based on expected request volume.
Mitrity MCP Sidecar
| Resource | Minimum | Recommended |
|---|---|---|
| Architecture | 64-bit (amd64 or arm64) | amd64 |
| OS | Linux, macOS, Windows | Linux or macOS |
| Memory | 30 MB | 64 MB |
| Disk | 10 MB (binary) | 30 MB (with model cache) |
| Network | Outbound HTTPS to control plane | Outbound HTTPS + gRPC |
| CPU | 0.05 vCPU | 0.1 vCPU |
Mitrity MCP Sidecar is a lightweight stdio wrapper. It does not run an HTTP server or handle network connections, so its resource requirements are minimal.
Deploying Mitrity Gateway
Docker container
The recommended option for most environments. Official images are published to GitHub Container Registry:
docker run -d \
--name mitrity-gateway \
--restart unless-stopped \
-v /path/to/mitrity-gateway.yaml:/etc/mitrity/config.yaml \
ghcr.io/mitrity-io/mitrity-mcp-gateway:latest
The image is built from a distroless base with no shell, no package manager, and no unnecessary system libraries. Debug symbols are stripped.
Standalone binary
Download the pre-built binary for your platform:
# Linux (amd64)
curl -Lo mitrity-gateway \
https://releases.mitrity.com/mcp-gateway/latest/mitrity-mcp-gateway-linux-amd64
# Linux (arm64)
curl -Lo mitrity-gateway \
https://releases.mitrity.com/mcp-gateway/latest/mitrity-mcp-gateway-linux-arm64
chmod +x mitrity-gateway
# Run with a config file
./mitrity-gateway --config /etc/mitrity/mitrity-gateway.yaml
systemd service
For bare-metal or VM deployments, install Mitrity Gateway as a systemd service:
sudo mv mitrity-gateway /usr/local/bin/
sudo useradd --system --no-create-home mitrity
sudo mkdir -p /etc/mitrity
# Place your config file
sudo cp mitrity-gateway.yaml /etc/mitrity/config.yaml
sudo chown mitrity:mitrity /etc/mitrity/config.yaml
sudo chmod 600 /etc/mitrity/config.yaml
# Create the systemd unit
sudo tee /etc/systemd/system/mitrity-gateway.service << EOF
[Unit]
Description=Mitrity Gateway
After=network-online.target
[Service]
Type=simple
User=mitrity
ExecStart=/usr/local/bin/mitrity-gateway --config /etc/mitrity/config.yaml
Restart=always
RestartSec=5
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now mitrity-gateway
Cloud Run
Mitrity Gateway runs on Cloud Run as a stateless service:
gcloud run deploy mitrity-gateway \
--image ghcr.io/mitrity-io/mitrity-mcp-gateway:v1.0.0 \
--memory 256Mi \
--cpu 1 \
--min-instances 1 \
--max-instances 10 \
--set-secrets "CONFIG=/mitrity-gateway-config:latest" \
--region europe-north1
Deploying Mitrity MCP Sidecar
Mitrity MCP Sidecar is a local binary that wraps an MCP server process. It is not deployed as a network service.
Binary download
Download Mitrity MCP Sidecar for your platform:
# Linux (amd64)
curl -Lo mitrity-mcp-sidecar \
https://releases.mitrity.com/mcp-sidecar/latest/mitrity-mcp-sidecar-linux-amd64
# Linux (arm64)
curl -Lo mitrity-mcp-sidecar \
https://releases.mitrity.com/mcp-sidecar/latest/mitrity-mcp-sidecar-linux-arm64
# macOS (Apple Silicon)
curl -Lo mitrity-mcp-sidecar \
https://releases.mitrity.com/mcp-sidecar/latest/mitrity-mcp-sidecar-darwin-arm64
# macOS (Intel)
curl -Lo mitrity-mcp-sidecar \
https://releases.mitrity.com/mcp-sidecar/latest/mitrity-mcp-sidecar-darwin-amd64
# Windows (amd64)
curl -Lo mitrity-mcp-sidecar.exe \
https://releases.mitrity.com/mcp-sidecar/latest/mitrity-mcp-sidecar-windows-amd64.exe
On Linux and macOS, make the binary executable and move it to your PATH:
chmod +x mitrity-mcp-sidecar
sudo mv mitrity-mcp-sidecar /usr/local/bin/
On Windows, move mitrity-mcp-sidecar.exe to a directory in your PATH.
Running Mitrity MCP Sidecar
The sidecar wraps an upstream MCP server command. Point your MCP client at the sidecar instead of the upstream server:
# Run with a config file
mitrity-mcp-sidecar --config /path/to/mitrity-mcp-sidecar.yaml
In your MCP client configuration, replace the upstream server command with the sidecar:
{
"mcpServers": {
"filesystem": {
"command": "mitrity-mcp-sidecar",
"args": ["--config", "/path/to/mitrity-mcp-sidecar.yaml"]
}
}
}
The upstream_command and upstream_args fields in the config file tell the sidecar which MCP server to launch and wrap.
Agent Configuration
For Mitrity Gateway
Agents connect to the gateway via the MCP protocol. Point your MCP client at the gateway in its configuration:
{
"mcpServers": {
"mitrity-gateway": {
"command": "/path/to/mitrity-gateway",
"args": ["--config", "mitrity-gateway.yaml"]
}
}
}
For agents connecting to a remote gateway (Docker, Cloud Run), configure the gateway's transport URL in the MCP client settings. No proxy environment variables are needed -- agents communicate directly via the MCP protocol.
For Mitrity MCP Sidecar
No environment variable changes are needed. Update your MCP client configuration to launch the sidecar as the server command, and configure the upstream server in mitrity-mcp-sidecar.yaml:
upstream_command: "/usr/local/bin/some-mcp-server"
upstream_args: ["--mode", "stdio"]
agent_id: "my-agent"
Verifying Installation
Mitrity Gateway
Check that the gateway is running:
# View logs
docker logs mitrity-gateway
# or
journalctl -u mitrity-gateway -f
Mitrity MCP Sidecar
Check that the sidecar can launch the upstream MCP server:
# Test by sending a simple MCP request via stdin
echo '{"jsonrpc":"2.0","method":"initialize","id":1,"params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"0.1"}}}' | mitrity-mcp-sidecar --config /path/to/mitrity-mcp-sidecar.yaml
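The same check as a script that validates the reply instead of leaving it to be read by eye. This is an added example, not code from the Mitrity project; the stand-in server is constructed so the script runs without the sidecar installed, and it assumes the wrapped server answers on stdout and exits when stdin closes.

```python
import json
import subprocess
import sys

# The initialize request used in the verification command above.
INIT = {"jsonrpc": "2.0", "method": "initialize", "id": 1,
        "params": {"protocolVersion": "2024-11-05", "capabilities": {},
                   "clientInfo": {"name": "test", "version": "0.1"}}}

# Constructed stand-in for a wrapped MCP server (not the real sidecar).
FAKE_SERVER = (
    "import sys, json; r = json.loads(sys.stdin.readline()); "
    "print(json.dumps({'jsonrpc': '2.0', 'id': r['id'], 'result': {"
    "'protocolVersion': r['params']['protocolVersion'], 'capabilities': {}, "
    "'serverInfo': {'name': 'constructed', 'version': '0'}}}))"
)
FAKE_ARGV = [sys.executable, "-c", FAKE_SERVER]

def smoke_test(argv, timeout=10):
    """Send initialize on stdin and return (ok, detail)."""
    try:
        proc = subprocess.run(argv, input=json.dumps(INIT) + "\n",
                              capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, f"could not complete handshake: {exc}"
    for line in proc.stdout.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:
            continue  # ignore any non-JSON output on stdout
        if not isinstance(msg, dict) or msg.get("id") != INIT["id"]:
            continue
        if "error" in msg:
            return False, f"server returned error: {msg['error']}"
        result = msg.get("result")
        if isinstance(result, dict) and "protocolVersion" in result:
            return True, result["protocolVersion"]
    return False, "no initialize response on stdout"

if __name__ == "__main__":
    # For a real check, pass:
    # ["mitrity-mcp-sidecar", "--config", "/path/to/mitrity-mcp-sidecar.yaml"]
    print(smoke_test(FAKE_ARGV))
```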
Production Recommendations
Mitrity Gateway
- Pin image versions in production. Use a specific tag (e.g., ghcr.io/mitrity-io/mitrity-mcp-gateway:v1.0.0) rather than latest
- Use secrets management for the API key and upstream credentials. On Kubernetes, use a Secret resource. On GCP Cloud Run, use Secret Manager. Never bake secrets into a container image
- Set resource limits appropriate to your workload. The gateway may handle many concurrent tool calls from multiple agents
- Configure health checks for container orchestration. The gateway exposes a health endpoint for liveness and readiness probes
- Enable log aggregation to forward structured logs to your observability stack. The gateway emits JSON-formatted logs with request timing, decision outcomes, and upstream routing details
- Verify binary signatures after download using cosign verify. All binaries are signed with Sigstore
Mitrity MCP Sidecar
- Verify binary signatures after download using cosign verify. All binaries are signed with Sigstore
- Use the latest version to ensure you have the most current ML model and policy engine
- Store the config file with restricted permissions (chmod 600) since it contains the API key
- Set agent_id to a unique identifier for each agent instance. This enables per-agent audit trails in the MITRITY dashboard
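An audit of an MCP client configuration against two points from this guide: every server entry should launch through a Mitrity binary rather than the upstream server directly, and the referenced config file should be mode 600. This is an added example, not part of the Mitrity tooling; the function names and sample entries are constructed, and POSIX file permissions are assumed.

```python
import os
import stat
import tempfile

# Binaries named in this guide; any other "command" bypasses Mitrity.
WRAPPERS = {"mitrity-mcp-sidecar", "mitrity-mcp-sidecar.exe", "mitrity-gateway"}

def audit_client_config(client_cfg):
    """Return findings for a parsed MCP client config (the mcpServers JSON)."""
    findings = []
    for name, server in client_cfg.get("mcpServers", {}).items():
        command = os.path.basename(server.get("command", ""))
        if command not in WRAPPERS:
            findings.append(f"{name}: runs '{command}' directly, not through Mitrity")
            continue
        args = server.get("args", [])
        if "--config" not in args[:-1]:
            findings.append(f"{name}: no --config argument")
            continue
        cfg_path = args[args.index("--config") + 1]
        try:
            mode = stat.S_IMODE(os.stat(cfg_path).st_mode)
        except OSError:
            findings.append(f"{name}: config {cfg_path} is missing or unreadable")
            continue
        if mode & 0o077:  # any group/other bit exposes the API key in the file
            findings.append(f"{name}: {cfg_path} is mode {mode:03o}, expected 600")
    return findings

def demo():
    """Constructed sample: one clean entry, one loose config file, one bypass."""
    tmp = tempfile.mkdtemp()
    good, loose = os.path.join(tmp, "good.yaml"), os.path.join(tmp, "loose.yaml")
    for path, mode in ((good, 0o600), (loose, 0o644)):
        with open(path, "w") as fh:
            fh.write('agent_id: "constructed-agent"\n')
        os.chmod(path, mode)
    client_cfg = {"mcpServers": {
        "filesystem": {"command": "mitrity-mcp-sidecar", "args": ["--config", good]},
        "search": {"command": "/usr/local/bin/mitrity-mcp-sidecar",
                   "args": ["--config", loose]},
        "legacy": {"command": "/usr/local/bin/some-mcp-server",
                   "args": ["--mode", "stdio"]},
    }}
    return audit_client_config(client_cfg)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To audit a real client, load its JSON file with json.load and pass the result to audit_client_config; relative config paths are resolved against the current directory.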
Related Documentation
- Integration Modes -- overview of Mitrity Gateway and Mitrity MCP Sidecar
- Configuration Reference -- full YAML configuration reference
- Getting Started -- end-to-end quickstart guide