Skip to content

This guide explains how to deploy and operate the

Model Context Protocol: A standard protocol for AI agent and server interactions that defines how AI assistants communicate with external tools and data sources.Learn more(opens in new tab) Identity Gateway on your own Linux host, as a standalone service that you run and maintain.

When you self-host, you run the MCP Identity Gateway as a systemd service on a Linux host that you provision and maintain, alongside a colocated Agent Controller. A bare virtual machine and a cloud instance (such as an AWS EC2 instance) follow the same procedure—an EC2 instance is a virtual machine for this purpose.

How self-hosting differs from the managed service

Section titled “How self-hosting differs from the managed service”

The Aembit Cloud configuration is identical for both deployment models: you create an Identity Provider, two Access Policies, and a Credential Provider for each MCP server. Self-hosting adds the host-side work that Aembit otherwise does for you:

ResponsibilityManaged serviceSelf-host
Compute hostAembitYou provision and maintain a Linux host
Gateway hostname<tenantId>.mcpgateway.aembit.ioA DNS name you own (for example, mcp-gateway.example.com)
TLS certificateAembitYou obtain and renew it
Gateway runtime and upgradesAembitYou install, start, and upgrade the binary
Aembit Cloud configuration (IdP, Access Policies, Credential Providers)YouYou

This guide covers the host-side work. Once the Gateway is running, you configure Aembit Cloud using the existing setup guide.

Before you begin, ensure you have:

  • An Aembit Tenant: Aembit Tenants serve as isolated, dedicated environments within Aembit that provide complete separation of administrative domains and security configurations.Learn more with admin access
  • A Linux host (a virtual machine or cloud instance) for the MCP Identity Gateway, with network access to:
    • Your Aembit Tenant (https://<tenantId>.aembit.io, outbound HTTPS)
    • Target MCP Server: A server that implements the Model Context Protocol to provide tools, resources, or data to AI agents and MCP clients.Learn more(opens in new tab) (outbound HTTPS)
    • MCP Client: An application (such as Claude Desktop, Claude Code, or Gemini CLI) that connects to MCP servers to access tools and resources on behalf of users.Learn more and AI agents (inbound on the listener port, typically 443)
  • A DNS name you control for the Gateway (for example, mcp-gateway.example.com)
  • The ability to obtain a TLS certificate for that DNS name (a public certificate authority or your internal public key infrastructure)

Create a Linux host for the MCP Identity Gateway. Aembit supports the Gateway as a systemd service on a virtual machine or cloud instance; an Ubuntu host is a common choice.

Size the host’s network access so it can:

  • Accept inbound MCP client connections (typically on port 443)
  • Reach the Aembit control plane (outbound HTTPS)
  • Reach every MCP server you plan to proxy (outbound HTTPS)

For detailed host setup guidance, see Linux virtual machine deployment.

The MCP Identity Gateway requires a colocated Agent Controller on the same host. The Agent Controller registers the Gateway with Aembit Cloud and supplies it with the credentials and configuration it needs to operate. Because the two run on the same host and communicate over localhost, credentials never traverse the network.

Create the Agent Controller in your Aembit Tenant, then install it on the Gateway host before you install the Gateway itself. For full instructions, see Install Agent Controller on Linux. Use the following configuration:

SettingValueReason
TLSOffThe MCP Identity Gateway terminates TLS and reaches the Agent Controller over localhost.
RegistrationTrust Provider-basedRecommended for automated registration
Port5000 (default)The MCP Identity Gateway connects to http://localhost:5000

Point your chosen DNS name at the host so MCP clients can reach the Gateway.

Create an address (A) record that maps your Gateway hostname (for example, mcp-gateway.example.com) to the host’s public IP address. On AWS, you create this record in Route 53 for the hosted zone of the domain you control.

Confirm the record resolves before continuing:

Terminal window
dig +short mcp-gateway.example.com

Expected: the host’s public IP address.

The MCP Identity Gateway terminates TLS itself, so it needs a certificate and private key for your Gateway hostname.

The following steps use Let’s Encrypt with certbot to issue a certificate. This is a quick option for a single host; for production you might instead offload TLS to a load balancer or use your internal public key infrastructure.

  1. Open inbound port 80 on the host (and in your cloud security group) so Let’s Encrypt can complete the HTTP challenge.

  2. Install nginx, which certbot uses to answer the challenge:

    Terminal window
    sudo apt update
    sudo apt install nginx -y
    sudo systemctl enable nginx
  3. Install certbot and its nginx plugin:

    Terminal window
    sudo apt install -y certbot python3-certbot-nginx
  4. Request a certificate for your Gateway hostname (replace mcp-gateway.example.com with your own):

    Terminal window
    sudo certbot --nginx -d mcp-gateway.example.com

    certbot writes the certificate chain and private key to /etc/letsencrypt/live/mcp-gateway.example.com/.

  5. Stop and disable nginx so it doesn’t compete with the Gateway for port 443:

    Terminal window
    sudo systemctl stop nginx
    sudo systemctl disable nginx
  6. Close inbound port 80 again—the Gateway only needs inbound 443 for normal operation.

Download, install, and start the MCP Identity Gateway on the host. On startup, the Gateway registers with Aembit Cloud through the colocated Agent Controller.

  1. Download the MCP Identity Gateway archive from the Aembit releases portal and extract it:

    Terminal window
    tar xf <archive-name>.tar.gz
  2. Install the Gateway, supplying its configuration as environment variables on the install command:

    Terminal window
    sudo AEMBIT_AUTHORIZATION_SERVER=https://<tenantId>.mcp.useast2.aembit.io/ \
    AEMBIT_MCP_GATEWAY_URL=https://mcp-gateway.example.com \
    AEMBIT_TLS_CERT_CHAIN_PATH=/etc/letsencrypt/live/mcp-gateway.example.com/fullchain.pem \
    AEMBIT_TLS_PRIVATE_KEY_PATH=/etc/letsencrypt/live/mcp-gateway.example.com/privkey.pem \
    AEMBIT_AGENT_CONTROLLER_URL=http://localhost:5000 \
    AEMBIT_LOG_LEVEL=info \
    ./install

    Replace <tenantId> with your Aembit Tenant ID (visible in your Aembit Tenant URL—for example, abc123 in https://abc123.aembit.io), and replace mcp-gateway.example.com with your own Gateway hostname. For a full description of every variable, see MCP Identity Gateway environment variables.

Confirm the Gateway is running before you configure Aembit Cloud.

  1. Check that the service is active:

    Terminal window
    sudo systemctl status aembit_mcp_gateway

    Expected: active (running). If it isn’t, check the environment variables and the TLS certificate paths.

  2. Confirm the endpoint is reachable and presents a valid certificate:

    Terminal window
    curl -I "https://mcp-gateway.example.com/"

    Expected: the TLS handshake succeeds and you get an HTTP response (possibly an error, since this isn’t a valid MCP request). If it fails, confirm DNS resolves and the certificate is valid for the hostname.

  3. Review the Gateway logs for startup or connection events:

    Terminal window
    sudo journalctl --namespace aembit_mcp_gateway -n 50

With the Gateway running, complete the Aembit Cloud configuration—the Identity Provider, both Access Policies, and a Credential Provider for each MCP server. These steps are identical to the managed service.

Follow Set up the MCP Identity Gateway, starting at Configure an Identity Provider, with one substitution:

After you configure both Access Policies, return to the setup guide’s Verify the connection section to test the end-to-end flow.

Because you run the Gateway yourself, you also operate it:

  • Restart the service after a configuration change:

    Terminal window
    sudo systemctl restart aembit_mcp_gateway
  • Follow the logs while troubleshooting:

    Terminal window
    sudo journalctl --namespace aembit_mcp_gateway -f
  • Upgrade by downloading a newer release and rerunning the install command.

  • Renew TLS certificates before they expire, as described in Obtain a TLS certificate.

For connectivity, log, and metrics details, see the MCP Identity Gateway reference.