almyty docs — v1

Tool Scoping

Tool scoping controls which tools are exposed through each gateway. A gateway starts with no tools assigned — you explicitly choose which tools to include so each gateway has a focused, purpose-specific surface area.

[Screenshot: Gateways page, empty state]

In the UI

  1. Open the gateway detail page
  2. Click the Tools tab
  3. Click Add Tools to see all available tools in your organization
  4. Select one or more tools and click Assign
  5. Use the presets dropdown (All, None, Read Only, Admin, Public) for quick selection
  6. Toggle individual tools on or off with the Enabled switch
  7. Click a tool row to configure per-gateway rate limits and security policies

Via the API

Assign a single tool

curl -X POST /gateways/{gatewayId}/tools \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "toolId": "tool-uuid" }'

Bulk assignment

curl -X POST /gateways/{gatewayId}/tools/bulk \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "toolIds": ["tool-1", "tool-2", "tool-3"] }'

Remove a tool

curl -X DELETE /gateways/{gatewayId}/tools/{toolId} \
  -H "Authorization: Bearer $TOKEN"

Remove all tools

curl -X DELETE /gateways/{gatewayId}/tools \
  -H "Authorization: Bearer $TOKEN"

List available tools

Returns tools in the organization that are not yet assigned to this gateway.

curl /gateways/{gatewayId}/tools/available \
  -H "Authorization: Bearer $TOKEN"

Presets

| Preset    | Description                             |
|-----------|-----------------------------------------|
| All       | Assign every available tool             |
| None      | Remove all assignments                  |
| Read Only | Assign only GET/query operations        |
| Admin     | Assign all CRUD operations              |
| Public    | Assign tools suitable for public access |

Per-gateway tool configuration

Each assignment can carry gateway-specific overrides:

curl -X PATCH /gateways/{gatewayId}/tools/{gatewayToolId} \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "rateLimit": 100,
    "securityPolicy": {
      "requireAuth": true,
      "allowedScopes": ["tools:execute"]
    }
  }'

| Field          | Type    | Description                                |
|----------------|---------|--------------------------------------------|
| enabled        | boolean | Whether the tool is active on this gateway |
| rateLimit      | number  | Max requests per minute for this tool      |
| securityPolicy | object  | Gateway-specific security overrides        |

Usage statistics

curl /gateways/{gatewayId}/tools/stats \
  -H "Authorization: Bearer $TOKEN"

{
  "stats": [
    {
      "toolId": "tool-1",
      "toolName": "get_users",
      "totalCalls": 1250,
      "successRate": 98.4,
      "avgDuration": 234,
      "lastCalledAt": "2026-03-23T10:30:00Z"
    }
  ]
}

Common patterns

Read-only public gateway — assign only GET/query tools, enable API key auth, set rate limits per tool.

Internal admin gateway — assign all tools, require Bearer token auth, no rate limits.

Per-team gateways — create separate gateways for different teams (e.g., marketing gets analytics tools, engineering gets deployment tools), each with its own API keys.
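
The following is an added example, not almyty's own code: it audits one gateway against the read-only public gateway pattern above (auth required and a rate limit on every enabled tool) and uses the usage statistics to flag assigned tools that are never or no longer called. The stats input follows the response shown under Usage statistics; the assignment record shape (toolId plus the documented PATCH fields), the finding labels, the 30-day idle threshold and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. STATS follows the /tools/stats response shown on the
# page; ASSIGNMENTS is an assumed shape (toolId plus the documented PATCH fields).
STATS = {"stats": [
    {"toolId": "tool-1", "toolName": "get_users", "totalCalls": 1250,
     "successRate": 98.4, "avgDuration": 234, "lastCalledAt": "2026-03-23T10:30:00Z"},
    {"toolId": "tool-2", "toolName": "list_orders", "totalCalls": 3,
     "successRate": 100.0, "avgDuration": 120, "lastCalledAt": "2025-11-02T08:00:00Z"},
]}
ASSIGNMENTS = [
    {"toolId": "tool-1", "enabled": True, "rateLimit": 100,
     "securityPolicy": {"requireAuth": True, "allowedScopes": ["tools:execute"]}},
    {"toolId": "tool-2", "enabled": True, "rateLimit": None,
     "securityPolicy": {"requireAuth": False}},
    {"toolId": "tool-3", "enabled": True, "rateLimit": 60,
     "securityPolicy": {"requireAuth": True, "allowedScopes": ["tools:execute"]}},
    {"toolId": "tool-4", "enabled": False, "rateLimit": None, "securityPolicy": {}},
]

def audit_gateway(assignments, stats, now, max_idle_days=30):
    """Return sorted (toolId, finding) pairs for enabled tools on one gateway."""
    last_called = {}
    for row in stats.get("stats", []):
        ts = row.get("lastCalledAt")
        if ts:
            last_called[row["toolId"]] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    findings = []
    for a in assignments:
        if not a.get("enabled"):
            continue  # tool is not active on this gateway
        tid = a["toolId"]
        policy = a.get("securityPolicy") or {}
        limit = a.get("rateLimit")
        if not isinstance(limit, (int, float)) or limit <= 0:
            findings.append((tid, "no-rate-limit"))
        if policy.get("requireAuth") is not True:
            findings.append((tid, "auth-not-required"))
        seen = last_called.get(tid)
        if seen is None:
            findings.append((tid, "never-called"))  # assigned but absent from stats
        elif now - seen > timedelta(days=max_idle_days):
            findings.append((tid, "idle"))
    return sorted(findings)

if __name__ == "__main__":
    for tool_id, finding in audit_gateway(
            ASSIGNMENTS, STATS, datetime(2026, 3, 24, tzinfo=timezone.utc)):
        print(tool_id, finding)
```

Tools reported as never-called or idle are candidates for removal with the DELETE call shown earlier, which keeps the gateway's exposed surface limited to what is actually used.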