▲ 1 ▼ nenya - A lightweight, highly secure AI API Gateway/Proxy written in Go

github.com godoc.org goreportcard.com posted by Rafael Gumieri 9 days ago

A lightweight, zero-dependency AI API Gateway written in Go. Nenya sits between your AI coding clients and upstream LLM providers, adding secret redaction, context management, agent routing, and MCP tool integration — all with transparent SSE streaming. Security-hardened: non-root execution, mlock for secrets, seccomp + no-new-privileges.

▲ Oleksandr 6 days ago ▼

Hi! Could you clarify whether your gateway handles authentication and authorization for interactions between AI agents and MCP services and/or LLMs?
I’m particularly interested in whether there is built-in support for securing agent-to-service communication, or if this is expected to be implemented externally.

Contributing
▲ Rafael Gumieri 32 minutes ago ▼

Hi Oleksandr, sorry for the late reply.

Yes, Nenya handles the authentication between the Agents and the MCP Servers. The upstream providers never see MCP server credentials or URLs.

We support HTTP MCP servers with configurable auth headers passed through by the gateway, but stdio MCP servers are outside the current scope.

The gateway talks to MCP servers directly (via HTTPTransport with configured headers). When MCP tools get injected into the upstream LLM request, only the tool names (prefixed with the server name, e.g. mempalace__search), descriptions, and parameter schemas are sent in the JSON body as OpenAI function tool definitions (internal/mcp/openai.go:MCPToolsToOpenAI). When the LLM calls a tool, the gateway intercepts it, routes it to the MCP server internally, and only sends the tool result text back to the LLM. The MCP server URL and auth headers never leave the gateway — they're only used by the transport layer (internal/mcp/transport.go:setHeaders) when the gateway itself connects to the MCP server.

Contributing