System Architecture

The Simplaix Gateway sits between client applications and upstream agent runtimes, providing a unified security, identity, and credential management layer. It is protocol-agnostic -- the same Gateway can route to MCP servers, or any custom HTTP service.

Architecture Diagram

Layers

Authentication Layer

The Gateway supports three authentication methods:

• JWT -- for admin operations and agent invocation from frontends
• API Keys (gk_) -- for server-to-server communication between agent runtimes and the Gateway
• Agent Runtime Tokens (art_) -- runtime identity for registered agents

See Authentication for details.

Core Services

• Provider Access Service -- enforces provider-level ACL and tool-level policy rules from the database
• Policy Engine -- fallback config policy layer (used when DB rules are unavailable)
• Request Pauser -- holds requests pending human confirmation decisions
• Agent Service -- manages agent registration, configuration, and lifecycle
• Credential Service -- encrypted credential storage and runtime resolution
• Credential Providers -- defines how each credential type (OAuth2, API key, JWT, basic) works
• Tool Aggregation -- merges and filters tools across accessible providers for unified MCP

Proxy Layer

• Unified MCP Endpoint -- single /api/v1/mcp/mcp endpoint that aggregates tools from all authorized providers
• MCP Proxy -- per-provider endpoint (/api/v1/mcp-proxy/:providerId/mcp) for direct proxying
• Agent Invoke -- protocol-agnostic agent invocation with credential pre-checking (supports JSON and SSE streaming responses)
• Header Injector -- injects end-user/agent identity and provider auth headers into upstream requests

Data Layer

• Audit Service -- logs every tool call with full context and timing
• AES-256-GCM Encryption -- encrypts all credentials at rest
• SQLite / PostgreSQL -- pluggable database backend via Drizzle ORM

Real-time

• SSE Stream -- server-sent events for real-time confirmation notifications