## Agen for SaaS overview

**Agen for SaaS** enables SaaS companies to make their products **AI-native** by securely exposing product capabilities to **AI platforms and agents** such as ChatGPT, Claude, Gemini, and custom agents. Your customers can interact with your product through natural language and autonomous agents while you retain full **security, governance, and observability**.

Agen for SaaS implements a managed **MCP (Model Context Protocol) Gateway** that sits in front of your APIs and tools, enforcing **authentication, authorization, guardrails, data protection, and auditing** on every agent-initiated action.

### How Agen for SaaS works

The Agen for SaaS control plane provides a visual pipeline view of your entire MCP server configuration. From top to bottom, the pipeline shows:

1. **Your MCP Gateway** — A unique gateway endpoint (e.g., `your-id.mcp-gw.frontegg.com`) that AI agents connect to. A status indicator confirms whether the MCP server is running and ready to handle requests.
2. **Authentication** — The identity verification layer that validates every incoming request using your chosen auth provider (Frontegg or any OpenID Connect provider).
3. **Guardrails** — The governance layer comprising five modules that enforce security policies on every tool call:
   - **Access control** — Role-based and attribute-based restrictions on who can invoke which tools.
   - **Data protection** — Masking and redaction of sensitive data (PII, PHI, PCI) in tool responses.
   - **Policies** — Conditional rules that deny, step up, or require approval for specific actions.
   - **Approval flows** — Human-in-the-loop review workflows for sensitive operations.
   - **Hooks** — Custom JavaScript code that executes on tool call and tool listing events.
4. **Sources** — The external APIs and services connected to your MCP server (REST, GraphQL, or MCP server sources).
5. **Tools** — The individual API endpoints extracted from your sources that AI agents can discover and invoke.
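
To make the evaluation order of the guardrail stages concrete, here is an added sketch (not Agen's code, hook API, or configuration schema) in plain JavaScript: a role check against JWT claims, then conditional policies, then masking of the tool response. The tool names, roles, thresholds, claim names, and the `evaluateToolCall` function are all hypothetical, and the claims are assumed to come from a token the authentication layer has already verified.

```javascript
// Conceptual model only; not Agen's hook API or config schema. All names are hypothetical.
// Access control: tool -> roles allowed to invoke it (roles read from verified JWT claims).
const TOOL_ROLES = {
  get_invoice: ["billing_viewer", "billing_admin"],
  issue_refund: ["billing_admin"],
};

// Policies: first match wins; outcomes mirror deny / step up / request approval.
const POLICIES = [
  { tool: "issue_refund", when: (c) => !["US", "DE"].includes(c.country), action: "deny" },
  { tool: "issue_refund", when: (c) => c.args.amount > 1000, action: "require_approval" },
  { tool: "issue_refund", when: (c) => c.args.amount > 100, action: "step_up" },
];

// Data protection: mask e-mail addresses and card-like digit runs in every string field.
function maskSensitive(value) {
  if (typeof value === "string") {
    return value
      .replace(/[\w.+-]+@[\w-]+(\.[\w-]+)+/g, "[EMAIL]")
      .replace(/\b\d(?:[ -]?\d){12,18}\b/g, "[PAN]");
  }
  if (Array.isArray(value)) return value.map(maskSensitive);
  if (value && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, maskSensitive(v)]));
  }
  return value;
}

// Runs the stages in order; `invoke` stands in for the upstream API call behind the tool.
function evaluateToolCall(claims, call, invoke) {
  const audit = { sub: claims.sub, tenant: claims.tenantId, tool: call.tool };
  const allowed = TOOL_ROLES[call.tool] || []; // unmapped tool => default deny
  if (!(claims.roles || []).some((r) => allowed.includes(r))) {
    return { decision: "deny", reason: "access_control", audit };
  }
  const ctx = { ...call, claims };
  const hit = POLICIES.find((p) => p.tool === call.tool && p.when(ctx));
  if (hit) return { decision: hit.action, reason: "policy", audit }; // upstream never called
  return { decision: "allow", result: maskSensitive(invoke(call.args)), audit };
}

// Constructed sample: a billing admin's agent requests a refund of 500 from the US.
const sample = evaluateToolCall(
  { sub: "user-1", tenantId: "tenant-a", roles: ["billing_admin"] },
  { tool: "issue_refund", args: { amount: 500 }, country: "US" },
  () => ({ status: "refunded" })
);
console.log(sample.decision); // step_up
```

Every branch returns the same `audit` record, and the upstream call runs only on the `allow` path, so a denied or held request never reaches the source API.
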

Each component in the pipeline displays a green (active) or gray (not configured) status indicator so you can see your configuration state at a glance.

### What Agen for SaaS provides

| Capability | Description |
| --- | --- |
| **Sources** | Connect REST (OpenAPI), GraphQL, or remote MCP servers as data sources. Tools are auto-generated from your API specifications. |
| **Tool management** | Enable, disable, edit, and delete individual tools. Each tool maps to an API endpoint with a specific HTTP method and path. |
| **Access control (RBAC/ABAC)** | Map tools to **roles** or **permissions** using JWT attributes. Control which users can invoke which tools. |
| **Policies and guardrails** | Conditional rules that **deny**, **step up authentication**, or **request approval** based on request attributes like IP, amount, or country. |
| **Approval flows** | Multi-step approval workflows with configurable approvers (by role or email), notification channels (email/SMS), and advanced settings like auto-approve timeouts and reminders. |
| **Data protection** | Mask sensitive information (PII, PHI, PCI) in tool responses based on compliance requirements and conditional targeting rules. |
| **Hooks** | Custom JavaScript functions that execute on `Call tool` or `List tools` events, enabling custom logic and transformations. |
| **Monitoring and auditing** | End-to-end event trails for tool calls, policy decisions, approvals, and configuration changes. |
| **Authentication** | Frontegg or OpenID Connect providers with federation URL and optional custom domain. |
| **Configuration** | Server name, MCP Gateway URL, custom domain, and allowed origins management. |

### Designed for SaaS

- **Multi-tenant by design** — Clean separation of tenants with claims-aware access and per-tenant policy control.
- **Bring your auth** — Use Frontegg or any OIDC-compliant provider. Your existing JWTs drive access control and entitlements.
- **Least-privilege for agents** — Fine-grained tool-level access with conditional policies ensures agents only do what they should.
- **Separation of duties** — Approval flows and audit logs enforce human oversight for sensitive operations.

### Get started

- **Quickstart** — Set up your MCP server, import tools, and configure authentication in minutes.
- **Connect to AI platforms** — Link your MCP gateway to ChatGPT, Claude, or Gemini.

> Continue with **[Quickstart](/agen-for-saas/getting-started/quickstart)**.

### Related topics

- [Core concepts](/agen-for-saas/introduction/core-concepts)
- [Sources](/agen-for-saas/sources/overview)
- [Tools](/agen-for-saas/tools/about-tools)
- [Access control](/agen-for-saas/access-control/overview)
- [Policies](/agen-for-saas/policies/overview)
- [Approval flows](/agen-for-saas/policies/approval-flows)
- [Data protection](/agen-for-saas/data-protection/overview)
- [Hooks](/agen-for-saas/hooks/overview)