Now available — v2.7.93
NEW One-click OAuth onboarding for vendors

The spend control plane for enterprise AI agents

Your AI agents are spending money on every tool call — across vendors, with no visibility. Magertron meters every call, charges it back per user and per team, and enforces hard budget limits at the gateway. See what your agents cost, and cap it.

OSS Free up to 20 servers — no signup, no credit card.

Install in 5 minutes
$ git clone https://github.com/magertron/orchestrator.git
$ cd orchestrator
$ ./install.sh                                  # Free tier — no license needed
$ ./install.sh --license /path/to/license.json  # With a license
Magertron AI Cost Dashboard — total agent spend, committed vs pay-as-you-go, per-vendor and per-user cost breakdown with budget tracking

Rogue MCP servers are already inside your network

Developers are spinning up ungoverned MCP servers on laptops, in personal cloud accounts, and inside your perimeter — with no audit trail and no controls. AI agents talking to these servers can execute actions at scale.

THREAT VECTOR 01
External AI agents
AI agents outside your perimeter reaching ungoverned internal MCP servers. Perimeter firewalls catch these — but only if the agent actually crosses the perimeter, and only if the MCP server is registered as a public service.

Three deployment patterns. One policy plane.

Internal MCP servers

MCP servers run as pods in your cluster. Traffic stays inside your network.

Hybrid MCP servers

Internal MCP server pods that reach external APIs for data enrichment.

External MCP servers

SaaS or cloud-hosted MCP servers, registered in Magertron and governed by the same policies as your internal servers.

Full lifecycle control for every MCP server

Deploy from any container image, monitor real-time CPU and memory metrics, and scale with a slider. Every action is audited.

  • Live metrics charts polling every 5 seconds
  • Real pod logs from Kubernetes API
  • One-click rollback from deployment history
  • Rolling restart with zero downtime
Server Detail Panel

Enforce policy before anything reaches production

Namespace-scoped governance policies evaluate every deployment at deploy time. Error-severity rules block non-compliant servers. Warnings flag a deployment for review.

  • Different policies for prod vs dev environments
  • Resource limits, transport rules, naming standards
  • Dry-run evaluator for pre-flight checks
  • Export/import policies across clusters
Governance Policies
The full MCP lifecycle — in your Kubernetes cluster
Deploy, registry, gateway, governance, observability. One Helm chart. Apache 2.0. Most platforms cover one or two of these. Magertron covers all five.
A CLI that gets out of your way
Single binary, zero dependencies. Deploy, scale, and evaluate governance from your terminal. Ships for macOS and Linux.
$ mcpctl login https://mcp.acme.internal admin
Logged in as admin (system:platform-admin)

$ mcpctl deploy code-assistant mcp-prod ghcr.io/acme/code-assistant --tag v2.1 --team platform
Deploying code-assistant to mcp-prod...
Server deployed (state: Running)

$ mcpctl governance evaluate spec.json --namespace mcp-prod
ALLOWED
⚠ Mutating tools detected — review required before production use

$ mcpctl servers
NAME            NAMESPACE    STATE    REPLICAS  IMAGE
code-assistant  mcp-prod     Running  2/2       ghcr.io/acme/code-assistant:v2.1
search-tool     mcp-prod     Running  3/3       ghcr.io/acme/search:latest
doc-retriever   mcp-staging  Running  1/1       ghcr.io/acme/docs:v1.4
Homebrew macOS · Linux
Cleanest install if you have brew:
$ brew install magertron/tap/mcpctl
curl one-liner macOS · Linux
No package manager required:
$ curl -fsSL https://magertron.com/install-mcpctl.sh | sh
Debian / Ubuntu apt · amd64 · arm64
One-time setup
$ curl -fsSL https://magertron.com/apt/magertron-archive-keyring.gpg | sudo tee /etc/apt/trusted.gpg.d/magertron-archive-keyring.gpg > /dev/null
$ echo "deb [signed-by=/etc/apt/trusted.gpg.d/magertron-archive-keyring.gpg] https://magertron.com/apt stable main" | sudo tee /etc/apt/sources.list.d/magertron.list
$ sudo apt update
Install
$ sudo apt install mcpctl
RHEL / Fedora / Rocky dnf · x86_64
One-time setup
$ sudo curl -fsSL https://magertron.com/yum/magertron.repo -o /etc/yum.repos.d/magertron.repo
Install
$ sudo dnf install mcpctl
Or download a binary directly
macOS arm64 · macOS amd64 · Linux amd64 · Linux arm64
Apache 2.0 licensed. Source at magertron/orchestrator/mcpctl. Free for all customers. Commands that hit Pro or Enterprise features will return a clear license error unless your orchestrator is licensed for them.
Choose your plan
Start free with core server management. Scale to Pro for a single team running their own MCP servers — or Enterprise for identity, compliance, and platform-team needs.
Open Source
Free
Free forever · Apache 2.0
Up to 20 MCP servers · No signup · No credit card
  • Deploy and manage MCP servers
  • Health monitoring & metrics
  • Envoy gateway with xDS
  • Helm chart deployment
  • CLI tool (mcpctl) — Apache 2.0
  • Basic RBAC (admin + viewer)
  • Community support via GitHub
  • Live metrics charts
  • Namespace isolation
  • SSO & SCIM provisioning
  • Governance policies
  • Webhooks & audit trail
Commercial
Enterprise
Contact us for pricing
Unlimited servers · For identity, compliance & platform teams
  • Everything in Pro, plus:
  • SSO (OIDC & SAML) — Okta, Azure AD, Google
  • SCIM 2.0 automated user provisioning
  • Just-in-time user provisioning on first login
  • Governance policy engine
  • Quarantine kill switch & bulk approvals
  • Multi-tenant namespace isolation
  • Advanced telemetry (SIEM, Datadog, Splunk)
  • Governance policy export/import
  • Multi-cluster federation
  • Air-gapped deployment
  • Priority support with SLA
  • Dedicated onboarding & custom integrations
  • Custom procurement (PO, MSA, security review)

Ready to manage MCP at enterprise scale?

Start free on GitHub, or talk to us about Pro and Enterprise.
