Skip to content

๐Ÿ“Š Metadata Tracking & Audit Trailsยถ

MCP Gateway provides comprehensive metadata tracking for all entities (Tools, Resources, Prompts, Servers, Gateways) to enable enterprise-grade audit trails, compliance monitoring, and operational troubleshooting.


๐ŸŽฏ Overviewยถ

Every entity in MCP Gateway now includes detailed metadata about: - Who created or modified the entity - When the operation occurred - From where (IP address, user agent) - How it was created (UI, API, bulk import, federation) - Source tracking for federated entities and bulk operations


๐Ÿ“Š Metadata Fieldsยถ

All entities include the following metadata fields:

Category Field Description Example Values
Creation created_by Username who created entity "admin", "alice", "anonymous"
created_at Creation timestamp "2024-01-15T10:30:00Z"
created_from_ip IP address of creator "192.168.1.100", "10.0.0.1"
created_via Creation method "ui", "api", "import", "federation"
created_user_agent Browser/client info "Mozilla/5.0", "curl/7.68.0"
Modification modified_by Last modifier username "bob", "system", "anonymous"
modified_at Last modification timestamp "2024-01-16T14:22:00Z"
modified_from_ip IP of last modifier "172.16.0.1"
modified_via Modification method "ui", "api"
modified_user_agent Client of last change "HTTPie/2.4.0"
Source import_batch_id Bulk import UUID "550e8400-e29b-41d4-a716-446655440000"
federation_source Source gateway name "gateway-prod-east"
version Change tracking version 1, 2, 3โ€ฆ

๐Ÿ–ฅ๏ธ Viewing Metadataยถ

Admin UIยถ

Metadata is displayed in the detail view modals for all entity types:

  1. Navigate to any entity list (Tools, Resources, Prompts, Servers, Gateways)
  2. Click "View" on any entity
  3. Scroll down to the "Metadata" section

Example metadata display:

โ”Œโ”€ Metadata โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Created By:      admin                           โ”‚
โ”‚ Created At:      1/15/2024, 10:30:00 AM        โ”‚
โ”‚ Created From:    192.168.1.100                  โ”‚
โ”‚ Created Via:     ui                              โ”‚
โ”‚ Last Modified By: alice                          โ”‚
โ”‚ Last Modified At: 1/16/2024, 2:22:00 PM        โ”‚
โ”‚ Version:         3                               โ”‚
โ”‚ Import Batch:    N/A                             โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

API Responsesยถ

All entity read endpoints include metadata fields in JSON responses:

# Get tool with metadata
curl -H "Authorization: Bearer $TOKEN" \
     http://localhost:4444/tools/abc123

{
  "id": "abc123",
  "name": "example_tool",
  "description": "Example tool",
  "createdBy": "admin",
  "createdAt": "2024-01-15T10:30:00Z",
  "createdFromIp": "192.168.1.100",
  "createdVia": "ui",
  "createdUserAgent": "Mozilla/5.0...",
  "modifiedBy": "alice",
  "modifiedAt": "2024-01-16T14:22:00Z",
  "version": 3,
  "importBatchId": null,
  "federationSource": null,
  ...
}

๐Ÿ” Metadata by Source Typeยถ

Manual Creation (UI/API)ยถ

  • created_via: "ui" or "api"
  • created_by: Authenticated username
  • created_from_ip: Client IP address
  • federation_source: null
  • import_batch_id: null

Bulk Import Operationsยถ

  • created_via: "import"
  • import_batch_id: UUID linking related imports
  • created_by: User who initiated import
  • federation_source: null

Federation (MCP Server Discovery)ยถ

  • created_via: "federation"
  • federation_source: Source gateway name
  • created_by: User who registered the gateway
  • import_batch_id: null

Legacy Entities (Pre-Metadata)ยถ

  • All metadata fields: null
  • UI displays: "Legacy Entity", "Pre-metadata"
  • version: 1 (automatically assigned)

๐Ÿ›ก๏ธ Authentication Compatibilityยถ

Metadata tracking works seamlessly across all authentication modes:

With Authentication (AUTH_REQUIRED=true)ยถ

# Example: User "admin" creates a tool
{
  "createdBy": "admin",
  "createdVia": "api",
  "createdFromIp": "192.168.1.100"
}

Without Authentication (AUTH_REQUIRED=false)ยถ

# Example: Anonymous creation
{
  "createdBy": "anonymous",
  "createdVia": "api",
  "createdFromIp": "192.168.1.100"
}

JWT vs Basic Authenticationยถ

  • JWT Authentication: Extracts username from token payload (username or sub field)
  • Basic Authentication: Uses provided username directly
  • Both formats handled gracefully by the extract_username() utility

๐Ÿ”„ Version Trackingยถ

Each entity maintains a version number that increments on modifications:

# Initial creation
POST /tools -> version: 1

# First update
PUT /tools/123 -> version: 2

# Second update
PUT /tools/123 -> version: 3

Version tracking helps identify: - Configuration drift between environments - Change frequency for troubleshooting - Rollback points for recovery scenarios


๐Ÿ“ˆ Use Casesยถ

Security Auditingยถ

  • Track who created/modified sensitive configurations
  • Identify unauthorized changes by IP address
  • Monitor bulk import operations for compliance

Operational Troubleshootingยถ

  • Trace entity origins during incident response
  • Identify batch operations that may have caused issues
  • Understand federation dependencies between gateways

Compliance Reportingยถ

  • Generate audit reports for regulatory requirements
  • Track change management processes
  • Demonstrate access controls and change attribution

Development & Testingยถ

  • Identify test vs production entities
  • Track deployment-specific configurations
  • Monitor cross-environment migrations

๐Ÿ”ง Configurationยถ

No Additional Setup Requiredยถ

Metadata tracking is automatically enabled for all new installations and upgrades:

  • Database migration runs automatically on startup
  • Existing entities show graceful fallbacks for missing metadata
  • No environment variables needed - uses existing AUTH_REQUIRED setting

Proxy Supportยถ

Metadata capture automatically handles reverse proxy scenarios:

# Respects X-Forwarded-For headers
X-Forwarded-For: 203.0.113.1, 192.168.1.1, 127.0.0.1
# Records: created_from_ip = "203.0.113.1" (original client)

Privacy Considerationsยถ

The system captures IP addresses and user agents for audit purposes:

  • IP addresses: Consider GDPR/privacy implications for EU deployments
  • User agents: May contain personally identifiable information
  • Data retention: Define policies for metadata archival
  • Access control: Metadata follows same permissions as parent entity

๐Ÿš€ Migration Guideยถ

Upgrading Existing Deploymentsยถ

  1. Automatic Migration

    # Migration runs automatically on startup
    # Or run manually:
    alembic upgrade head
    

  2. Verify Migration

  3. Check admin UI - all entities show metadata sections
  4. API responses include new metadata fields
  5. Legacy entities display gracefully

  6. No Downtime Required

  7. All metadata columns are nullable
  8. Existing functionality unmodified
  9. Gradual adoption of metadata features

Metadata Backfill (Optional)ยถ

For enhanced audit trails, optionally backfill known metadata:

-- Backfill system-created entities
UPDATE tools SET
    created_by = 'system',
    created_via = 'migration',
    version = 1
WHERE created_by IS NULL;

-- Similar for other entity tables
UPDATE gateways SET created_by = 'system', created_via = 'migration', version = 1 WHERE created_by IS NULL;
UPDATE servers SET created_by = 'system', created_via = 'migration', version = 1 WHERE created_by IS NULL;
UPDATE prompts SET created_by = 'system', created_via = 'migration', version = 1 WHERE created_by IS NULL;
UPDATE resources SET created_by = 'system', created_via = 'migration', version = 1 WHERE created_by IS NULL;

๐Ÿ”ฎ Future Enhancementsยถ

Enhanced Audit Featuresยถ

  • Change history tracking - Before/after state comparison
  • Metadata-based filtering - Search entities by creator, date, source
  • Audit log export - Generate compliance reports
  • Custom metadata fields - User-defined entity attributes

Cross-Gateway Featuresยถ

  • Metadata synchronization across federated gateways
  • Trust scoring based on metadata quality
  • Provenance tracking for complex federation scenarios

Analytics Integrationยถ

  • Usage pattern analysis from metadata
  • Creator activity dashboards
  • Import/export trend monitoring

๐Ÿ“‹ API Examplesยถ

Creating Entities with Metadataยถ

Metadata is captured automatically - no additional parameters needed:

# Create tool - metadata captured automatically
curl -X POST http://localhost:4444/tools \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "example_tool",
    "url": "http://example.com/api",
    "integration_type": "REST",
    "request_type": "GET"
  }'

# Response includes metadata
{
  "id": "abc123",
  "name": "example_tool",
  "createdBy": "admin",
  "createdAt": "2024-01-15T10:30:00Z",
  "createdVia": "api",
  "version": 1,
  ...
}

Filtering by Metadata (Future)ยถ

# Future enhancement - filter by creator
GET /tools?created_by=admin

# Filter by creation method
GET /tools?created_via=federation

# Filter by date range
GET /tools?created_after=2024-01-01&created_before=2024-01-31

โ“ FAQยถ

Q: Will this affect existing deployments?ยถ

A: No breaking changes. Existing entities show graceful fallbacks, all APIs work unmodified.

Q: What happens if authentication is disabled?ยถ

A: Metadata still works - created_by will be "anonymous" instead of a username.

Q: How much storage does metadata require?ยถ

A: Minimal - approximately 13 additional nullable text columns per entity.

Q: Can I disable metadata tracking?ยถ

A: Not currently - metadata is core to the audit system. All fields are optional and backwards compatible.

Q: How do I export metadata for compliance?ยถ

A: Use the standard export functionality - metadata is included in all entity exports.

This comprehensive metadata system provides enterprise-grade audit capabilities while maintaining full backwards compatibility and operational simplicity.