Three integrations, one job
Want your enterprise knowledge in Claude AND ChatGPT AND your IDE? Three custom integrations. Three rate limit configs. Three audit trails. Three places to update when the schema changes.
Developers · MCP · 8 tools · 240+ inbound servers
Katonic speaks Model Context Protocol both ways. Eight tools out to Claude Desktop, ChatGPT, and Cursor. The same gateway calls 240+ external servers.
Whichever way the call flows, governance fires. The protocol changes - the controls don't.
8 Katonic tools exposed · 240+ external servers reachable · stdio, SSE and HTTP transports · Same governance both ways
OpenAI function calling. Claude tools. Gemini extensions. Every model provider invents their own tool format. Each one wants you to wrap your enterprise data behind a different glue layer. Same business logic, three integrations. No shared audit. No shared governance. Three places to break when you need to revoke access.
Most ad-hoc tool integrations skip permissions, skip audit, skip safety checks. The chatbot can answer questions because the tool ran with elevated privileges. The compliance review never sees the tool calls.
Pulling MCP tools from the public internet means fetching code from somewhere unknown. No allow-list. No version pinning. No security scan. Your agents end up calling untrusted servers with your data.
External AI systems use Katonic as a tool source - chat with our agents, search our knowledge, generate documents. Our agents use external systems as tool sources - hit Salesforce, file a Jira, post to Slack. Both directions speak the same protocol. Both directions hit the same governance.
Katonic publishes 8 MCP tools that any compliant client can call. Claude Desktop, ChatGPT with custom GPTs, Cursor, your team's internal agent platform - they all see the same Katonic capabilities. Configure once in Katonic, every client gets the update.
WHAT EXTERNAL CLIENTS CAN DO
Connect Katonic to 240+ MCP tool servers covering Salesforce, Jira, GitHub, Slack, Snowflake, and more. Your agents browse a curated catalogue, request approval where needed, and call tools through a governance proxy that enforces policy and audits every call.
WHAT YOUR AGENTS CAN DO
Both directions go through the governance proxy: identity check, policy match, PII scan, approval routing, audit log. Doesn't matter if Claude Desktop is asking your agent for HR data or your agent is asking Salesforce for an account record. The controls fire either way.
Eight tools cover what external agents actually need: talk to a Katonic agent, search knowledge, create documents, analyse data, discover what's available, evaluate quality, and call governed tools. Pure protocol translation. No new business logic behind them.
Manage the 8 tools Katonic exposes at /developer/mcp. Browse the 240 external MCP servers Katonic can consume at /marketplace/mcp-servers. Test any tool live before exposing it.
MCP Server
Katonic as an MCP server. 8 tools exposed to any external AI agent (Claude Desktop, Copilot Studio, OpenAI Assistants).
https://app.your-org.katonic.ai/mcp/sse?token=kapi_live_b71d...
Auth via API key. Same key used for the Public API. Same scopes apply. Works with any MCP-compatible client.
Tool calls today: 55,311 (across 8 tools)
Connected clients: 23 (Claude Desktop · 18)
Governance pass: 100% (all calls audited)
P95 latency: 184ms (tool execution + governance)
Exposed tools · 8
katonic_chat · GOVERNED · Chat with a published agent
katonic_knowledge_search · GOVERNED · Permission-aware knowledge search
katonic_create_document · Generate document from natural language
katonic_analyze_data · GOVERNED · Query data, generate charts, run SQL
katonic_list_agents · List published agents with descriptions
katonic_run_evaluation · Trigger an agent evaluation run
katonic_search_tools · Discover available tools on the platform
katonic_execute_tool · GOVERNED · Execute a governed tool
/developer/mcp and /marketplace/mcp-servers in your sandbox today. The 8 exposed tools, the 240+ catalog, the live test bench - same chrome, real data.
An employee using Claude Desktop asks a question that needs enterprise context. Claude reaches for the Katonic MCP tool, the tool runs as that employee, the knowledge engine filters by their source permissions, the answer comes back with citations, and your audit log records the call - just like it does when the same employee uses Workroom in the browser.
Q3 added two changes to the remote work policy in HR-2024-08 amendment:
[1] HR-2024-08 amendment · p.1 · [2] HR FAQ · International Remote · Confluence
STEP 01 · IDENTITY
caller: Claude Desktop (mcp_key_8a3...)
acting as: sarah@your-org
permissions: HR group, Legal group
STEP 02 · TOOL DISPATCH
tool: katonic_knowledge_search
policy match: rbac.search_internal
verdict: ✓ ALLOW
STEP 03 · KNOWLEDGE ENGINE
hybrid search · 3 docs returned
filter: sarah's source permissions applied
top result: HR-2024-08 (0.94)
STEP 04 · GUARDRAILS
output check: 8/8 rails pass
PII: scrubbed · safety: clean · grounding: ✓
STEP 05 · AUDIT WRITTEN
trace_id: 7c3f9a2b...
Same audit table the UI writes to.
Source: mcp/claude-desktop
The auditor asks: "How do we know employees aren't using Claude Desktop to bypass our HR data controls?" Answer: every tool call records the source (mcp/claude-desktop), the acting user identity, the policy that matched, the result document IDs, and the trace ID. Filterable in the same audit log as everything else.
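The trace above, reduced to a sketch you can run. This is an added example, not Katonic's code: the key strings, tables and function names are hypothetical, the sample data is constructed, and the output guardrails of step 04 are left out. It shows the two properties the auditor's question depends on: the key decides who the call runs as, and an audit row with the source is written whether the call is allowed or denied.

```python
import uuid

# Constructed sample data; every name below is hypothetical, not a Katonic API.
KEYS = {  # MCP key -> (acting user, groups, client source label)
    "mcp_key_EXAMPLE_SARAH": ("sarah@your-org", {"HR", "Legal"}, "mcp/claude-desktop"),
    "mcp_key_EXAMPLE_TOM": ("tom@your-org", {"Engineering"}, "mcp/claude-desktop"),
}
POLICY = {"katonic_knowledge_search": "rbac.search_internal"}  # tool -> matching policy
DOCS = [  # (doc id, group allowed to read the source, text)
    ("HR-2024-08", "HR", "remote work policy amendment"),
    ("ENG-RUNBOOK-1", "Engineering", "remote access runbook"),
]
AUDIT = []  # stands in for the shared audit table


def handle_call(key, tool, query):
    """Run one tool call through identity, policy, filtered search and audit."""
    row = {"trace_id": uuid.uuid4().hex, "tool": tool, "user": None,
           "source": None, "policy": None, "verdict": "DENY", "doc_ids": []}
    try:
        # Step 1, identity: the key alone decides who the call runs as.
        if key not in KEYS:
            return row
        user, groups, source = KEYS[key]
        row.update(user=user, source=source)
        # Step 2, tool dispatch: no matching policy means the call is denied.
        policy = POLICY.get(tool)
        if policy is None:
            return row
        row.update(policy=policy, verdict="ALLOW")
        # Step 3, search: filter by the caller's source permissions before matching.
        row["doc_ids"] = [doc_id for doc_id, group, text in DOCS
                          if group in groups and query.lower() in text]
        return row
    finally:
        # Step 5, audit: written for allowed and denied calls alike.
        AUDIT.append(dict(row))


def audit_by_source(source):
    """The auditor's filter: every recorded call from one client source."""
    return [r for r in AUDIT if r["source"] == source]
```

Calls with an unknown key are recorded with no source or user, so a source filter will not show them; query for a null user to review those separately.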
An external AI client connects to mcp.your-org.katonic.ai with a key. The protocol negotiation reveals the 8 tools available. The AI picks the right tool based on the user's request. The call goes through governance, gets an audit trace, and the result comes back. Five steps, all standard MCP.
The five steps · annotated
The MCP server isn't a separate path with separate controls. It's a protocol translation layer in front of the same governance proxy. Anything you can do in the UI, with the controls that govern it, you can also do via MCP - with the same controls, in the same audit, against the same approvals queue.
The MCP key is bound to a user. Every tool call runs as that user. Permissions on knowledge sources are enforced per-call.
The same policy engine that gates UI tool calls also gates MCP tool calls. Same six actions × five risk levels.
Eight rail types check responses before they leave Katonic. Whether the response goes to the Workroom or to Claude Desktop, the rails fire.
Every MCP call gets a trace_id that links to the same audit table as the UI. Filter by source to see all MCP traffic separately if needed.
MCP keys carry their own rate limits. Claude Desktop usage doesn't compete with the chat widget's quota.
High-risk tool calls (writes, deletes, sends) route through the same approval queue regardless of caller. Manager approves once.
How do we let internal users use Claude Desktop without leaking data?
Connect Claude Desktop to the Katonic MCP server. Each user gets their own scoped key. Knowledge searches run with their permissions. Data they're not authorized to see never reaches Claude. Audit logs every tool call by user.
Can I expose my custom tool through this?
Yes. Register your tool in the platform - URL, schema, auth. It joins the catalogue of 240+ external tools your agents can call, and it shows up under katonic_search_tools so external AI clients can discover it too. Same governance applies.
What stops Claude Desktop from calling random tool servers?
An allow-list. Your team approves which external MCP servers your agents can reach. Unknown servers are blocked at the gateway. Outbound calls are logged with the same trace IDs as inbound, so you can correlate.
Same audit log as the UI?
Same audit table, same schema, same retention. Each row records the source - whether the call came from Workroom, Claude Desktop, ChatGPT, or your CI pipeline. Filter the audit log by source to slice MCP traffic specifically.
N integrations. N audit logs. Forever.
Build a custom Claude tool, a custom GPT, a Cursor extension. Each one has its own auth, its own rate limits, its own glue layer. Same business logic, three implementations. Update breaks two of them.
Free tools. Unknown supply chain.
Pull MCP servers from the public ecosystem. Most don't respect enterprise permissions. None integrate with your audit. No version pinning, no allow-list, no security scan. Your data flows through whoever wrote them.
Same protocol. Same governance. Day one.
8 tools expose every Katonic capability. 240+ vetted external tool servers reachable from your agents. Bidirectional, governed, audited. Same proxy, same trace IDs, same audit log as the UI.
Three years from now, every AI client will speak Model Context Protocol. The companies that built around proprietary tool formats will be the ones doing rewrites. We bet early on MCP because the alternative was custom plumbing per client, custom audit per integration, and custom governance for each one. The protocol is the bet. Governance is the moat.
Sandbox access in 24 hours. Comes with an MCP key, copy-paste config for Claude Desktop, and a sample agent that exercises three of the eight tools so you can see the audit log update in real time.
Same controls. Different protocol. Both governed.
