Deploy Anthropic MCP Tunnels in Production

With MCP Tunnels + Stacklok:

  • Connect every Claude agent (Code, Cowork, Design, etc.) to your internal resources
  • More context, smarter actions, real results
  • Outbound-only connections, zero firewall holes
  • Triple-layered encryption built in

MCP Tunnels give Claude a clean path into your network. Stacklok governs what happens once the traffic arrives.

— Craig McLuckie, Stacklok CEO

Anthropic MCP Tunnels solve connectivity. Stacklok’s control plane is the essential complement when you’re deploying MCP Tunnels in production.

Capability                 | Anthropic-Only
Identity & authentication  | Per-developer token management
Access control             | None. All users see all MCP servers
Observability              | No audit logs or health checks
AI gateway                 | None

Frequently asked questions

Anthropic MCP Tunnels create outbound-only encrypted connections between Claude agents (Claude Code, Claude Cowork, and others) and internal enterprise resources. Because the connection is outbound-only with three layers of encryption, organizations can give Claude agents access to internal systems without opening inbound holes in their firewall.

Anthropic MCP Tunnels handles connectivity and encryption. It does not include identity federation, access control, audit logging, or policy enforcement. Each developer manages their own token, and all users see all MCP servers. For production deployments, enterprises require a control plane layer to fill these gaps.

Stacklok adds the enterprise control plane that MCP Tunnels does not provide: IdP integration with Okta, Entra, and Keycloak for per-user identity; RBAC via the vMCP layer so access is defined by role, not by individual token; full audit logs and health checks; and policy-as-code enforcement for agent-to-model flows. Stacklok governs what happens once tunnel traffic arrives in your environment.

Yes. Stacklok’s embedded authorization server integrates with OIDC/OAuth-compatible identity providers including Okta, Microsoft Entra ID, Keycloak, and Google. This replaces per-developer token management with centralized, IdP-issued identity, enforced per request through the vMCP access control layer.

Anthropic MCP Tunnels can be deployed without Stacklok for simple use cases. However, organizations with compliance requirements, multiple users, or sensitive internal resources will encounter gaps in access control, observability, and audit logging that Tunnels alone does not address. Stacklok fills those gaps and is designed specifically for production-grade MCP Tunnel deployments at enterprise scale.