The Control Plane is where governance happens. It’s the single pane of glass for configuring policies, viewing audit logs, and managing access across your entire organization—regardless of how many gateways you deploy.
The Questions You Need to Answer Without centralized governance, your security team can’t answer basic questions:
Visibility
Which AI agents are employees using?
Which internal systems do those agents connect to?
What data flows through those connections?
Control
Is there an approval process for new integrations?
Can you revoke access across all agents at once?
Do you control which tools are available to which roles?
Compliance
Can you produce an audit log of all agent activity?
Are you confident PII isn’t flowing to model providers?
Do your DLP policies cover agent connections?
Incident Response
If credentials were compromised, what did the attacker access?
What did this agent do between 2pm and 4pm last Tuesday?
Could a departing employee exfiltrate data through agent integrations?
The Control Plane lets you answer all of these.
Architecture Hosting Options The Control Plane can be deployed wherever your organization requires:
Managed by Golf
Hosted and operated by Golf
Zero infrastructure management
Automatic updates and scaling
SOC 2 Type II compliant
Full on-premises deployment
Complete data residency control
Deploy to your cloud
Kubernetes deployment via Helm charts
Requirements:
PostgreSQL database
Redis cache
Kubernetes cluster
Both options provide identical functionality. Your gateways connect to the Control Plane URL you configure—whether that’s Golf Cloud or your own infrastructure.
Organizations Organizations are the top-level tenant boundary in Golf. Each organization has its own:
Gateways
MCP Servers
Identity Providers
Exporters
Members and RBAC groups
Member Roles Role Capabilities Owner Full access, cannot be removed from organization Admin Full access, can manage members and invitations Member Dev Portal access only
Gateway Manager The Gateway Manager handles the lifecycle of all gateway instances.
Gateway Lifecycle Status Description Pending Created but not yet activated Active Running and sending heartbeats Draining Graceful shutdown, rejecting new connections Stopped Intentionally deactivated Unresponsive Missed 3+ heartbeats (90s timeout)
Creating a Gateway
Navigate to Gateways > Create Gateway
Enter gateway name and external URL
Save the API key immediately (only shown once)
Configure gateway with ID, API key, and Control Plane URL
Save your API key immediately when creating a gateway. You won’t be able to view it again.
MCP Server Management Server Types Type When to Use In-house Servers managed by your organization Third party External servers requiring OAuth or API key authentication
Third-Party Server Authentication When MCP servers require authentication to external services (GitHub, Notion, Slack), Golf Gateway manages per-user credentials.
How It Works:
User clicks “Authorize” on a third-party server card in the Dev Portal
Gateway initiates OAuth flow with the external service
User grants permissions
Gateway stores encrypted access + refresh tokens
On each MCP request, gateway injects the user’s token
Credential Security:
Tokens are encrypted at rest and at transport
Per-user scoping: each user has their own credentials
Automatic token refresh when access tokens expire
Credentials never sent to client, only injected by gateway
Supported Auth Types: Type Description OAuth Full OAuth 2.0 flow, supports token refresh API Key User provides static API key, stored encrypted None Server doesn’t require authentication
For Developers (Dev Portal) The Dev Portal is where you discover available MCP servers and get connection instructions for your AI tools.
Finding and Connecting to Servers
Sign in to Golf Control Plane
Browse available servers on the MCP Servers page
Click a server to view its URL and capabilities
Copy the gateway URL to your MCP client configuration
You only see servers you have access to based on your group memberships. Contact your administrator if you need access to additional servers.
Troubleshooting
Server not appearing : Verify the gateway URL is correct, check that the server is enabled, restart your MCP clientAuthentication errors : Re-authorize the server through the OAuth flow or re-enter your API keyConnection timeouts : Check network connectivity to the gateway, verify gateway status is greenCan’t see expected servers : Server may need admin approval or be in a different organization
For Administrators (Admin Portal) The Admin Portal provides comprehensive tools to manage MCP servers, gateways, security policies, and monitor system activity.
Configuration Sections Section Purpose MCP Servers Add, configure, and manage MCP servers with RBAC and capability controls Gateways Deploy, monitor, and manage gateway instances Connections Configure data exporters and identity providers Settings Organization configuration, members, and default policies
Monitoring The Admin Portal provides three monitoring views:
Analytics : View usage metrics and system health including request volume, token consumption, error rates, and latency metrics.Security Incidents : Investigate detected security threats including prompt injection attempts, jailbreak attempts, and PII redaction events.Logs / Sessions : Search and investigate audit logs with graph view for MCP message flow visualization and timeline view for chronological events.Governance Capabilities Integration Inventory See every MCP server your organization uses:
Which gateways it’s assigned to
Which groups can access it
What capabilities it exposes
Access Control Enforce least privilege by default:
Server RBAC (which teams can access which servers)
Capability RBAC (which roles can use which tools)
Approval workflows for new integrations
Audit & Visibility Log every request across all gateways: you can see WHO did WHAT and WHERE.
Search and filter. Export to your SIEM. Answer auditor questions.
Policy Enforcement Golf Gateway uses a 3-layer policy hierarchy for flexible governance:
Layer Where Configured Scope Organization Control Plane > Settings > Policies All gateways & servers Gateway Control Plane > Gateway > Policies All servers on this gateway Server Control Plane > Server > Policies Single MCP server
