# Golf Control Plane

> Single pane of glass for configuring policies, viewing audit logs, and managing access across your organization

The Control Plane is where governance happens. It's the single pane of glass for configuring policies, viewing audit logs, and managing access across your entire organization—regardless of how many gateways you deploy.

## The Questions You Need to Answer

Without centralized governance, your security team can't answer basic questions:

<CardGroup cols={2}>
  <Card title="Visibility" icon="eye">
    * Which AI agents are employees using?
    * Which internal systems do those agents connect to?
    * What data flows through those connections?
  </Card>

  <Card title="Control" icon="sliders">
    * Is there an approval process for new integrations?
    * Can you revoke access across all agents at once?
    * Do you control which tools are available to which roles?
  </Card>

  <Card title="Compliance" icon="clipboard-check">
    * Can you produce an audit log of all agent activity?
    * Are you confident PII isn't flowing to model providers?
    * Do your DLP policies cover agent connections?
  </Card>

  <Card title="Incident Response" icon="siren">
    * If credentials were compromised, what did the attacker access?
    * What did this agent do between 2pm and 4pm last Tuesday?
    * Could a departing employee exfiltrate data through agent integrations?
  </Card>
</CardGroup>

The Control Plane lets you answer all of these.

## Architecture

<Frame>
  <img src="https://mintcdn.com/authed/6poinvANZd41oWSN/images/control-plane.png?fit=max&auto=format&n=6poinvANZd41oWSN&q=85&s=a67f586d1ca76b623c25575d096b105d" alt="Control Plane architecture: Admin/Dev Portal connects to API, which manages Database and Config Distribution to multiple Gateways" width="1886" height="1482" data-path="images/control-plane.png" />
</Frame>

## Hosting Options

The Control Plane can be deployed wherever your organization requires:

<Tabs>
  <Tab title="Golf Cloud">
    **Managed by Golf**

    * Hosted and operated by Golf
    * Zero infrastructure management
    * Automatic updates and scaling
    * SOC 2 Type II compliant
  </Tab>

  <Tab title="Self-Hosted">
    **Full on-premises deployment**

    * Complete data residency control
    * Deploy to your cloud
    * Kubernetes deployment via Helm charts

    **Requirements:**

    * PostgreSQL database
    * Redis cache
    * Kubernetes cluster
  </Tab>
</Tabs>

Both options provide identical functionality. Your gateways connect to the Control Plane URL you configure—whether that's Golf Cloud or your own infrastructure.

## Organizations

Organizations are the top-level tenant boundary in Golf. Each organization has its own:

* Gateways
* MCP Servers
* Identity Providers
* Exporters
* Members and RBAC groups

### Member Roles

| Role   | Capabilities                                     |
| ------ | ------------------------------------------------ |
| Owner  | Full access, cannot be removed from organization |
| Admin  | Full access, can manage members and invitations  |
| Member | Dev Portal access only                           |

## Gateway Manager

The Gateway Manager handles the lifecycle of all gateway instances.

### Gateway Lifecycle

| Status       | Description                                  |
| ------------ | -------------------------------------------- |
| Pending      | Created but not yet activated                |
| Active       | Running and sending heartbeats               |
| Draining     | Graceful shutdown, rejecting new connections |
| Stopped      | Intentionally deactivated                    |
| Unresponsive | Missed 3+ heartbeats (90s timeout)           |

### Creating a Gateway

1. Navigate to Gateways > Create Gateway
2. Enter gateway name and external URL
3. Save the API key immediately (only shown once)
4. Configure gateway with ID, API key, and Control Plane URL

<Warning>
  Save your API key immediately when creating a gateway. You won't be able to view it again.
</Warning>

## MCP Server Management

### Server Types

| Type        | When to Use                                                |
| ----------- | ---------------------------------------------------------- |
| In-house    | Servers managed by your organization                       |
| Third party | External servers requiring OAuth or API key authentication |

### Third-Party Server Authentication

When MCP servers require authentication to external services (GitHub, Notion, Slack), Golf Gateway manages per-user credentials.

**How It Works:**

1. User clicks "Authorize" on a third-party server card in the Dev Portal
2. Gateway initiates OAuth flow with the external service
3. User grants permissions
4. Gateway stores encrypted access + refresh tokens
5. On each MCP request, gateway injects the user's token

**Credential Security:**

* Tokens are encrypted at rest and in transit
* Per-user scoping: each user has their own credentials
* Automatic token refresh when access tokens expire
* Credentials never sent to client, only injected by gateway
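
How steps 4 and 5 and the rules above fit together at request time, as an added example that is not Golf's code. `TokenVault`, `build_upstream_headers`, `scrub_response_headers` and the `refresher` callback are hypothetical names, and encryption at rest is left out of the sketch.

```python
import time
from dataclasses import dataclass

@dataclass
class Credential:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds

class TokenVault:
    """Hypothetical per-user store. Values are plaintext here; encrypt them at rest in practice."""
    def __init__(self, refresher):
        self._creds = {}             # (user_id, server) -> Credential
        self._refresher = refresher  # assumed: refresh_token -> (access, refresh, ttl_seconds)

    def store(self, user_id, server, cred):
        self._creds[(user_id, server)] = cred

    def access_token(self, user_id, server, now=None):
        now = time.time() if now is None else now
        cred = self._creds.get((user_id, server))
        if cred is None:  # per-user scoping: no fallback to a shared or other user's token
            raise PermissionError(f"{user_id} has not authorized {server}")
        if cred.expires_at - now < 30:  # refresh shortly before expiry
            access, refresh, ttl = self._refresher(cred.refresh_token)
            cred = Credential(access, refresh, now + ttl)
            self._creds[(user_id, server)] = cred
        return cred.access_token

def build_upstream_headers(vault, user_id, server, client_headers, now=None):
    """Discard client-supplied auth headers, then inject the authenticated user's token."""
    blocked = {"authorization", "proxy-authorization"}
    headers = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    headers["Authorization"] = "Bearer " + vault.access_token(user_id, server, now)
    return headers

def scrub_response_headers(upstream_headers):
    """Keep upstream credentials from reaching the MCP client."""
    blocked = {"authorization", "set-cookie"}
    return {k: v for k, v in upstream_headers.items() if k.lower() not in blocked}

if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    vault = TokenVault(lambda rt: ("fresh-access", "fresh-refresh", 3600))
    vault.store("bob", "github", Credential("bob-access", "bob-refresh", time.time() + 5))
    print(build_upstream_headers(vault, "bob", "github", {"Authorization": "Bearer spoofed"}))
```

`user_id` must come from the gateway's own authenticated session, never from a header or parameter the client controls.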

**Supported Auth Types:**

| Type    | Description                                    |
| ------- | ---------------------------------------------- |
| OAuth   | Full OAuth 2.0 flow, supports token refresh    |
| API Key | User provides static API key, stored encrypted |
| None    | Server doesn't require authentication          |

## For Developers (Dev Portal)

The Dev Portal is where you discover available MCP servers and get connection instructions for your AI tools.

### Finding and Connecting to Servers

1. Sign in to Golf Control Plane
2. Browse available servers on the **MCP Servers** page
3. Click a server to view its URL and capabilities
4. Copy the gateway URL to your MCP client configuration

<Note>
  You only see servers you have access to based on your group memberships. Contact your administrator if you need access to additional servers.
</Note>

### Troubleshooting

* **Server not appearing**: Verify the gateway URL is correct, check that the server is enabled, restart your MCP client
* **Authentication errors**: Re-authorize the server through the OAuth flow or re-enter your API key
* **Connection timeouts**: Check network connectivity to the gateway, verify gateway status is green
* **Can't see expected servers**: Server may need admin approval or be in a different organization

## For Administrators (Admin Portal)

The Admin Portal provides comprehensive tools to manage MCP servers, gateways, security policies, and monitor system activity.

### Configuration Sections

| Section     | Purpose                                                                  |
| ----------- | ------------------------------------------------------------------------ |
| MCP Servers | Add, configure, and manage MCP servers with RBAC and capability controls |
| Gateways    | Deploy, monitor, and manage gateway instances                            |
| Connections | Configure data exporters and identity providers                          |
| Settings    | Organization configuration, members, and default policies                |

### Monitoring

The Admin Portal provides three monitoring views:

**Analytics**: View usage metrics and system health including request volume, token consumption, error rates, and latency metrics.

**Security Incidents**: Investigate detected security threats including prompt injection attempts, jailbreak attempts, and PII redaction events.

**Audit Logs**: Search and investigate audit logs with graph view for MCP message flow visualization and timeline view for chronological events.

## Governance Capabilities

### Integration Inventory

See every MCP server your organization uses:

* Which gateways it's assigned to
* Which groups can access it
* What capabilities it exposes

### Access Control

Enforce least privilege by default:

* Server RBAC (which teams can access which servers)
* Capability RBAC (which roles can use which tools)
* Approval workflows for new integrations

### Audit & Visibility

Log every request across all gateways: you can see WHO did WHAT and WHERE.

Search and filter. Export to your SIEM. Answer auditor questions.

### Policy Enforcement

Golf Gateway uses a 3-layer policy hierarchy for flexible governance:

| Layer            | Where Configured                    | Scope                       |
| ---------------- | ----------------------------------- | --------------------------- |
| **Organization** | Control Plane > Settings > Policies | All gateways & servers      |
| **Gateway**      | Control Plane > Gateway > Policies  | All servers on this gateway |
| **Server**       | Control Plane > Server > Policies   | Single MCP server           |

## Related

* [Gateway](/gateway/overview/golf-gateway) - The runtime component that routes traffic
* [Deploy in Centralized Mode](/gateway/guides/getting-started/deploy-control-plane) - Setup guide
