# MCP

<Message variant="red" title="Not production-ready">
  Be aware that when enabled, this endpoint does not require any authentication.
  Tools can be called by anyone. However, GraphQL requests still go through any
  configured authentication & authorization. Furthermore there is no header
  forwarding of any form, so any headers your subgraph expect should be
  hardcoded with a [header
  rule](/docs/reference/gateway/configuration/header-rules).
</Message>

The gateway can start an MCP server endpoint with:

```toml
[mcp]
enabled = true # defaults to false
# Path at which to expose the MCP service
path = "/mcp"
# Whether mutations can be executed
execute_mutations = false
```