Wiring a tool to an agent stopped being interesting a year ago. The Model Context Protocol standardized how a tool announces itself and how a model calls it; function-calling is in every SDK. So if the hard part is solved, why did Arcade just raise a $60M Series A on tool-calling, and why did Composio raise $25M on integrations?
Because the call was never the hard part. The hard part is the login. An agent that can call the Gmail API is useless until it can call it as a specific user — with that user's consent, a scoped and revocable token, and a credential the language model is never allowed to see. MCP standardized the handshake. It said almost nothing about the trust. That gap is the product.
What MCP punted on
Base MCP shipped with no built-in authentication at all. The June 2025 spec reclassified MCP servers as OAuth 2.1 Resource Servers and required clients to use Resource Indicators (RFC 8707) so a token is scoped to one server and can't be replayed against another. That closed part of the hole. But two things stayed open: an agent acting on its own behalf, and a clean on-behalf-of-user flow where a human logs in through a browser and the credential never passes through the model.
The tell that auth was MCP's unsolved problem: the canonical fix for it — the November 2025 URL Elicitation OAuth flow — was co-authored by Arcade and Anthropic, not shipped in the base protocol.
That is the space these three platforms occupy. None of them is merely a gateway routing servers someone else built; they provide the integrations and own the credential vault. They just make very different bets about how much of that you run yourself.
Composio: the open-source catalog with a vault
Composio is the most-adopted of the three and the most open. The core is MIT-licensed and sits around 29k stars (28.9k on 2026-06-23), with a managed cloud on top.
Its auth model is "connected accounts": when a user authorizes an app, Composio stores that user's OAuth tokens against your user ID and hands the agent a scoped, revocable, per-user credential instead of one master key. It runs the OAuth flows, refresh, rotation, and revocation, encrypts at rest, and carries SOC 2 Type II. The catalog is the other half of the pitch — a company-claimed 850–1,000+ toolkits and 500+ managed MCP servers — which is really a bet on maintenance: keeping the Salesforce connector working as Salesforce's API drifts is a cost MCP never addressed. Composio is the pick when you want the biggest catalog and an open core you can read.
Arcade: auth is the entire thesis
Arcade is the purest auth play, and it is the one to study if you want to understand the category. It calls itself the MCP runtime for production agents, and its architecture is organized around a single rule: the model must never see or perform the credential exchange.
When the agent calls a tool, it sends a high-level request to the Arcade Engine. The Engine checks whether the user granted the required scopes; if not, it runs the OAuth2 flow with the provider, injects the credential server-side, and returns only the response payload to the model. The secret lives in the runtime, never in the prompt or the agent code. Founder Alex Salazar's framing is that without this, teams "are forced to choose between dangerous super-user access or limiting AI to public data" — and that dichotomy is exactly what the vault dissolves.
The honest caveat: the MIT framework is open, but the Engine that does the auth magic is the commercial product (self-hostable in your VPC, but proprietary). You're buying the runtime, not just the SDK. Arcade is the pick when authenticating as a specific human is the problem — and the Arcade+Anthropic URL Elicitation SEP that patched MCP's own auth gap is the strongest evidence they understand it better than anyone.
Toolhouse: the hosted end of the spectrum
Toolhouse optimizes for a different verb: ship. It's an agentic backend-as-a-service — describe an agent in natural language, deploy it on their cloud in one click, and call its 1,000+ integrations (claimed, via MCP servers). It is the most convenient of the three and the least open: its public repos are client SDKs and examples (the Python SDK is in the low double-digit stars), not the platform itself. On auth specifically, I could not verify a dedicated per-user token-vault product the way Composio and Arcade document one — it bundles auth into the managed cloud, but don't credit it with vaulting depth it hasn't published. Toolhouse is the pick when you want hosted agents fast and the auth layer is a convenience, not the point.
How to choose
The spectrum is openness-against-convenience, and it maps cleanly: Composio if you want an open core and the broadest catalog, Arcade if acting on behalf of a user with the model walled off from the secret is the whole job, Toolhouse if you want a hosted backend and one-click deploy. The decision underneath all three is how much you trust a third party with your users' tokens — a self-hostable Engine and an open core read very differently than a hosted black box when the credential in the vault is your customer's Gmail.
And keep the layers straight: this is not the same problem as governing servers someone else built. If you're routing and securing a fleet of existing MCP servers, that's the MCP gateway decision; if you're weighing the protocol against raw tool definitions, that's MCP vs function calling. These three sit one layer lower — they are where the agent actually logs in as you.
