# Curate the tools an upstream exposes

<CurateToolsPicker
  mode="portal"
  alternateLink="/mcp-gateway/how-to/curate-tools-local"
/>

When an upstream MCP server exposes more capabilities than belong in front of an
AI client, curate the subset that passes through. In the Portal, the **MCP
Gateway Virtual Server** wizard does this on its **Tools** step: choose
**Curate** instead of **Passthrough** and pick exactly what to expose. The
wizard writes an `mcp-capability-filter-inbound` policy and attaches it to the
route for you.

For the conceptual model behind capability filtering, including what it filters
and how projections work, see
[Capability filtering](../capability-filtering.mdx).

Prefer working in code? The [code version](./curate-tools-local.mdx) configures
the same policy directly in your project files.

## Curate on the Tools step

The **Tools** step appears while you add or edit an MCP Gateway Virtual Server.
For a full walkthrough of creating one, see the
[Portal quickstart](../quickstart.mdx).

1. **Open the Virtual Server wizard.** On the **Code** tab, click **Add Route**
   and choose **MCP Gateway Virtual Server**, then work through the wizard to
   the **Tools** step. (To curate an existing server, open its route and reopen
   the wizard.)

2. **Choose Curate.** The Tools step offers two modes:
   - **Passthrough** federates the upstream's full catalog live. Zero config,
     and the safest default when you want to expose everything.
   - **Curate** lets you select the specific tools, prompts, and resources to
     expose. Everything you don't select is hidden from clients.

   Select **Curate**.

   <ModalScreenshot size="md">

   ![Choose Passthrough or Curate on the Tools step](../../../public/media/mcp-gateway-quickstart/04-tools.png)

   </ModalScreenshot>

3. **Pick what to expose.** Choosing Curate prompts you to sign in to the
   upstream service so the wizard can read its catalog. After you sign in, the
   **Upstream catalog** lists the upstream's tools, prompts, and resources,
   grouped by category (for example, a **Read-only** group for tools that don't
   modify state), each with its description and a checkbox.

   Clear the checkbox next to anything clients shouldn't see, or toggle a whole
   group at once with its group checkbox. For example, keep the **Read-only**
   group and clear the write or destructive tools. Anything left unselected is
   blocked at the gateway.

   <ModalScreenshot size="md">

   ![Curate the upstream catalog by selecting tools to expose](../../../public/media/mcp-gateway-quickstart/07-curate-tools.png)

   </ModalScreenshot>

4. **Finish the wizard and save.** The wizard adds the
   `mcp-capability-filter-inbound` policy to `config/policies.json` and wires it
   into the route. **Save** the project to deploy the change.

:::note

Passthrough needs no upstream sign-in, since it federates the catalog live
instead of reading it up front.

:::

## What curation does at the gateway

Only what you select is exposed. Clients can't see or call anything else, so
unselected tools are blocked at the gateway before the request reaches the
upstream.

## Go further in code

The wizard covers the common case: pick what to expose. For finer control, edit
the generated `mcp-capability-filter-inbound` policy directly. In code you can
also:

- **Override a tool's description or annotations** while keeping the upstream's
  schemas and name.
- **Re-project a resource's** downstream-facing `name`, `description`, or
  `mimeType`.
- **Block an entire capability type** as a temporary kill switch.

See the [code version](./curate-tools-local.mdx) for these projections and the
full policy reference.

## Verify the filter

After saving (and the deploy completes), confirm the filter is active:

1. Connect a test client (the [MCP Inspector](../test-clients.mdx#mcp-inspector)
   is the fastest option) to the curated route.
2. Call `tools/list`. Only the tools you selected should appear.
3. Call `tools/call` with a tool you didn't select. The gateway returns a
   JSON-RPC `MethodNotFound` error before the request reaches the upstream.

If a tool you expected is missing, reopen the wizard's Tools step and confirm it
is selected.

## Related

- [Curate tools in code](./curate-tools-local.mdx): configure the policy
  directly, with description and annotation overrides.
- [Capability filtering](../capability-filtering.mdx): the conceptual model
  behind curation.
- [Portal quickstart](../quickstart.mdx): create a Virtual Server end to end.
- [Connect a gateway to an upstream OAuth provider](./connect-upstream-oauth.mdx):
  pair curation with per-user upstream OAuth.