| title | Architecture Overview |
|---|---|
| description | Complete architectural overview of DeployStack's Control Plane / Data Plane system for enterprise MCP management |
| sidebar | Architecture |
| icon | Network |
import { Callout } from 'fumadocs-ui/components/callout'; import { Card, Cards } from 'fumadocs-ui/components/card'; import { Zap, Shield, Monitor, Cloud, Settings, Users } from 'lucide-react';
DeployStack transforms MCP from individual developer tools into enterprise-ready infrastructure through a sophisticated Control Plane / Satellite architecture. Our platform eliminates installation friction, provides secure credential management, and offers complete organizational visibility for teams of any size.
Traditional MCP implementation creates significant organizational challenges:
- Manual Setup: Developers spend hours configuring each MCP server with complex JSON files
- Environment Variables: API keys and tokens scattered across local
.envfiles and shell configurations - Inconsistent Environments: "Works on my machine" problems due to configuration drift across team members
- Credential Sprawl: API keys shared via Slack, email, or committed to version control
- Zero Visibility: Organizations have no insight into which MCP tools are being used or by whom
- No Access Control: Anyone can run any MCP server locally without oversight
- Onboarding Friction: New team members need days to set up all required MCP tools
- Tool Discovery: Developers waste time finding and configuring tools individually
- No Standardization: No central catalog or approved tool list for organizational use
DeployStack introduces a Control Plane / Satellite architecture that brings enterprise-grade management to the MCP ecosystem with zero installation friction through managed satellite infrastructure.
} title="Control Plane" > **cloud.deploystack.io** - Centralized management platform for teams, credentials, and MCP server configurations<Card icon={} title="Satellite Infrastructure"
**Global & Team Satellites** - Managed MCP infrastructure providing instant access with zero installation
<Card icon={} title="Developer Interface"
**Simple URL Configuration** - VS Code, Claude, and other MCP clients connect via HTTPS URL with OAuth
The cloud-based control plane provides centralized management for all MCP infrastructure:
- Role-Based Access Control: Define teams, roles, and permissions for MCP server access
- Centralized User Management: Single source of truth for team membership and access rights
- Policy Enforcement: Granular control over which teams can access which MCP servers
- Encrypted Storage: All API keys and tokens stored with enterprise-grade encryption
- Zero-Exposure Model: Developers never directly handle credentials
- Configuration Management: Store and manage all MCP server configurations including commands, arguments, and environment variables
- Version Control: Track changes to MCP server configurations over time (coming soon)
- Usage Analytics: Track which developers use which MCP servers and how frequently
- Cost Tracking: Monitor expensive API usage across teams and optimize spending
- Audit Trails: Complete logging of all MCP server interactions for compliance
The satellite infrastructure provides managed MCP services through two deployment models:
- Zero Installation: Access via simple HTTPS URL configuration
- Auto-Scaling: Handles traffic spikes automatically
- Multi-Region: Low-latency global availability
- Fully Featured: Complete MCP server access and team management
- On-Premise Deployment: Within corporate networks for internal resource access
- Complete Team Isolation: Linux namespaces and cgroups for security
- Internal Resources: Connect to company databases, APIs, file systems
- Enterprise Security: Full compliance and governance controls
- Standard OAuth Flow: Client credentials generated in dashboard
- Secure Token Exchange: Standard Bearer Token authentication
- Team-Aware Access: Credentials scoped to specific teams and permissions
- Zero Credential Storage: No local credential management required
- Developer creates OAuth client credentials in cloud.deploystack.io dashboard
- Client ID and Secret generated for secure satellite access
- No software installation or local authentication required
Simple URL Configuration:
{
"mcpServers": {
"deploystack": {
"url": "https://satellite.deploystack.io/mcp",
"oauth": {
"client_id": "deploystack_mcp_client_abc123def456ghi789",
"client_secret": "deploystack_mcp_secret_xyz789abc123def456ghi789jkl012"
}
}
}
}Connection Flow:
- OAuth Authentication: Client credentials validated against control plane
- Team Resolution: User's team memberships and permissions retrieved
- Tool Discovery: Available MCP tools based on team configuration
- Request Processing: All tool requests processed through managed satellite infrastructure
Client Request → OAuth Validation → Team Authorization → Satellite MCP Processing → Response
DeployStack implements enterprise-grade security across all components of the platform. For comprehensive security details including credential management, access control, and compliance features, see our Security Documentation.
Key security principles:
- OAuth Bearer Token Authentication: Standard OAuth flow with secure credential management
- Team Isolation: Complete separation between team resources and data
- Managed Infrastructure: Enterprise-grade security controls in satellite infrastructure
Unlike local installations, DeployStack uses managed satellite infrastructure:
- Instant Availability: All tools immediately available without local setup
- Auto-Scaling: Satellite infrastructure scales automatically with demand
- Global Distribution: Multiple regions for low-latency access worldwide
- Zero Maintenance: No local processes to manage or update
DeployStack implements sophisticated caching mechanisms in satellite infrastructure for optimal performance. Caching is managed transparently by the satellite infrastructure with no local configuration required.
- Real-Time Analytics: Live dashboard showing MCP server usage across the organization
- Cost Optimization: Track expensive API usage and identify optimization opportunities
- Resource Planning: Understand which tools drive the most value for different teams
- Audit Logging: Complete trails of all MCP server interactions
- Policy Enforcement: Centralized policies automatically enforced at the satellite level
- Access Reviews: Regular reviews of team access to sensitive MCP servers
- Centralized Updates: Push MCP server configuration changes to all team members
- Emergency Disable: Instantly disable problematic MCP servers across the organization
- Health Monitoring: Real-time monitoring of MCP server performance and availability
DeployStack supports multiple team memberships with instant context switching:
Team Switch Process (via dashboard):
- Select Team: Choose different team in cloud.deploystack.io dashboard
- Generate New OAuth Credentials: Create new client credentials for the team
- Update Configuration: Replace OAuth credentials in VS Code configuration
- Instant Access: New team's MCP tools immediately available
- Control Plane: Hosted at cloud.deploystack.io
- Satellite Infrastructure: Managed global satellites with optional team satellites
- Benefits: Zero installation friction, automatic updates, shared team configurations
- Control Plane: Deployed in customer's infrastructure
- Team Satellites: Customer-deployed satellites within corporate networks
- Benefits: Complete data sovereignty, custom compliance requirements, air-gapped environments
# Developer manually configures each MCP server
1. Find MCP server documentation
2. Install server individually (npm install @github/mcp)
3. Obtain API credentials from various sources
4. Configure complex JSON in VS Code settings
5. Debug configuration issues
6. Repeat for each team member# Zero installation setup for entire team
1. Register at cloud.deploystack.io
2. Create OAuth client credentials
3. Add URL to VS Code configuration
4. # Done! All authorized tools available immediatelyVS Code Configuration:
{
"mcpServers": {
"deploystack": {
"url": "https://satellite.deploystack.io/mcp",
"oauth": {
"client_id": "your_client_id",
"client_secret": "your_client_secret"
}
}
}
}- Infrastructure Health: Real-time status of satellite infrastructure
- Request Throughput: Performance metrics for tool usage
- Error Rates: Failure detection and automatic recovery
- Resource Usage: Satellite resource consumption and scaling
- Team Activity: Organization-wide usage patterns and trends
- Cost Analysis: API usage costs and optimization recommendations
- Security Events: Authentication, authorization, and policy violations
- Performance Analytics: Satellite performance across teams and regions
- Zero Installation: One URL configuration, then everything works
- Instant Access: All team tools immediately available
- Consistent Environment: Identical setup across all team members
- No Credential Management: OAuth handles all authentication securely
- Complete Visibility: Know what MCP tools are used, by whom, and how often (coming soon)
- Security Control: Centralized credential management and access policies
- Cost Optimization: Track and optimize expensive API usage (coming soon)
- Compliance Ready: Full audit trails and governance controls (coming soon)
- Central Management: Single dashboard for entire MCP ecosystem
- Policy Enforcement: Granular control over tool access by team and role
- Instant Deployment: Push configuration changes to all team members (coming soon)
- Operational Insights: Real-time monitoring and analytics (coming soon)
Next Steps: Explore our Quick Start Guide to experience the architecture in action, or dive into the Development Documentation to understand implementation details.

