DeployStack Architecture

Understanding how DeployStack manages MCP servers at scale with Control Plane, Satellite Infrastructure, and hierarchical token optimization.

System Architecture

How DeployStack Works

Three-tier architecture: MCP Clients connect to Satellites for execution, while the Control Plane manages configuration, teams, and monitoring

Control Plane

cloud.deploystack.io

Team Management
  • OAuth 2.1 authentication
  • Role-based access control
  • Team & user isolation
MCP Catalog
  • Official registry sync
  • Team & global servers
  • Version management
Configuration
  • 3-tier config system
  • Encrypted credential vault
  • Per-user customization
Monitoring
  • Usage analytics
  • Real-time satellite health
  • Audit logging

DeployStack Satellite

Edge execution infrastructure

stdio MCP Servers (running as subprocesses)
  • filesystem-team-alice-abc123
  • context7-team-alice-abc123
  • postgres-team-bob-xyz789
HTTP/SSE Servers (proxied remote endpoints)
  • github.com/api
  • slack.com/api
  • figma.com/api
Per-user instance isolation (each user gets their own process)
Hierarchical router: 2 meta-tools (discover, execute)
OAuth token validation & team/user context resolution

MCP Clients

VS Code, Claude Desktop, Cursor, etc.

Connect via MCP Protocol (SSE, Streamable HTTP)
Authenticate with OAuth 2.1 tokens
See only 2 meta-tools (hierarchical router)
1. MCP Clients Connect

VS Code, Claude Desktop, or any MCP client connects to the satellite via standard MCP protocol over HTTPS. No local processes, no installation required.

2. Satellite Executes

Each user gets isolated MCP server processes with merged configuration. The hierarchical router exposes 2 meta-tools instead of hundreds, saving 95%+ of context window.

3. Control Plane Manages

Backend coordinates everything: team management, MCP catalog, configuration delivery, credential encryption, and real-time monitoring across all satellites.

Control Plane (cloud.deploystack.io)

Centralized management platform for all satellite infrastructure.

Team & User Management

Role-based access control

Comprehensive team and user management with role-based access control and OAuth2 authentication.

Satellite Registration

Global and team satellites

Manages both global satellites (operated by DeployStack) and team satellites (customer-deployed).

MCP Server Catalog

Approved servers and configurations

Centralized catalog of approved MCP servers and configurations available across all satellites.

Secure Credential Vault

Encrypted API keys and secrets

Stores encrypted API keys and environment variables for secure satellite deployment.

MCP Usage Analytics

Track tool usage across organization

Tracks which tools are used, by whom, and how often across your organization.

Token Usage Monitoring

Context window optimization

Shows context window consumption per team and user for optimization insights.

Real-Time Monitoring

Satellite health and performance

Provides satellite health, process status, and performance metrics in real-time.

Audit Logging

Complete compliance trails

Complete audit trails of all MCP tool interactions for compliance and security.

Satellite Infrastructure (Edge Execution)

Managed MCP server infrastructure with flexible deployment options.

Per-User Instance Isolation

Private MCP server processes

Each team member gets their own MCP server process with an independent lifecycle (e.g., filesystem-team-alice-abc123, context7-team-bob-xyz789). A crash in your instance doesn't affect teammates, and your configuration remains completely private.

Enterprise Data Security

Complete data sovereignty

Deploy satellites inside your corporate network for complete data sovereignty. Internal databases, APIs, and file systems never leave your network. Data stays within your security perimeter while MCP servers run on your infrastructure with full compliance.

Hierarchical Router Pattern

95%+ token reduction

Instead of exposing 100+ tools that consume 75,000 tokens, satellites expose just 2 meta-tools (discover_mcp_tools, execute_mcp_tool), reducing context window consumption by 95%+ while maintaining full functionality.

Dual Transport Support

stdio and HTTP/SSE protocols

stdio subprocess servers run locally on the satellite with process isolation (filesystem, postgres, context7), while HTTP/SSE remote servers are proxied to external endpoints (GitHub API, Slack API, Figma API) with credential injection.

Deploy Anywhere

Cloud, on-premise, or local

Satellites can run in the cloud (managed by DeployStack), on-premise within your corporate network, or even on individual client machines. Think of them like GitHub Actions runners, but for MCP servers.

Global & Team Satellites

Flexible deployment options

Choose DeployStack-operated satellites that serve all teams with complete resource isolation, or customer-deployed satellites within corporate networks for accessing internal databases, APIs, and file systems not exposed to the internet.

Zero Installation Access

Standard HTTPS endpoints

Standard HTTPS endpoints, just add a URL to VS Code. No CLI tools, no local processes, no port management. Automatic scaling, health monitoring, and idle process management (inactive processes terminated after 3 minutes, respawned on-demand).

Traditionally, MCP servers run locally on the developer's PC. DeployStack shifts this execution to managed servers - our 'Satellites'. Just like GitHub Actions doesn't run code locally but on GitHub runners, we don't run MCP servers locally but on our Satellite infrastructure. This provides instant access without installation friction while enabling enterprise-grade security, per-user isolation, and organizational visibility.

How It All Connects

This creates instant MCP access without installation friction while providing enterprise-grade security, per-user isolation, and organizational visibility.

Satellite Registration & Polling

Satellites register with the backend and poll it for configuration updates and commands.

OAuth 2.1 Authentication

Users authenticate with the backend and access satellites with JWT tokens that carry team and user context.

Direct MCP Access

VS Code connects via HTTPS; the hierarchical router exposes 2 meta-tools and routes each call to the user's own instance.

Usage Analytics & Monitoring

Satellites report usage data, process health, and audit logs to the backend.

Enterprise Data Security

Team satellites deployed in corporate networks keep sensitive data isolated without internet exposure.

Token Optimization

Solving the Context Window Problem

When you install 10 MCP servers with 15 tools each, that's 150 tools consuming around 75,000 tokens - 37.5% of your context window gone before you start working. LLM accuracy drops significantly after 20-40 tools are loaded. Cursor enforces a 40-tool hard limit for this reason.

This creates a fundamental scaling problem: the more MCP servers you add, the worse your AI coding assistant performs. Teams hit this wall fast, forced to choose between breadth (many servers) and depth (AI effectiveness).

DeployStack's hierarchical router solves this by reducing token consumption by 95%+. Instead of loading 150 tools into context, we expose just 2 meta-tools: discover_mcp_tools and execute_mcp_tool. That drops consumption from 75,000 tokens to around 1,400 tokens.

This means you can scale from 3 to 100+ MCP servers without hitting performance walls or tool limits. The hierarchical router is fully operational and available today.
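An added illustration of the two-meta-tool router and per-user instance routing described above, not DeployStack's own code: the caller's team and user come only from an already-validated token, and both meta-tools are scoped to that caller's instances. The class names, the `server:tool` path format and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Caller:
    """Team/user context, taken only from an already-validated OAuth token."""
    team: str
    user: str

@dataclass
class Instance:
    """One per-user MCP server process: tool name -> (description, handler)."""
    server: str
    owner: Caller
    tools: dict = field(default_factory=dict)

class HierarchicalRouter:
    def __init__(self):
        self._instances = {}  # (team, user, server) -> Instance

    def register(self, inst):
        self._instances[(inst.owner.team, inst.owner.user, inst.server)] = inst

    def discover_mcp_tools(self, caller, query):
        """Meta-tool 1: search only the caller's own instances."""
        q = query.lower()
        return sorted(
            f"{inst.server}:{name}"
            for inst in self._instances.values() if inst.owner == caller
            for name, (desc, _) in inst.tools.items()
            if q in name.lower() or q in desc.lower())

    def execute_mcp_tool(self, caller, tool_path, arguments):
        """Meta-tool 2: the instance key comes from the token, not the arguments."""
        server, _, name = tool_path.partition(":")
        inst = self._instances.get((caller.team, caller.user, server))
        if inst is None or name not in inst.tools:
            raise PermissionError(f"{tool_path} is not available to this caller")
        return inst.tools[name][1](**arguments)

def build_demo():
    """Constructed sample: two users on different teams, same server name."""
    alice, bob = Caller("team-a", "alice"), Caller("team-b", "bob")
    router = HierarchicalRouter()
    for who in (alice, bob):
        router.register(Instance("filesystem", who, {"read_file": (
            "Read a file from the workspace",
            lambda path, w=who: f"{w.user}:{path}")}))
    router.register(Instance("postgres", bob, {"run_query": (
        "Run a SQL query", lambda sql: f"rows for {sql}")}))
    return router, alice, bob
```

Because the lookup key is built from the token's context, a tool that exists only in another user's instance fails the same way as a tool that does not exist at all.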

Token Reduction: 95%+
Tools Exposed: 2
Original Consumption: 75K
New Consumption: 1.4K