Arcade MCP vs Unified.to MCP: which one is easier to self-host and pass a security review?

Most teams comparing Arcade MCP and Unified.to MCP are trying to answer two questions: can we run this on our own infrastructure, and will our security team sign off without a fight? The short version: both approaches can work, but Arcade’s MCP runtime and open-source servers are purpose-built for self-hosting, zero token exposure to LLMs, and enterprise controls, whereas Unified.to’s strengths are on the “unified API” side, not on deep authorization models for multi-user agents.

Quick Answer: Arcade MCP is generally easier to self-host and easier to walk through a security review if your priority is secure, multi-user AI agents acting across systems like Google Workspace, Slack, GitHub, and Salesforce. Unified.to can complement this as a unified data/API layer, but it isn’t a drop-in replacement for an MCP runtime with user-level authorization, auditability, and air-gapped deployment options.

Frequently Asked Questions

Which is easier to self-host for MCP: Arcade or Unified.to?

Short Answer: Arcade MCP is easier to self-host end to end because it gives you an open-source MCP server framework (arcade-mcp), a CLI (arcade new …, uv run server.py), and a managed runtime you can mirror in your own cloud, VPC, or on‑premise environment. Unified.to can be self-hosted at the API layer, but doesn’t give you a full MCP-native runtime focused on multi-user agent authorization.

Expanded Explanation:
Arcade is designed as the MCP runtime between AI and action. That means you can run:

  • Open-source MCP servers locally or on your own infra (MIT-licensed, offline-friendly).
  • Arcade’s hosted runtime, or deploy the same patterns inside your VPC/on‑prem, with managed secrets and tenant isolation.

The self-hosting path is intentionally low-ceremony:

# Install the MCP server framework
uv tool install arcade-mcp

# Create a new MCP server
arcade new my_server
cd my_server

# Run it locally
uv run server.py

Servers are just Python projects you own. You decide where to run them (laptop, Kubernetes, air‑gapped network), and Arcade’s runtime connects to them via MCP—compatible with Cursor, Claude, LangGraph, and more.

Unified.to, by contrast, is fundamentally a unified API for SaaS integrations. You can run its components self-hosted, but you’ll still need to build:

  • The MCP server that exposes Unified.to as structured tools.
  • The authorization model so agents act with user-specific permissions, not a monolithic service account.
  • A runtime that keeps tokens out of the LLM and enforces permission gates.

Key Takeaways:

  • Arcade gives you a self-hostable MCP server framework and runtime designed for agents from day one.
  • Unified.to is a strong SaaS abstraction layer, but you’ll still be building the MCP runtime and auth story yourself.

How do self-hosting and deployment look different between Arcade MCP and Unified.to MCP?

Short Answer: With Arcade, self-hosting looks like running MCP servers and the Arcade runtime in your own environment (cloud/VPC/on‑prem/air‑gapped) using a standard pattern; with Unified.to, you’re self-hosting an API layer and then bolting on your own MCP server and agent runtime around it.

Expanded Explanation:
Think of the stack in layers:

  • Layer 1: Tools / Integrations (Google, Slack, Salesforce, etc.)
  • Layer 2: Runtime / Authorization (who can do what, with which tokens)
  • Layer 3: Agent / Client (Claude, Cursor, LangGraph, custom apps)

Arcade ships the Layer 2 runtime and an open-source framework for Layer 1 tools, all MCP-native. You can:

  • Run tools locally with uv run server.py (fully local and offline-friendly).
  • Use .env locally and managed secrets in production.
  • Attach those MCP servers to your favorite IDEs and clients with arcade configure.
  • Deploy Arcade’s runtime in your cloud, VPC, or on-prem and keep all credentials inside your boundary.

A minimal self-hosted path looks like:

  1. Sign up for Arcade and decide: fully hosted, VPC, or on‑prem.
  2. Install the arcade-mcp CLI and scaffold an MCP server (arcade new my_server).
  3. Deploy the MCP server (Docker, Kubernetes, bare metal) and point Arcade’s runtime at it.

Unified.to’s self-hosting path is different:

  1. Deploy Unified.to as a unified API (again, Docker/Kubernetes).
  2. Write an MCP server that wraps Unified.to’s endpoints as tools (e.g., CRM.ListContacts, Email.Send).
  3. Implement your own runtime that:
    • Manages OAuth flows and token refresh.
    • Maps end users to Unified.to connections.
    • Ensures tokens never leak into the LLM.
    • Logs and governs tool calls.

Steps:

  1. Decide what “self-hosted” really means for you (VPC-only vs true on‑prem vs air‑gapped).
  2. Map your layers: tools, runtime, agents.
  3. With Arcade, use arcade-mcp + the Arcade runtime to cover tools and runtime; with Unified.to, be prepared to build and maintain that runtime yourself.

How do Arcade MCP and Unified.to MCP compare on security review readiness?

Short Answer: Arcade MCP tends to be easier to pass a security review because it centers on user-specific authorization, scoped OAuth, zero token exposure to LLMs, RBAC/SSO/SAML, and audit logs. Unified.to can be secured, but you’ll need to design and document most of that yourself.

Expanded Explanation:
Security reviews for AI agents focus on the ugly questions:

  • Whose permissions does the agent use?
  • Where are the tokens stored?
  • Can the LLM ever see, leak, or exfiltrate secrets?
  • What happens when someone leaves the company?
  • Can we see who did what, when?

Arcade’s posture is built for this:

  • User-specific permissions, not service accounts. Agents act as the actual user, with their scopes and group memberships.
  • Scoped OAuth and IDP integration. OAuth flows and SSO/SAML tie straight into your identity provider.
  • Zero token exposure to LLMs. The LLM never sees credentials; tokens are injected at runtime inside Arcade’s MCP runtime.
  • Audit logs and governance. Every tool call (e.g., Google.SendEmail, Google.CreateEvent, Gmail.ListEmails, Slack.PostMessage) can be traced and controlled.
  • Tenant isolation and RBAC. Clear boundaries between teams and environments.

This is why teams like LangChain describe Arcade as what “makes MCP enterprise-ready… connects to identity providers, enforces agent authorization,” and why security-focused teams like Snyk call out the “sweet spot between AI, auth, and developer experience.”

Unified.to’s security advantages are at the unified API layer—consistent API keys, some token handling, and scopes for connected apps. But in a security review for agents, you’ll need to explain:

  • How your MCP server enforces user-level auth instead of a single integration account.
  • How you isolate tokens and prevent the LLM from ever handling them.
  • Where logs live, how long you retain them, and how you respond to “right to be forgotten” and offboarding.
  • How RBAC applies across agents, tools, and environments.

Comparison Snapshot:

  • Arcade MCP: Authorization-focused runtime with user-specific permissions, zero token exposure to LLMs, audit trails, RBAC/SSO/SAML, and flexible deployment (cloud, VPC, on‑prem, air‑gapped).
  • Unified.to MCP (DIY): Unified integration API that you can wrap with MCP, but you must implement your own runtime, auth model, token isolation, and governance.
  • Best for:
    • Arcade: teams shipping multi-user, action-taking agents that must survive security reviews and scale.
    • Unified.to + custom MCP: teams primarily solving “too many SaaS APIs” and willing to own the agent runtime and security model.

How would I actually implement a self-hosted, security-review-ready setup with Arcade MCP?

Short Answer: You’d use Arcade as your MCP runtime, deploy your MCP servers where you want (local, VPC, on‑prem), plug into your OAuth/IDP flows, and let Arcade handle user-specific authorization, token storage, and audit logging.

Expanded Explanation:
The goal is straightforward: let agents send emails, create calendar events, touch CRM data, and post to Slack, without ever handing them raw tokens or over-privileged service accounts.

With Arcade, the implementation usually looks like this:

  • MCP servers as your integration layer. Use arcade new to spin up servers that expose tools like Google.SendEmail, Gmail.ListEmails, Slack.PostMessage, Salesforce.UpdateRecord.

  • Arcade runtime as the authorization gate. Use SDK patterns like:

    const session = await client.auth.start({ userId: currentUser.id });
    await client.auth.wait_for_completion(session.id);
    

    Once a user completes OAuth/SSO, the agent can call tools, but only with their scopes.

  • Secrets and tokens never touch the LLM. Arcade stores tokens in managed secrets or your own secret manager. Tokens are injected server-side when tools are executed; the model only sees structured input/output.

  • Deploy where your security team is comfortable. Cloud, your own VPC, on‑prem, or fully air‑gapped. Evals can run locally (BYOC—bring your own credentials), and the open-source MCP servers are MIT-licensed, so there’s no vendor lock-in.
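
The runtime duties listed earlier for a DIY wrapper (map users to connections, keep tokens away from the LLM, log tool calls) and the server-side token injection described above can be sketched as one authorization gate. This is an added example, not Arcade's or Unified.to's code; the vault, tool registry, function names and token values are all hypothetical and constructed for illustration.

```python
import json
import time

# Constructed sample vault: per-user grants held server-side only (hypothetical data).
VAULT = {
    "alice": {"token": "tok-alice-CONSTRUCTED", "scopes": {"gmail.send", "gmail.read"}},
    "bob": {"token": "tok-bob-CONSTRUCTED", "scopes": {"gmail.read"}},
}
AUDIT_LOG = []  # in-memory for this sketch; production would use durable, append-only storage
SECRET_KEYS = {"token", "access_token", "refresh_token", "authorization"}


def send_email(token, to, subject):
    """Stand-in for a provider call: the token is consumed here and never returned."""
    return {"status": "sent", "to": to, "subject": subject}


# Hypothetical registry: tool name -> (required scope, implementation)
TOOLS = {"Google.SendEmail": ("gmail.send", send_email)}


def execute_tool(user_id, tool_name, model_args):
    """Run a model-requested tool call as user_id and return only model-safe output."""
    record = {"ts": time.time(), "user": user_id, "tool": tool_name, "decision": "deny"}
    try:
        # The model supplies business arguments only; credential-like keys are refused.
        if SECRET_KEYS & {k.lower() for k in model_args}:
            raise PermissionError("credential fields are not accepted from the model")
        scope, impl = TOOLS[tool_name]
        grant = VAULT.get(user_id)
        if grant is None or scope not in grant["scopes"]:
            raise PermissionError(f"{user_id} lacks scope {scope}")
        result = impl(grant["token"], **model_args)  # token injected server-side
        if grant["token"] in json.dumps(result):  # checked before anything reaches the LLM
            raise RuntimeError("tool output contained a credential")
        record["decision"] = "allow"
        return {"ok": True, "result": result}
    except (PermissionError, KeyError, TypeError, RuntimeError) as exc:
        record["reason"] = str(exc)
        return {"ok": False, "error": str(exc)}
    finally:
        AUDIT_LOG.append(record)  # every call is logged, allowed or denied
```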

What You Need:

  • An Arcade account and the arcade-mcp CLI to scaffold and run MCP servers.
  • Access to your OAuth providers / IDP (Google Workspace, Okta, Azure AD, etc.) and a deployment target (Kubernetes, VMs, or on‑prem servers) that your security team already trusts.

Strategically, when should I choose Arcade MCP over Unified.to MCP (or combine them)?

Short Answer: Choose Arcade MCP when your main challenge is getting multi-user agents safely from “chat to action” across real systems with clean authorization; consider pairing Arcade with Unified.to when your main pain is juggling dozens of SaaS APIs but you still want Arcade’s runtime and security model to govern agent actions.

Expanded Explanation:
Most “agent projects” don’t fail because the LLM is dumb; they fail because auth is brittle:

  • Service accounts don’t match real user permissions.
  • Refresh tokens break in production.
  • Security teams veto rollouts when there’s no authorization model or audit trail.

Arcade is opinionated about this: your agents are only as good as your tools and the runtime enforcing authorization. Its MCP runtime plus agent-optimized tools turn “our agent can talk about doing things” into “our agent can safely take actions in Gmail, Calendar, Slack, GitHub, HubSpot, Salesforce, and Linear—under the user’s identity, with a clear audit trail.”

Unified.to fits in a different strategic role: it normalizes APIs across SaaS platforms. If you already rely on Unified.to to simplify integration sprawl, you can:

  • Keep using Unified.to as your API abstraction.
  • Wrap it with MCP servers built using Arcade’s framework.
  • Let Arcade’s runtime handle user-specific permissions, token isolation, RBAC, SSO/SAML, and observability.

Why It Matters:

  • Picking the right MCP runtime determines whether you can move from hacky demos to production agents that survive security, compliance, and scale.
  • A clean authorization model (user-specific permissions, scoped OAuth, zero token exposure, audit logs) avoids re-building the same brittle auth layer every time you add a new tool or agent.

Quick Recap

If your question is “Arcade MCP vs Unified.to MCP: which one is easier to self-host and pass a security review?” the practical answer is: Arcade. It gives you an MCP runtime designed for agents, an open-source MCP server framework, and all the enterprise controls—user-specific permissions, scoped OAuth, zero token exposure to LLMs, audit logs, RBAC/SSO/SAML, and deployment flexibility across cloud, VPC, on‑prem, and air‑gapped. Unified.to can still play a valuable role as a unified API behind your tools, but you’ll be building and defending your own runtime and security story, which is usually where projects bog down.
