Introduction
As we all know, MCP has become the standard for connecting AI agents to external tools, APIs, and data sources. It enables a new class of systems in which language models interact directly with real-world environments. Knowing the risks, however, isn’t enough.
MCP systems fail not because teams don’t know about attacks, but because they don’t implement enforcement layers correctly.
Let’s fix that.
The core principle
The LLM decides. The system enforces.
Never let the model directly execute anything.
The production-grade architecture
1. Identity Layer (OAuth + DPoP)
Tokens should include:
- User identity
- Scoped permissions
- Proof of possession
This ensures:
- Tokens can’t be reused
- Identity is verifiable
2. Permission Layer — RBAC + Scoped Access
Define roles:
- Admin → full access
- Analyst → read-only
- Support → limited tools
Map roles → tool permissions.
3. Tool Registry (Critical)
Each tool must have:
- Canonical ID (not just name)
- Approved manifest
- Stored hash
Tools are never discovered dynamically; they are only ever allowlisted.
4. Tool Gateway (The most important component)
Before ANY tool executes:
- Validate user token
- Check tool allowlist
- Verify manifest hash
- Match scope → tool
If any check fails:
Block execution
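The gateway checks above, together with the registry from section 3, as an added example (not code from the original post): a minimal Python gate that runs the four checks in order and blocks on the first failure. The registry contents, scope name, token fields and DPoP thumbprint values are constructed sample data; the `cnf_jkt` field stands in for the proof-of-possession binding a real DPoP-bound token would carry.

```python
import hashlib
import json
import time
from dataclasses import dataclass


def manifest_hash(manifest: dict) -> str:
    """Hash of the canonical JSON form of a tool manifest (sort keys so ordering can't change the hash)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample registry: canonical tool ID -> approved manifest hash and the scope that unlocks it.
APPROVED_MANIFEST = {"id": "tools.tickets.read", "version": "1.2.0", "args": ["ticket_id"]}
REGISTRY = {
    "tools.tickets.read": {"hash": manifest_hash(APPROVED_MANIFEST), "scope": "tickets:read"},
}


@dataclass(frozen=True)
class Token:
    sub: str             # user identity
    scopes: frozenset    # scoped permissions
    exp: float           # expiry, unix time
    cnf_jkt: str         # thumbprint of the key the token is bound to (proof of possession)


def gate(token: Token, presented_jkt: str, tool_id: str, manifest: dict, now=None) -> tuple:
    """Return (allowed, reason). The first failing check blocks execution; nothing runs on a denial."""
    now = time.time() if now is None else now
    # 1. Validate the user token: unexpired and presented with the key it is bound to.
    if token.exp <= now:
        return False, "token expired"
    if token.cnf_jkt != presented_jkt:
        return False, "token not bound to presenting key"
    # 2. The tool must be on the allowlist, looked up by canonical ID rather than display name.
    entry = REGISTRY.get(tool_id)
    if entry is None:
        return False, "tool not allowlisted"
    # 3. The manifest the tool presents now must match the hash approved at registration.
    if manifest_hash(manifest) != entry["hash"]:
        return False, "manifest hash mismatch"
    # 4. The caller's scopes must include the scope mapped to this tool.
    if entry["scope"] not in token.scopes:
        return False, "scope missing"
    return True, "allowed"
```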
5. Request-Scoped Tokens
Never use:
- Long-lived service credentials
Instead:
- Generate short-lived tokens per request
- Scoped to exact permissions needed
This prevents:
- Confused deputy attacks
6. Per-Hop Authentication
In agent chains:
- Every hop must re-authenticate
- No trust inheritance
- A new scoped token
7. Input & Output Validation
Treat everything as untrusted:
- User input
- Tool output
- External data
Sanitize it before feeding it back to the model.
8. Sandboxed Tool Execution
Each tool:
- Runs in isolation
- Has restricted network access
- Uses short-lived credentials
- Has execution time limits
9. Observability
Log everything:
- Tool calls
- Inputs/outputs
- User identity
- Execution results
Do this asynchronously.
10. Rate Limiting & Cost Controls
Limit:
- Per user
- Per tool
- Per tenant
Track:
- Token usage
- Execution cost
The architecture in one line
The model suggests actions. The system verifies and enforces them.
