Security & Privacy

Even though there are known vulnerabilities with the protocol, the addition of remote MCP server authentication will push its adoption in Corporate-level applications.

Protocol Revision: 2025-03-26 adds OAuth 2.1 to the MCP protocol: See Authorization - Model Context Protocol and OAuth 2.0 Authorization Server Metadata (RFC8414) is used for the client to discover the identity provider that the MCP server is using. All official frameworks are starting to implement the support for OAuth 2.1.

However, Authentication remains challenging in a multi agent scenario where 1 remote agent is an autonomous agent (with no user context) or works in a multi-tenant system.

• See Authorization - Model Context Protocol
• See Diving Into the MCP Authorization Specification
• How should an MCP client know what scopes to request during the OAuth flow? Specification (.well-known/oauth-authorization-server MCP server endpoint) has the scopes_supported field but this is not at the tool function level?
• See Diving Into the MCP Authorization Specification

There are also several known vulnerabilities:

• See Security Best Practices - Model Context Protocol
• Prompt injection/corruption
• Tool poisoning: [Session] Securing MCP in an Agentic World with Arjun Sambamoorthy from Cisco

Ultimately it is about trusting the MCP servers that we want to use:

Can we have a Market Place ecosystem to guarantee some level of trust?