# MCP Security

The Model Context Protocol (MCP) enables powerful tool access for AI agents. CapiscIO's MCP Guard brings trust infrastructure to MCP with two complementary specifications.

## The Problem

MCP servers expose powerful tools to autonomous agents: file systems, databases, APIs, code execution. But MCP itself doesn't define:
- Who is calling a tool (authentication)
- Whether they should have access (authorization)
- What happened for post-incident review (audit)
## The Solution: Two RFCs

MCP Guard implements two CapiscIO specifications:

### RFC-006: MCP Tool Authority and Evidence

Server-side protection. Define trust level requirements for individual tools.
```python
from capiscio_mcp import guard

# `db` is the application's own database handle; it is not provided by capiscio_mcp.


@guard(min_trust_level=2)
async def read_database(query: str) -> list[dict]:
    """Only Level 2+ agents can query the database."""
    return await db.execute(query)


@guard(min_trust_level=3)
async def write_database(table: str, data: dict) -> None:
    """Only Level 3+ (org-validated) agents can write."""
    return await db.insert(table, data)
```
Key features:
- Trust level enforcement: require a minimum verification level
- Evidence logging: cryptographic audit trail for every call
- Parameter hashing: PII-safe evidence records
- Async and sync: both decorator styles supported
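To make the three server-side properties concrete, here is an added stand-in for the guard (example code, not capiscio_mcp's own implementation): it enforces a minimum level, records evidence on both allow and deny, and stores only a hash of the tool parameters. The `caller` dict with `did` and `trust_level` fields is an assumption standing in for a verified badge.

```python
import functools
import hashlib
import json
from typing import Any, Callable

EVIDENCE: list[dict[str, Any]] = []  # in-memory audit trail for the demo


def hash_params(params: dict[str, Any]) -> str:
    """Hash canonical JSON of the parameters so evidence never stores raw values (PII-safe)."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def guard(min_trust_level: int) -> Callable:
    """Allow the call only if caller['trust_level'] >= min_trust_level; log evidence either way."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(caller: dict[str, Any], **params):
            level = int(caller.get("trust_level", 0))
            allowed = level >= min_trust_level
            EVIDENCE.append({
                "tool": fn.__name__,
                "caller": caller.get("did", "unknown"),
                "trust_level": level,
                "required": min_trust_level,
                "decision": "ALLOW" if allowed else "DENY",
                "params_sha256": hash_params(params),
            })
            if not allowed:
                raise PermissionError(
                    f"{fn.__name__} requires level {min_trust_level}, caller has {level}")
            return fn(**params)
        return wrapper
    return decorator


@guard(min_trust_level=2)
def read_database(query: str) -> list[dict]:
    return [{"row": 1, "query": query}]  # stand-in for a real query


@guard(min_trust_level=3)
def write_database(table: str, data: dict) -> bool:
    return True  # stand-in for a real insert


def demo() -> list[str]:
    """A Level-2 agent (constructed) may read but not write; both calls leave evidence."""
    agent = {"did": "did:web:agent.example.com", "trust_level": 2}
    read_database(agent, query="SELECT 1")
    try:
        write_database(agent, table="users", data={"email": "a@example.com"})
    except PermissionError:
        pass
    return [e["decision"] for e in EVIDENCE]
```

Note that the denied write still produces an evidence record, and the e-mail address passed to it never appears in the trail, only its parameter hash.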
### RFC-007: MCP Server Identity Disclosure

Client-side verification. Verify MCP server identity before connecting.
```python
from capiscio_mcp import verify_server, ServerState

# Runs inside an async context (e.g. the client's connect routine).
result = await verify_server(
    server_did="did:web:mcp.example.com",
    server_badge="eyJhbGc...",  # the server's badge (JWS); truncated here
    transport_origin="https://mcp.example.com",
)

if result.state == ServerState.VERIFIED_PRINCIPAL:
    print(f"Trusted server at Level {result.trust_level}")
else:
    print("Server identity not verified")
```
Key features:
- Server identity verification: confirm who you're connecting to
- Transport binding: verify the server controls the transport endpoint
- Trust level inspection: check the server's verification level
- Three states: `VERIFIED_PRINCIPAL`, `DECLARED_PRINCIPAL`, `UNVERIFIED_ORIGIN`
## How They Work Together

```text
                        MCP Security Flow

  MCP CLIENT                                      MCP SERVER
+---------------+                               +---------------+
|   Agent A     |                               |  File Tool    |
|   (Level 2)   |                               |   Server      |
+---------------+                               +---------------+
        |                                               |
        | 1. Verify server identity (RFC-007)           |
        |---------------------------------------------->|
        |                                               |
        | 2. Call tool with badge                       |
        |---------------------------------------------->|
        |                                               |
        |                          3. Guard evaluates   |
        |                             (RFC-006)         |
        |                                               v
        |                                       +---------------+
        |                                       |   @guard(2)   |
        |                                       |   -> ALLOW    |
        |                                       |   -> log audit|
        |                                       +---------------+
        |                                               |
        | 4. Return result                              |
        |<----------------------------------------------|
        |                                               |
```
- Client verifies server using RFC-007 before connecting
- Client calls tool with their trust badge attached
- Server guard evaluates the caller's trust level (RFC-006)
- Evidence logged regardless of allow/deny decision
## Trust Levels in MCP Context

| Level | Server Use | Client Use |
|---|---|---|
| 0 | Development servers | Anonymous tool access |
| 1 | Personal project servers | Registered agents |
| 2 | Production read-only tools | Domain-verified agents |
| 3 | Write operations | Org-verified agents |
| 4 | Admin tools | Enterprise agents |
## Next Steps

- Add `@guard` to your MCP server tools
- Implement server verification in your MCP client
- Set up cryptographic audit trails
- Complete MCP Guard API documentation