Ch 8 — Security, Authorization & OAuth

Protecting users, gating actions, and authenticating remote servers
Slide A: The Threat Model. Why MCP needs security at every layer.

  Threats: malicious servers, prompt injection, data leak
    -- mitigated by -->
  Defense layers: isolation, consent, least privilege
    -- enforced by -->
  Host: the security gatekeeper

Next: user consent, the human stays in control.
Slide B: User Consent. Humans approve sensitive actions before they happen.

  LLM wants: the model decides to call a tool
    -- asks -->
  User approves: the host shows what the tool will do
    -- then -->
  Executed: only after the user says yes

Next: tool annotations, metadata for consent decisions.
Slide C: Tool Annotations. Hints that help the host decide what needs consent.

  readOnlyHint     tool only reads, no side effects
  destructiveHint  tool may delete or modify data
  openWorldHint    tool interacts with external entities

Next: local vs remote, different security models.
Slide D: Local vs Remote Servers. Different trust levels require different security.

  Local (stdio)   runs on your machine, inherits your permissions
    vs
  Remote (HTTP)   runs elsewhere, needs authentication

Next: OAuth 2.1, authenticating with remote servers.
Slide E: OAuth 2.1 for Remote Servers. Standard authentication for HTTP-based MCP servers.

  User logs in: browser-based OAuth flow
    -- gets -->
  Access token: bearer token for API requests
    -- sent in -->
  Auth header: every HTTP request includes the token

Next: security principles, the big picture.
Slide F: Security Principles. The foundational rules of MCP security.

  Least privilege: minimum access needed
    +
  Defense in depth: multiple layers of protection
    +
  Human in the loop: user approves sensitive actions
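The host gatekeeper described in slides B through E, as an added example that is not code from this course or from any MCP SDK: it turns the three annotation hints from slide C, the stdio/HTTP distinction from slide D and the presence of an OAuth access token from slide E into an allow / ask / deny decision. The policy, the Tool and Decision types and the sample catalogue are assumptions made for this illustration; the conservative defaults for missing hints (not read-only, destructive, open-world) are the ones the MCP specification uses.

```python
from dataclasses import dataclass, field

@dataclass
class Tool:
    name: str
    transport: str                 # "stdio" = local server, "http" = remote server
    annotations: dict = field(default_factory=dict)

@dataclass
class Decision:
    action: str                    # "allow", "ask" or "deny"
    reason: str                    # what the host shows the user

def consent_decision(tool: Tool, args: dict, has_token: bool = False) -> Decision:
    """Host gatekeeper: may this call run without asking the user?

    Annotations are hints supplied by the server, so they are untrusted:
    a missing hint is read with the conservative default (not read-only,
    destructive, open-world) and contradictory hints are never trusted.
    """
    a = tool.annotations
    read_only = a.get("readOnlyHint", False)
    destructive = a.get("destructiveHint", True)
    open_world = a.get("openWorldHint", True)
    if tool.transport == "http" and not has_token:
        return Decision("deny", f"{tool.name}: remote server, no OAuth access token")
    if read_only and destructive:
        return Decision("ask", f"{tool.name}: contradictory hints, treat as unsafe")
    if destructive:
        return Decision("ask", f"{tool.name} may modify or delete data: {args}")
    if open_world:
        return Decision("ask", f"{tool.name} talks to external entities: {args}")
    if read_only:
        return Decision("allow", f"{tool.name} is read-only with no external reach")
    return Decision("ask", f"{tool.name} has side effects: {args}")

# Constructed sample catalogue for this example (not from any real server).
SAMPLE_TOOLS = [
    Tool("list_files", "stdio", {"readOnlyHint": True, "destructiveHint": False, "openWorldHint": False}),
    Tool("delete_file", "stdio", {"readOnlyHint": False, "destructiveHint": True, "openWorldHint": False}),
    Tool("web_search", "http", {"readOnlyHint": True, "destructiveHint": False, "openWorldHint": True}),
    Tool("mystery", "stdio"),      # server sent no annotations at all
]

def run_samples(has_token: bool) -> dict:
    """Map each sample tool name to the host's action for one call."""
    return {t.name: consent_decision(t, {"path": "/tmp/x"}, has_token).action for t in SAMPLE_TOOLS}

if __name__ == "__main__":
    for t in SAMPLE_TOOLS:
        d = consent_decision(t, {"path": "/tmp/x"}, has_token=True)
        print(f"{d.action:5} {d.reason}")
```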