Problem Statement
As a platform developer integrating with MCP, we've encountered challenges around tool authentication and authorization. While our platform handles high-level access control, we need a standardized way for tools to manage their own security requirements, especially for privileged operations like Git pushes or database queries.
Current Challenges
- Tools often have their own auth requirements (tokens, roles, etc.)
- No standard way to pass user/team identity to tools
- Each tool requires custom auth integration
- Difficult to handle fine-grained permissions within tools
Potential Solutions
1. Auth Protocol Extension
Add standardized JSON-RPC methods to handle authentication between clients and tool servers. This would allow platforms to manage authentication state consistently.
2. Auth Metadata Standard
Define a standard structure in request metadata for passing authentication and identity information to tools. This could include user tokens, identifiers, and team context.
3. Scope Declaration
Enable tools to declare their required permission scopes in metadata, allowing platforms to validate access before attempting operations.
Discussion Points
-
Token Format: Should MCP recommend specific formats (JWT/OAuth2) or stay format-agnostic?
-
Error Handling: Could standardize on HTTP-style codes (401/403) for auth failures
-
Implementation: Optional but standardized auth layer vs tool-specific approaches
Use Cases
In our platform, we need to:
- Pass user identity to tools for permission checks
- Cache auth tokens when possible
- Handle tool-specific login flows
- Support team-based access control
Would love to hear the community's thoughts on standardizing these patterns within MCP.
Problem Statement
As a platform developer integrating with MCP, we've encountered challenges around tool authentication and authorization. While our platform handles high-level access control, we need a standardized way for tools to manage their own security requirements, especially for privileged operations like Git pushes or database queries.
Current Challenges
Potential Solutions
1. Auth Protocol Extension
Add standardized JSON-RPC methods to handle authentication between clients and tool servers. This would allow platforms to manage authentication state consistently.
2. Auth Metadata Standard
Define a standard structure in request metadata for passing authentication and identity information to tools. This could include user tokens, identifiers, and team context.
3. Scope Declaration
Enable tools to declare their required permission scopes in metadata, allowing platforms to validate access before attempting operations.
Discussion Points
Token Format: Should MCP recommend specific formats (JWT/OAuth2) or stay format-agnostic?
Error Handling: Could standardize on HTTP-style codes (401/403) for auth failures
Implementation: Optional but standardized auth layer vs tool-specific approaches
Use Cases
In our platform, we need to:
Would love to hear the community's thoughts on standardizing these patterns within MCP.