MP-101 · Module 3

Security and Trust

3 min read

MCP gives AI models the ability to take real actions in the real world — reading files, querying databases, sending messages, modifying infrastructure. That power requires a security model that takes the risks seriously. The protocol addresses this at multiple layers: transport security, authentication, authorization, and user consent.

For remote servers, MCP uses OAuth 2.0 for authentication. The client redirects the user to the authorization endpoint, the user approves the requested permissions, and an access token is issued to the client, which presents it to the server on each request. This is the same flow you use when connecting a third-party app to your Google or GitHub account. The AI model never sees the user's credentials, and it does not hold the token either; the client does. The token's scopes limit what the model can do through that server, so request only the scopes the tools actually need. This is standard, well-understood security — not a new invention.

User consent is the final layer. MCP clients are designed to show the user exactly what an AI model wants to do before it does it. When the model wants to call a tool, the client shows the tool name and the parameters and asks for approval. This is why Claude Code and Claude Desktop show permission prompts — the human stays in the loop for sensitive operations. You can configure auto-approval for specific tools you trust, but the default is explicit consent for every action, and a tool that can delete or modify data should keep its prompt even when the rest of the server is trusted.

Do This

  • Use official servers from known organizations when available — GitHub's official server, not a random fork
  • Start with read-only servers before granting write access to any system
  • Review what tools a server exposes before connecting — use /mcp to inspect capabilities
  • Use scoped credentials with minimum necessary permissions when configuring server auth

Avoid This

  • Do not install MCP servers from untrusted sources without reviewing the code
  • Do not grant database write access through MCP for production databases without strict controls
  • Do not disable permission prompts for destructive tools — the consent flow exists for a reason
  • Do not share MCP configuration files that contain credentials or tokens
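A client-side consent policy that follows the two rules above (auto-approve only specific trusted tools; never silence the prompt for destructive ones), as an added example that is not code from this course or from any MCP client. The server name, the tool names and the allow-list are constructed; readOnlyHint and destructiveHint are the MCP spec's tool annotation fields from the tools/list result, and the policy treats them as untrusted hints that can only tighten a decision.

```python
"""Client-side consent gate for MCP tool calls (added example).
A call is auto-approved only if the operator allow-listed that (server, tool)
pair; annotations from the server's tools/list result are untrusted hints
that may only make a decision stricter, never loosen it."""
import json
from typing import Literal

Decision = Literal["auto", "prompt", "deny"]

# Constructed sample tools/list result, shaped like the MCP spec's response.
TOOLS_LIST_RESULT = json.loads("""
{"tools": [
  {"name": "search_issues", "inputSchema": {"type": "object"},
   "annotations": {"readOnlyHint": true}},
  {"name": "archive_repo", "inputSchema": {"type": "object"},
   "annotations": {"destructiveHint": true}},
  {"name": "run_query", "inputSchema": {"type": "object"}}
]}
""")

# Hypothetical operator policy: allow-listing is the only path to "auto".
AUTO_APPROVE = {("github", "search_issues"), ("github", "archive_repo")}


def index_tools(tools_list_result: dict) -> dict[str, dict]:
    """Map tool name -> annotations exactly as the server advertised them."""
    return {t["name"]: t.get("annotations", {}) for t in tools_list_result["tools"]}


def decide(server: str, tool: str, annotations: dict) -> Decision:
    """Tightening hints first, then the allow-list, then ask the user."""
    # A server's own destructive flag keeps the prompt even for an
    # allow-listed tool; the flag's absence grants nothing.
    if annotations.get("destructiveHint") is True:
        return "prompt"
    if (server, tool) in AUTO_APPROVE:
        return "auto"
    return "prompt"


def decide_call(server: str, tool: str, tools_list_result: dict) -> Decision:
    """Apply the policy to a server whose tool list has been inspected;
    a tool absent from tools/list is denied outright."""
    tools = index_tools(tools_list_result)
    if tool not in tools:
        return "deny"
    return decide(server, tool, tools[tool])
```

Note that a missing readOnlyHint never promotes a tool to auto-approval; only the operator's explicit allow-list does that, which is what keeps a misbehaving server from talking its way past the prompt.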