Key Points
- 53% of deployed MCP servers still rely on insecure long-lived API keys, even though the MCP specification mandates OAuth 2.1 with PKCE for HTTP-based transports .
- MCP introduces attack surfaces that traditional API security does not address.Tool descriptions that reach the model's context window are an active attack vector.
- Hardening an MCP server requires controls at four distinct layers: transport, identity, authorization, and application.No single layer is sufficient on its own.
AI teams are deploying new capabilities at a rapid speed, and many security operations are struggling to keep up. In many cases, AI developers now ship MCP servers into production faster than security teams can audit them. This creates vulnerabilities that can lead to significant issues down the line.
The Model Context Protocol (MCP) gives AI agents access to tools, data sources, and APIs. When those servers are misconfigured, that access extends to attackers too. A compromised MCP server does not just expose data. It can silently manipulate what an AI agent does, believes, and reports to users.
This guide covers MCP server security and the process of MCP server hardening. We’ll talk about MCP access control, securing MCP servers, and how authentication and authorization work in the current MCP specification. We’ll also explain how transport security applies at each deployment boundary, what attack vectors specifically target MCP servers, and what a hardened production deployment looks like.
What Is MCP Server Security?
Model Context Protocol (MCP) is an open standard, originally developed by Anthropic and now maintained by the broader AI ecosystem, that defines how AI agents connect to external tools and data sources. An MCP server delivers capabilities, or tools. that an AI client (such as Claude, or a custom agent) can invoke. Those capabilities, or tools, might include querying a database, calling an external API, reading files, or executing code.
MCP server security refers to the controls that govern who can connect to an MCP server, what they are allowed to do once connected, how communications are protected in transit, and how the server defends against manipulation or abuse of its tools.
This is not a simple extension of standard API security. MCP introduces a structural difference: tool descriptions and responses flow into the model’s context window. That means attacks targeting tool metadata, not just data payloads, can influence AI behavior directly.
The current MCP specification version is 2025-11-25. The June 2025 update formalized OAuth 2.1 as the authentication standard for HTTP-based transports and classified MCP servers as OAuth Resource Servers under RFC 8707. These changes are the baseline for any production deployment.
How MCP Server Authentication Works
Authentication answers one question: is this client who they claim to be? In MCP, the answer depends on transport type.
Stdio Transport: Local Processes
An MCP server typically communicates over stdio (Standard Input/Output) when the client and server run as processes on the same machine. For stdio transport, authentication relies on the OS-level process boundary.
The host application (such as Claude Desktop) launches the server as a child process. Access control is handled by the host, not by the MCP server itself.
stdio does not require OAuth. But it does require that the host application is hardened and that servers launched this way run with the minimum privileges needed.
HTTP-Based Transports: Remote Servers
For any MCP server reachable over a network, including Streamable HTTP and the older SSE transport, the MCP specification mandates OAuth 2.1 with PKCE (RFC 7636). This applies to any server the client connects to over HTTP, regardless of whether the deployment is on a public network or an internal one.
The June 2025 spec update added two requirements that matter for security:
- MCP servers are OAuth Resource Servers. They expose a /.well-known/oauth-protected-resource metadata endpoint. Clients use this to discover the authorization server and supported scopes before requesting tokens.
- Clients must implement Resource Indicators (RFC 8707). When requesting an access token, the client specifies the target MCP server URL as the resource parameter. The authorization server issues a token audience-bound to that server. A stolen token cannot be replayed against a different MCP server, or else the audience check fails.
The OAuth 2.1 flow for MCP
The Oath 2.1 flow for MCP acts as a transport-level security mechanism, rather than a transport. Here’s how it works.
- Discovery. The MCP client calls /.well-known/oauth-protected-resource on the server to retrieve the authorization server metadata.
- Authorization request. The client redirects the user or agent to the authorization server with response_type=code, code_challenge (PKCE), and resource (the MCP server URL).
- Code exchange. After authorization, the client exchanges the code for an access token using code_verifier. There is no implicit flow andno client credentials without PKCE.
- Token use. The client includes the access token as a Bearer token in each MCP request. The MCP server validates the token signature, expiry, and audience claim.
- Refresh. Short-lived access tokens are refreshed using a refresh token without requiring the user to re-authorize.
This flow means the MCP server itself never handles the user’s credentials. The authorization server does. That separation is the point.
Transport Security: TLS, mTLS, and Trust Boundaries
Authentication establishes identity of the user or AI agent seeking access to the MCP server. Transport security protects the channel carrying that identity across a network.
Transport Layer Security (TLS), Mutual Transport Layer Security (mTLS), and trust boundaries are all critical elements in the authentication process. Here’s how to set them up.
TLS 1.3 for All Remote Connections
Every MCP server reachable over a network must serve HTTPS with TLS 1.3. Configure cipher suites that provide forward secrecy. For most operations, TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 are the standard choices.
Disable TLS 1.0 and 1.1 entirely. Enforce HSTS to prevent protocol downgrade attacks.
Certificate validation must be strict. MCP clients should reject self-signed certificates in production and verify the server’s certificate chain against a trusted CA.
Failing to follow this protocol can lead to major security breaches. In July 2025, for example, hackers targeted CVE-2025-6514, a remote code execution vulnerability in the mcp-remote npm package. The code execution was exploitable precisely because OAuth redirect URLs were forwarded without sanitization, a failure compounded by weak transport validation.
mTLS for Server-to-Server Communication
When one MCP server calls another, or when an AI agent runtime connects to an MCP server as a machine client, consider implementing mutual TLS (mTLS).
mTLS authenticates both parties at the transport layer using client certificates. No bearer token is required to prove the client’s identity. The server presents a certificate, and so does the client. Both verify against a trusted CA.
SecureW2 managed PKI infrastructure supports issuing and auto-renewing client certificates for machine identities, making mTLS viable at scale without manual certificate management. For AI workloads running in Kubernetes or cloud environments, SecureW2 certificate-based authentication integrates with MDM and IdP workflows to keep machine credentials current.
| Transport Mode | Auth Mechanism | Use Case |
| stdio (local) | OS process boundary | Local agent, Claude Desktop |
| HTTP + OAuth 2.1 | Bearer token (audience-bound) | Remote human-delegated access |
| HTTP + mTLS | Client certificate | Machine-to-machine, agent-to-server |
| HTTP + mTLS + OAuth 2.1 | Both | High-assurance production deployments |
mTLS and OAuth are complementary. mTLS proves transport-layer identity; OAuth scopes constrain what that identity can do.
DPoP Token Binding
Demonstrating Proof of Possession (DPoP) is an emerging hardening technique for OAuth-based MCP deployments. With DPoP, the access token is cryptographically bound to the client’s private key. Even if a token is intercepted, it cannot be used by an attacker who does not control the corresponding key.
The MCP specification does not yet mandate DPoP, but it is a meaningful upgrade for deployments with high-value tool access.
MCP Authorization: Scopes, RBAC, and Least Privilege
Authorization defines what a verified identity is allowed to do. In MCP, authorization operates at two levels: token scopes and tool-level access control.
Token Scopes
When an OAuth access token is issued for an MCP server, it should carry scopes that map to specific tool capabilities. It’s a good practice to avoid issuing tokens with wildcard or administrative scopes. An agent that only needs to query a read-only database tool should hold a token scoped to that tool, not to all tools on the server.
The MCP specification allows servers to advertise tool lists, but it does not mandate scope-to-tool mapping. That design is left to the server developer. Operators should build this mapping explicitly.
Tool-Level Access Control
Beyond token scopes, developers should enforce access control at the tool invocation layer:
- Set allowlist by identity. If the OAuth token carries a sub (subject) claim identifying the calling agent or user, check it against an allowlist before executing a tool.
- Apply parameter validation. Reject tool calls with parameters outside expected ranges. Treat tool input as untrusted — apply the same validation you would apply to HTTP request bodies.
- Implement rate limiting per token. Prevent credential abuse by limiting how many tool invocations a single token can make in a time window.
- Apply context-based controls. For sensitive tools, check whether the request context matches expected patterns. A tool that writes to a database should not be invokable from an unauthenticated path.
MCP Security Risks: Attack Vectors Specific to MCP
Understanding what can go wrong is a prerequisite for hardening. MCP servers face both traditional API threats and attack classes unique to AI-mediated tool use.
Tool Poisoning
Tool poisoning occurs when an attacker controls or tampers with a tool’s description, or the text that the MCP server sends to the AI client to explain what a tool does. Because tool descriptions enter the model’s context window, a malicious description can instruct the model to take unauthorized actions, exfiltrate data, or ignore safety constraints. The attack surface is the tool description itself, not just the tool’s output.
Defenders should treat tool descriptions as untrusted input from third-party MCP servers, verify tool registries cryptographically (Ed25519 or RSA signatures on tool manifests), and pin tool schema versions so that changes require explicit approval.
Rug Pull Attacks
A rug pull attack is a specific variant of tool poisoning. The attacker registers a legitimate-looking MCP tool, waits for an AI agent to grant it access, and then silently updates the tool’s description or behavior after the agent has approved it. The agent continues to trust the tool based on its original evaluation, but the tool now behaves differently.
Mitigation requires version-pinning tool schemas at install time and re-validating tool descriptions on each session start. The ETDI (Enhanced Tool Definition Interface) proposal, currently in draft, provides a protocol-level mechanism for tool identity and schema integrity by binding tool versions to OAuth tokens.
Prompt Injection via Tool Responses
A tool response that contains adversarial text can inject instructions into the AI model’s reasoning. If an MCP tool reads a file, queries a database, or retrieves a web page, its response might contain embedded instructions designed to manipulate the model. This is indirect prompt injection at the MCP layer.
Defense requires output sanitization and clear separation between tool-returned data and the model’s instruction context. Agents should treat tool responses as data, not instructions.
Confused Deputy and Token Passthrough
An MCP server should never forward the access token it received from a client to a downstream service. If server A receives a token scoped to server A and uses it to call service B, it has created a confused deputy vulnerability.
As a result, service B now acts on credentials it was never meant to receive. Each downstream call should use a separately scoped credential.
Supply Chain Attacks on MCP Packages
Third-party MCP packages can carry exploitable vulnerabilities. Developers should vet dependencies carefully, pin package versions with cryptographic hashes, and audit dependencies for known CVEs before deploying a new MCP server.
| Attack Class | Vector | Primary Defense |
| Tool poisoning | Malicious tool description in context | Signed tool manifests, schema pinning |
| Rug pull | Post-approval tool schema change | Version pinning, session re-validation |
| Prompt injection | Adversarial content in tool output | Output sanitization, data/instruction separation |
| Confused deputy | Token forwarding to downstream services | Per-service credentials, no passthrough |
| Supply chain | Malicious third-party MCP package | Dependency pinning, hash verification, CVE scanning |
| Credential theft | Long-lived API key exposure | Rotate to OAuth 2.1, short-lived tokens |
Hardening a Production MCP Server
The controls below apply to any remotely deployed MCP server. Apply them at deployment time, not after an incident.
Input Validation and Output Sanitization
Validate all tool invocation parameters against a strict schema before executing any logic. Reject requests with unexpected fields, oversized payloads, or parameter values outside defined ranges. Apply the same rigor to tool outputs before returning them to the client bystrip ping or encoding content that could be interpreted as instructions.
Session Management
The Mcp-Session-Id header identifies a client session but must not be used as an authorization mechanism. Instead, developers should tie authorization to the validated access token, not to the session identifier.
Always regenerate session identifiers on authentication events, and invalidate sessions server-side on logout or token revocation.
Credential Lifecycle Management
According to Astrix Security research, 53% of production MCP servers still use API keys or personal access tokens, which are single-point-of-failure credentials. This is a risky practice.
Instead of using long-lived static secrets, migrate to OAuth 2.1 access tokens with short expiry (hours, not days). For machine-to-machine authentication via mTLS, use certificates with defined validity periods and automate renewal. Set a maximum credential lifetime policy: rotate any static secret that cannot be eliminated within 90 days.
The SecureW2 JoinNow Platform provides automated certificate enrollment and renewal workflows that remove the operational overhead of managing machine credentials at scale — covering the lifecycle from issuance through revocation.
Rate Limiting and Abuse Prevention
Enforce per-token and per-IP rate limits on tool invocations. Log rate limit events. Sudden spikes in tool call frequency from a single token are a signal of credential compromise or automated abuse.
Dependency Management
Ensure consistency and reliability by pinning all MCP server package versions. Use a hash-verified lockfile to track the dependencies and sub-dependencies used in each project.
It’s a good practice to run automated CVE scanning on dependencies as part of your CI pipeline. Do not pull latest versions in production without verification.
Principle of Least Privilege for the Server Process Itself
Run the MCP server process with the minimum OS-level permissions it needs. If the server only reads from a specific database, it should not have write access to the filesystem. Use container security contexts or system service hardening to enforce resource limits and restrict sys calls.
Monitoring and Audit Logging for MCP Servers
Hardening and monitoring are complementary processes. Hardening prevents known attack patterns, and monitoring detects whatever hardening misses. Here’s how the monitoring and logging process works.
What to Log
Every MCP server should emit structured audit logs for:
- Authentication events: token validation, success, failure, expiry
- Tool invocations: caller identity, tool name, parameters (sanitized), response code, execution time
- Authorization failures: access denied events with context
- Session lifecycle: creation, renewal, termination
- Configuration changes: any change to tool definitions or server configuration
Always log to a centralized SIEM, not to local files. Local logs are inaccessible during a container restart and can be cleared by an attacker with filesystem access.
Anomaly Detection Baselines
Establish normal baselines for:
- Tool invocation frequency per token
- Parameter value distributions per tool
- Response times (spikes may indicate server-side injection attacks)
- Tool discovery request patterns (excessive enumeration may signal reconnaissance)
Set the system to generate automaticalerts in response to deviations from the baseline. Behavioral anomalies in tool invocation patterns are often the earliest detectable signal of a compromised agent credential.
Incident Containment
If developers suspect that a token is compromised, they should revoke it at the authorization server immediately. MCP clients that use OAuth 2.1 can handle token revocation through the authorization server’s revocation endpoint (RFC 7009).
If a tool schema has been tampered with, take the tool offline and re-validate its definition before restoring service. Log the full event chain for forensic review.
MCP Server Security Limitations
Even a well-hardened MCP server has boundaries that the protocol itself does not fully address. Those boundaries include:
- No standardized tool integrity mechanism in the current spec. The MCP 2025-11-25 protocol mandates OAuth 2.1 for transport auth but does not yet include a built-in mechanism for signing tool definitions. ETDI is a draft proposal, not a ratified standard. Until it is adopted, tool integrity requires implementation-specific controls.
- Trust delegation is complex in multi-agent pipelines. When one AI agent calls another through an MCP server, the trust chain can span multiple OAuth tokens across multiple servers. Auditing end-to-end authorization in these chains is not yet standardized.
- OAuth 2.1 does not address tool-level semantics. A valid OAuth token proves identity and grants scopes. It does not prove that the tool the agent is about to invoke is the same tool the human authorized. Closing that gap requires application-layer controls beyond what the spec provides.
- Monitoring is not standardized. There is no MCP specification for what servers must log. Every deployment makes independent decisions about event schema, log destination, and alerting. This creates inconsistency across multi-server deployments.
As MCP deployments mature, the gap between transport-layer authentication and application-layer trust will require new standards and tooling, not just tighter configuration.
From MCP Authentication to Machine Identity Infrastructure
There is one guiding principle behind all the controls in this article: every MCP server interaction must be tied to a verified, scoped, revocable identity.
OAuth 2.1 handles this well for human-delegated flows, when implemented correctly. When it comes to machine-to-machine and agent-to-server flows, though, the infrastructure demands more. For those workflows, you need PKI-backed certificate identities with automated lifecycle management.
Traditional PKI deployments are operationally heavy. Managing certificate enrollment, renewal, and revocation across a fleet of AI workloads and MCP servers requires the same automation that enterprise Wi-Fi and VPN deployments have needed for years.
At SecureW2, we have already built that automation for network identity. Now, we are applying the same PKI infrastructure to securing MCP server communications via mTLS.
When an AI agent connects to an MCP server using a client certificate issued by a managed CA, the server can verify the agent’s identity at the transport layer without depending on a separate OAuth flow. Certificate revocation happens in real time through OCSP or CRL, so a compromised agent identity can be invalidated immediately, not at the next token refresh cycle.
Secure Your MCP Infrastructure With Certificate-Based Identity
Passwords and long-lived API keys are the weakest link in any MCP deployment. Replacing them with certificate-based authentication at the transport layer eliminates the credential theft attack surface entirely.
SecureW2 Managed PKI and JoinNow Cloud RADIUS provide the identity infrastructure to issue, deploy, and revoke machine certificates for AI workloads. That’s the same approach that secures enterprise Wi-Fi and VPN access at thousands of organizations. For MCP deployments running in cloud or Kubernetes environments, SecureW2 auto-enrollment integrations with Intune, Jamf, and Google Workspace reduce certificate management overhead to near zero.
If your team is building or hardening an MCP server deployment, start with the transport layer. A certificate-based identity model that prevents unauthorized connections is harder to bypass than any application-layer control alone.
Schedule a demo to see how SecureW2 PKI infrastructure applies to securing MCP server communications, or contact SecureW2 to discuss your specific deployment architecture.
