MCP Authorization Conformance
The product bet
SecurityRecipes is positioned as the secure context layer for agentic AI. Context trust, egress controls, and run receipts are not enough if MCP authorization is loose. A production buyer will ask:
- Is the token bound to the MCP resource, not a generic upstream API?
- Does the MCP server validate audience, issuer, expiry, and scope?
- Are raw user tokens ever passed through to downstream tools?
- Is the scope tied to workflow, namespace, access mode, agent, and run?
- Can the gateway prove consent, session binding, and audit correlation?
- Which new MCP servers fail before promotion?
The MCP Authorization Conformance pack answers those questions in a machine-readable artifact and exposes a runtime evaluator for pre-call authorization decisions.
What was added
- Source profile: data/assurance/mcp-authorization-conformance-profile.json
- Generator: scripts/generate_mcp_authorization_conformance_pack.py
- Evidence pack: data/evidence/mcp-authorization-conformance-pack.json
- Runtime evaluator: scripts/evaluate_mcp_authorization_decision.py
- MCP tools: recipes_mcp_authorization_conformance_pack and recipes_evaluate_mcp_authorization_decision
Regenerate and validate the pack:

```bash
python3 scripts/generate_mcp_authorization_conformance_pack.py
python3 scripts/generate_mcp_authorization_conformance_pack.py --check
```

Evaluate a runtime authorization request:

```bash
python3 scripts/evaluate_mcp_authorization_decision.py \
  --workflow-id vulnerable-dependency-remediation \
  --connector-id repository-contents \
  --namespace repo.contents \
  --requested-access-mode write_branch \
  --resource-indicator https://mcp.security-recipes.ai/mcp \
  --token-audience https://mcp.security-recipes.ai/mcp \
  --token-scope repo.contents:write_branch \
  --expect-decision allow_authorized_mcp_request
```

Decision model
| Decision | Meaning |
|---|---|
| allow_authorized_mcp_request | The request is bound to the expected MCP resource and stays inside the connector and workflow scope. |
| hold_for_authorization_evidence | The connector or candidate server still needs authorization metadata, gateway evidence, or conformance controls. |
| deny_token_passthrough | The request would pass raw user or upstream tokens through the agent/tool path. |
| deny_unbound_token | The token is missing the expected resource indicator or audience binding. |
| deny_scope_drift | The workflow, namespace, connector, or access mode is outside the approved authorization scope. |
| kill_session_on_secret_or_signer_scope | The request includes credential, signer, deploy, publish, or live-funds authority. |
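The decision table above and the buyer checklist (audience, issuer, expiry, scope, passthrough, scope binding) can be read as an ordered rule set. The evaluator below is an added illustration of that reading; it is not scripts/evaluate_mcp_authorization_decision.py or any other SecurityRecipes code. The trusted issuer URL, the approved-scope registry, the set of connectors still pending evidence, the claim layout (already-verified JWT-style claims) and the rule ordering are all assumptions made for the example.

```python
"""Illustrative pre-call MCP authorization evaluator (added example).

Not the project's own evaluator. Issuer, registry, pending-evidence set,
claim layout and rule order are assumptions for this example.
"""
import time
from dataclasses import dataclass, field

# Assumed: the MCP resource this gateway fronts (same indicator as the docs).
MCP_RESOURCE = "https://mcp.security-recipes.ai/mcp"
TRUSTED_ISSUER = "https://auth.security-recipes.ai"  # assumed issuer

# Assumed registry: workflow -> connector -> namespace -> approved access modes.
APPROVED_SCOPE = {
    "vulnerable-dependency-remediation": {
        "repository-contents": {"repo.contents": {"read", "write_branch"}},
    },
}
# Assumed: connectors that still lack gateway/authorization evidence.
PENDING_EVIDENCE = {"new-candidate-server"}
# Authority words whose presence ends the session (last row of the table).
DANGEROUS_SCOPE_WORDS = ("credential", "signer", "deploy", "publish",
                         "live-funds", "live_funds")


@dataclass
class MCPRequest:
    workflow_id: str
    connector_id: str
    namespace: str
    requested_access_mode: str
    resource_indicator: str
    token_claims: dict                 # constructed, signature already verified
    forwards_user_token: bool = False  # would the raw user token reach the tool?
    now: float = field(default_factory=time.time)


def evaluate(req: MCPRequest) -> str:
    """Return one decision name from the table; the first matching rule wins."""
    claims = req.token_claims
    scopes = set(claims.get("scope", "").split())

    # 1. Raw token passthrough is denied before anything else is considered.
    if req.forwards_user_token:
        return "deny_token_passthrough"

    # 2. Credential / signer / deploy / publish / live-funds authority anywhere
    #    in the requested mode or token scopes ends the session outright.
    if any(w in s for s in scopes | {req.requested_access_mode}
           for w in DANGEROUS_SCOPE_WORDS):
        return "kill_session_on_secret_or_signer_scope"

    # 3. Token must come from the trusted issuer, be unexpired, and be bound
    #    (aud) to this MCP resource; the request must name the same resource.
    if (claims.get("iss") != TRUSTED_ISSUER
            or claims.get("exp", 0) <= req.now
            or claims.get("aud") != MCP_RESOURCE
            or req.resource_indicator != MCP_RESOURCE):
        return "deny_unbound_token"

    # 4. Connector still waiting on authorization metadata or gateway evidence.
    if req.connector_id in PENDING_EVIDENCE:
        return "hold_for_authorization_evidence"

    # 5. Workflow, connector, namespace, access mode and token scope must all
    #    fall inside the approved registry entry.
    modes = (APPROVED_SCOPE.get(req.workflow_id, {})
             .get(req.connector_id, {})
             .get(req.namespace))
    wanted = f"{req.namespace}:{req.requested_access_mode}"
    if not modes or req.requested_access_mode not in modes or wanted not in scopes:
        return "deny_scope_drift"

    return "allow_authorized_mcp_request"


def good_request(**overrides) -> MCPRequest:
    """Constructed request mirroring the docs' CLI example; overrides tweak it."""
    base = dict(
        workflow_id="vulnerable-dependency-remediation",
        connector_id="repository-contents",
        namespace="repo.contents",
        requested_access_mode="write_branch",
        resource_indicator=MCP_RESOURCE,
        token_claims={"iss": TRUSTED_ISSUER, "aud": MCP_RESOURCE,
                      "exp": 4102444800,  # constructed far-future expiry
                      "scope": "repo.contents:write_branch"},
    )
    base.update(overrides)
    return MCPRequest(**base)


if __name__ == "__main__":
    print(evaluate(good_request()))  # allow_authorized_mcp_request
```

The ordering matters: passthrough and secret/signer authority are checked before the token is even inspected, so a well-formed token never rescues a request that would leak credentials or reach deploy authority, and a token bound to a generic upstream API audience is rejected before scope is compared at all.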
What the pack proves
The generated pack joins:
- the MCP connector trust pack,
- the MCP connector intake pack,
- the workflow control plane,
- the gateway policy pack,
- and the authorization conformance profile.
For production connector namespaces, it records the gateway attestation controls that must exist: per-client consent, short-lived workload identity, token-passthrough denial, audit, session binding, and write or approval controls where applicable.
For candidate MCP servers, it evaluates the detailed intake profile for resource indicators, audience validation, PKCE, short-lived tokens, private-network exposure, token passthrough, session binding, and audit evidence before promotion.
Industry alignment
This feature follows current primary guidance:
- Model Context Protocol Authorization for protected-resource metadata, resource indicators, audience-bound bearer tokens, HTTPS, PKCE, and token validation.
- MCP Security Best Practices for confused-deputy prevention, token-passthrough avoidance, SSRF, session safety, scope minimization, and audit trails.
- OWASP Top 10 for Agentic Applications 2026 for tool misuse, identity abuse, agentic supply-chain risk, context poisoning, cascading failures, and rogue-agent containment.
- CISA AI Data Security for provenance, integrity, access control, monitoring, third-party data handling, and incident evidence.
- NIST AI RMF and the NIST Generative AI Profile for governed, mapped, measured, and managed AI risk.
Commercial path
The open pack is the proof model. The premium production opportunity is a hosted MCP authorization scanner:
- discover live protected-resource and authorization-server metadata,
- diff resource indicators, audiences, scopes, and redirect policy,
- alert on scope drift and token-passthrough regressions,
- replay confused-deputy and unbound-token tests,
- attach signed authorization receipts to agent run receipts,
- export fleet-wide evidence for AI platform review and procurement.
That is the path from open knowledge to a production MCP security platform that a model provider, AI platform vendor, or security company would understand.
MCP examples
Inspect the overall pack:

```python
recipes_mcp_authorization_conformance_pack()
```

Review one connector:

```python
recipes_mcp_authorization_conformance_pack(
    connector_id="repository-contents"
)
```

Evaluate one runtime request:

```python
recipes_evaluate_mcp_authorization_decision(
    workflow_id="vulnerable-dependency-remediation",
    connector_id="repository-contents",
    namespace="repo.contents",
    requested_access_mode="write_branch",
    resource_indicator="https://mcp.security-recipes.ai/mcp",
    token_audience="https://mcp.security-recipes.ai/mcp",
    token_scopes=["repo.contents:write_branch"]
)
```

See also
- MCP Connector Intake Scanner for pre-promotion MCP server review.
- MCP Connector Trust Registry for namespace tiers and connector evidence.
- MCP Gateway Policy Pack for default-deny tool access decisions.
- Agentic Run Receipts for run-level proof objects that can carry authorization evidence.