Guide
Secure MCP: building AI apps on tooling you can trust
The security of an AI app is rarely about the model. It is about what the toolsyou wire in can do on a user’s behalf — and whose permissions they carry. Get that wrong and a helpful assistant becomes an over-privileged one. Here is what to demand from secure MCP tooling, and how to verify it before you connect.
The real security question
MCP is the shared tool-calling standard across Claude, ChatGPT/OpenAI and the rest, so the risk surface is the same everywhere: a tool call runs with someone’s rights. The only questions that matter are whose and how much. A secure setup answers both precisely: this action runs as this user, with exactly the access that user already has, and nothing more. An insecure one answers vaguely — a shared key, a service account, “the app can do everything, we trust the agent.”
What to demand from secure AI-app tooling
Six properties, each of which you can check rather than take on faith:
1. OAuth 2.1, not a shared API key
Per-user tokens, least-privilege scopes, standard revocation, and an audit trail that names the real person. A shared API key is long-lived, coarse, and a broad blast radius when it leaks. See how MCP’s OAuth discovery works in practice.
2. No permission flattening
The single most common serious regression: tools behind one over-privileged service account, so every user’s agent inherits admin access to everything. Secure tooling propagates the real user’s identityso each app’s own permission model applies — the agent gets exactly the user’s rights, no more.
3. Verify before you trust
A sensitive tool should force an OAuth challenge, not trust the network. The whole chain is walkable without a token, so you can confirm a server’s posture before connecting. Don’t take a claim on faith — probe it.
4. Least-privilege, scope-filtered tools
The agent should only see and be able to call the tools its token scopes allow. A catalog that exposes every tool to every caller is both a security and a context problem.
5. Audit and central revocation
One line per call recording who did what, and a single revocation that cuts access everywhere at once. If you cannot answer “what did this agent do, and how do I stop it,” the tooling is not secure enough for real users.
6. Encrypted storage for linked third-party tokens
When a tool holds credentials to another service on a user’s behalf, those live encrypted and per-user — so the downstream provider sees the user’s own account, seat and limits, not a shared bot.
Do
- +Front your tools with an OAuth 2.1 perimeter and propagate the real user identity.
- +Scope the tool catalog to the token; expose only what the user may call.
- +Log one audit line per call and wire central revocation.
- +Verify a server’s OAuth and discovery chain before connecting.
Don’t
- −Wire tools behind one broad service account ("permission flattening").
- −Hand agents a long-lived shared API key for multi-user access.
- −Trust a server because it says it is secure — probe it instead.
- −Store third-party credentials in plaintext or share them across users.
Why MCP + a gateway is the secure pattern
Put the six properties together and you get a specific architecture: an OAuth-protected MCP layer in front of your apps that propagates identity to each one, filters tools by scope, and keeps the audit and revocation central. Because the layer enforces nothing itself — each app keeps its own permission model — there is nothing new to trust. That is exactly what Cortex Gatewayimplements: a self-hosted, open-source MCP gateway where the agent’s access equals the user’s, by construction. For the trust dimension specifically, see our earlier note on building AI apps on verifiable trust.
Verify it
Security you cannot check is a slogan. Run any domain through the agent-readiness checker: it walks the MCP OAuth challenge, the discovery chain and the crawler posture, and shows the curl behind every verdict — so you can confirm a tool is what it claims before you wire it into an AI app.
FAQ
What makes an MCP server or tool secure?
How do I build a secure ChatGPT or Claude AI app?
Are MCP servers safe to connect to?
What is the biggest security mistake in AI-app tooling?
Should AI tools use OAuth or API keys?