Proposal: Permission Specification for MCP Tool Calls #2498
Replies: 13 comments 8 replies
This comment was marked as spam.
This comment was marked as spam.
-
|
The 71% F-score finding across MCP servers is not surprising but it is useful to have quantified. The structural problem is that MCP defaults to "all tools available to all callers" and the spec provides no opt-in mechanism for restriction. On the design questions:
The chain depth constraint type is underrated. Most real exploits in agent systems come from deep delegation chains where no single hop looks dangerous but the cumulative capability is. |
Beta Was this translation helpful? Give feedback.
-
|
The issue we are having is that there is no provision for e.g. "ACLs" on individual tools. It can be driven by the tool metadata map, however this then becomes implementation-specific, and not portable. When aggregating many servers on a gateway, right now the only options is to name-match the backend tool to an ACL defined in the gateway config, and apply it per-request. This is not so scalable, if MCP is to implement a whole discovery mechanism whereby tool servers can be discovered and loaded in dynamically, and the developer does not need to change anything at the "gateway", then per-tool scope-definitions are needed in the tools list response. Under the {
...
"conditions": {
"scopes": { "enum": ["admins", "financial_read"] } # or "roles"
}
...
}This would deliver to the agent the idea that the current context does not have the scope to execute this tool. Then the server must enforce this restriction but at least there is an early feedback loop to the user/agent that they need higher privilege. |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
|
Strong proposal. The per-tool authorization gap is real. I want to raise a related problem that compounds it: what happens to permissions when content flows through derivation chains? |
Beta Was this translation helpful? Give feedback.
-
|
@AmanSharma2609 the derivation chain problem is real and I keep seeing it come up independently across these discussions — which means it's a real gap, not a theoretical one. The composition rules you landed on (max sensitivity, intersect access, union regulatory) are the same ones you described in #2493. The fact that you arrived at them through deployment testing rather than theory is the strongest validation. For the permission spec specifically: tool-level permissions + output governance composition are two different enforcement points that both need to exist. The permission spec handles the first. Your composition rules handle the second. Proof-of-behavior can enforce both and log the evidence for each decision. The enforcement middleware could evaluate two constraint sets per action:
Both decisions go into the same hash-chained log. Auditor replays both. This is converging with the work in cxp-protocol — would be worth formalizing the composition rules as part of the governance vocabulary crosswalk happening in agent-governance-vocabulary. |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
-
|
The overlap I see with this permission-spec proposal is the verifiable part of authorization: per-tool authorization, parameter constraints, delegation, and audit trails only become dependable if an approval or grant can be checked against the exact tool call being made. Limitation: a request-binding invariant is narrower than a full MCP permission language. It does not define every policy primitive, OAuth shape, or UI workflow. It is more like a conformance property: the runtime must reject stale, replayed, or widened approvals. For that piece, would you want it to be something implementations depend on, a library, a spec/conformance test-kit, or something each MCP client/server project implements directly? |
Beta Was this translation helpful? Give feedback.
-
|
Hi, I wonder whether you have considered existing authorization standards for this. It looks like your architecture follows the PEP/PDP model (as defined in NIST ABAC 800-162) which means you could consider going down the path of OpenID AuthZEN. That would let you delegate the definition of permissions to existing Policy Decision Points (PDP). These could be:
That would solve your AuthZ problem and make it repeatable, i.e. use the same mechanisms in MCP but also A2A and other parts of the AI architecture. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Summary
I would like to propose a standard format for expressing, evaluating, and auditing permission rules for MCP tool calls — the AgentsID Permission Specification v1.0.
The full spec is published at agentsid.dev/spec and github.com/stevenkozeniesky02/permission-spec. This post summarizes the motivation, design, and asks for feedback from MCP maintainers.
Motivation
MCP gives agents unrestricted access to every tool a server exposes by default. The spec delegates authentication to the transport layer and provides no mechanism for:
We recently scanned 100 MCP servers using an open-source scanner (
@agentsid/scanner) and published the results in "The State of MCP Server Security 2026".Key findings:
server-githubandserver-filesystem)We filed two issues on this repo:
push_filesscope constraintsThe root cause in both cases is not buggy code — it is the absence of a standard way to express what an agent is permitted to do.
The Proposal
A permission policy is a JSON document attached to an agent. A pure-function evaluation engine decides allow/deny at tool call time. An audit log records every decision with cryptographic integrity.
Permission Rule Format
{ "version": "1.0", "agentId": "agent_abc123", "expiresAt": "2026-04-29T00:00:00Z", "rules": [ { "tools": ["github.push_files"], "action": "allow", "conditions": { "owner": { "pattern": "^myorg$" }, "branch": { "enum": ["main", "develop"] } }, "constraints": [ { "type": "rateLimit", "max": 10, "windowSeconds": 3600 } ] }, { "tools": ["**"], "action": "deny" } ] }Core Principles
Constraint Types (12 built-in)
Schedule, Rate Limit, Data Classification, Budget, Sequence, Session Limit, Risk Score, IP Allowlist, Chain Depth, Cooldown, Anomaly Detection, Approval Gate — plus
x-prefixed extensions.Delegation Protocol
Agents can delegate a subset of their permissions to sub-agents. Scope can only narrow, never expand. Revoking a delegation cascades to all sub-delegations immediately.
Audit Log
Every evaluation decision produces an append-only audit entry with SHA-256 hash chaining. Any tampering with a historical entry invalidates all subsequent hashes.
Relationship to Existing MCP Auth Work
This proposal is a complement to, not a replacement for, the MCP auth spec (OAuth 2.1 / transport-level authentication). The auth spec answers "who is this agent?" This proposal answers "what is this agent allowed to do, with what parameters, under what conditions?"
These are orthogonal problems. You need both.
What I Am Asking
Links
npx @agentsid/scannerBeta Was this translation helpful? Give feedback.
All reactions