MCP

5 Articles

Closing the Gaps in Least-Privilege MCP Tool Calls

AuthZEN, ARAP, and the Task Neither Names

Series Least-Privilege MCP Tool Calls Part 2 of 2

Part one laid out two ways to lock down a single tool call an agent makes through the Model Context Protocol: carry a narrow token, or let the resource decide each call. This part walks the standards that close the gaps. AuthZEN gives a standard way to ask the policy question, the Access Request and Approval Profile turns a denial into a governed request for approval, and a set of proposals carries that approval over the wire. Each makes one call’s authorization more interoperable, and none gives a multi-step task a shared identity. So a string of individually correct calls can still drift from what the user approved. The missing piece is a durable, governed record of the approved task, the object I call a Mission.

OAuth Authorization MCP AuthZEN Fine-Grained Authorization Agentic Identity RAR

Two Models for Least-Privilege MCP Tool Calls

Carry Authority in a Token, or Decide at the Resource

Series Least-Privilege MCP Tool Calls Part 1 of 2

There are two natural ways to lock an agent’s Model Context Protocol (MCP) tool calls down to least privilege. The agent can carry a narrow token scoped to the action, or the server can decide each call as it happens. Carrying a token gives portable proof of what the agent may do, but pushes domain knowledge onto the authorization server and token management onto the client. Deciding at the resource keeps the meaning where it lives, but the decision is not portable. MCP makes the tool boundary first-class for both. This part compares the two models and how to choose. Part two covers the standards that close the per-call gaps and the task object neither names.

OAuth Authorization MCP AuthZEN Fine-Grained Authorization Agentic Identity RAR

Sessions Are Not Missions

Why Agent Harnesses Cannot Own the Mission Layer

Modern agent harnesses make work durable across restarts, devices, background jobs, and sub-agents. That durability is a runtime property, not a governance property. A session answers where the agent can continue working. A mission answers why the agent is allowed to keep working. Conflating them is a central failure mode of long-running autonomous agent systems.

Agentic Identity Delegated Authority IAM OAuth Authorization Security Architecture Sessions MCP