Skills
Bind every MCP token to the exact tool subset it may invoke, and check scope before the handler body runs
The most reliable confused-deputy defense is encoding tool-level scope claims directly into the token, then verifying the caller's scope against the specific tool being invoked before any handler logic executes — not deriving permissions at runtime inside the handler. This stops a token minted for a read tool from being replayed against a write or admin tool. For builders shipping MCP servers: make authorization a gate at the top of each tool handler keyed to that tool's scope claim, so a valid-but-wrong-scope token fails closed.
↳ Follow the thread