
Tool use & MCP

Why is authorization the hard part of MCP?

Connecting a model to your real tools means connecting it to your real data and actions. MCP's authorization rests on OAuth 2.1, but confused-deputy attacks, token leakage, and prompt injection through poisoned tool descriptions are specific risks to contain.

Last updated 2026-06-15 · Physea Labs

Connecting a model to your real tools means connecting it to your real data and actions, so access control matters. MCP’s authorization model is built on OAuth 2.1, separating the server that holds your data from the server that grants access.[1] The risks here are specific: a confused-deputy problem where the model is tricked into using its access on someone else’s behalf, tokens being passed where they should not be, and prompt injection arriving through a poisoned tool description. The rules and guardrails page covers how to contain these.
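The separation described above puts one concrete obligation on the MCP server (the resource server): it must accept only tokens that the authorization server issued for it, and never forward a caller's token to some other API. The example below is added here and is not code from the page, the MCP specification, or Descope; it stands in a shared HS256 key for the authorization server's signing key and uses constructed issuer and resource URIs, and it shows the audience check that turns a token minted for a different API into a rejection rather than a passthrough.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example only: a shared key standing in for the
# authorization server's signing key, its issuer URL, and this MCP server's
# own resource identifier (the audience every accepted token must carry).
AS_KEY = b"example-shared-secret"
AS_ISSUER = "https://auth.example"
MCP_RESOURCE = "https://mcp.example/tools"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in for the authorization server: issue a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_for_resource(token: str, resource: str = MCP_RESOURCE, now=None) -> dict:
    """Resource-server check: signature, issuer, expiry and, crucially, audience.
    Raises PermissionError unless the token was issued for this MCP server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, body, sig = parts
    expected = hmac.new(AS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != AS_ISSUER:
        raise PermissionError("unexpected issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("expired")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if resource not in aud:
        # Minted for some other API: accepting it (or relaying it upstream on the
        # caller's behalf) would be the token-passthrough / confused-deputy case.
        raise PermissionError(f"audience {aud} does not include {resource}")
    return claims  # the server acts on these claims; it never re-sends the token

def accepts(token: str, resource: str = MCP_RESOURCE) -> bool:
    """Convenience wrapper: True only if the token validates for this resource."""
    try:
        validate_for_resource(token, resource)
        return True
    except PermissionError:
        return False
```

Any upstream call the tool then makes should use a credential the MCP server obtained for itself, not the inbound token, so a valid token for this server never becomes a valid token for something else.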

References

  1. The MCP Authorization Specification, explained — Descope