Applicability
When to Use
✓ When MCP servers access sensitive data
✓ When compliance requires access audit trails
✓ When implementing least-privilege access
Overview
How It Works
The Zero-Trust pattern requires every MCP server interaction to be authenticated and authorized, regardless of network location. Each request includes a token that is validated against the identity provider, scopes are checked against the requested operation, and every access is logged.
In an MCP architecture, the agent middleware validates tokens before forwarding requests to MCP servers. Vault MCP Server manages the tokens, while an audit log captures every access for compliance. No MCP server trusts another by default.
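The flow described above, as an added example that is not the page's own code: a self-contained middleware check that validates a signed, expiring token, requires an exact `server:tool` scope, and audits every decision, denials included. The HMAC token format, `IDP_KEY`, and all function names are assumptions for illustration, and an in-memory array stands in for the audit store.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed demo key; in the pattern above the identity provider / Vault would hold it.
const IDP_KEY = "demo-signing-key";

interface Claims { sub: string; scopes: string[]; exp: number } // exp: epoch seconds
interface AuditEntry { sub: string; server: string; tool: string; decision: string; at: string }

const auditLog: AuditEntry[] = []; // stand-in for a persistent audit table

const sign = (payload: string): string =>
  createHmac("sha256", IDP_KEY).update(payload).digest("hex");

// Hypothetical token format: base64(JSON claims) + "." + hex HMAC-SHA256 tag.
function issueToken(claims: Claims): string {
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64");
  return `${payload}.${sign(payload)}`;
}

// Returns the claims only if the tag verifies and the token has not expired.
function validateToken(token: string, now: number): Claims | null {
  const [payload, tag] = token.split(".");
  if (!payload || !tag) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, "base64").toString()) as Claims;
  return claims.exp > now ? claims : null;
}

// Deny by default: "allow" is returned only after validation and an exact scope
// match, and every decision, allow or deny, is appended to the audit log.
function authorize(token: string, server: string, tool: string, now: number): string {
  const claims = validateToken(token, now);
  let decision = "deny:invalid_token";
  if (claims) {
    decision = claims.scopes.includes(`${server}:${tool}`) ? "allow" : "deny:scope";
  }
  auditLog.push({ sub: claims?.sub ?? "unknown", server, tool, decision, at: new Date(now * 1000).toISOString() });
  return decision;
}
```

The caller forwards the request to the MCP server only when `authorize` returns `"allow"`; the denied attempts remain in `auditLog` for review.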
Implementation
Code Example
typescript
// Assumes `vault`, `postgres`, `mcpServers`, `isExpired` and `getTokenScopes`
// are provided by the surrounding application.
async function authenticatedRequest(server, tool, args) {
  // Get short-lived token from Vault
  let token = await vault.kvGet({ path: `tokens/${server}` });
  if (isExpired(token)) {
    // Rotate, and use the fresh token for the rest of this request
    token = await vault.generateToken({ policies: [server] });
    await vault.kvPut({ path: `tokens/${server}`, data: token });
  }

  // Verify scope
  const scopes = await getTokenScopes(token);
  if (!scopes.includes(`${server}:${tool}`)) {
    throw new Error(`Insufficient scope for ${server}:${tool}`);
  }

  // Execute with audit
  const result = await executeWithAudit(server, tool, args, token);
  return result;
}

async function executeWithAudit(server, tool, args, token) {
  // Record who called which tool before the call is made
  const auditEntry = { server, tool, timestamp: new Date(), principal: token.sub };
  await postgres.query("INSERT INTO audit_log (data) VALUES ($1)", [JSON.stringify(auditEntry)]);
  return await mcpServers[server][tool](args);
}

Quick Info
Category: security
Complexity: Hard