Designing Secure Multi-Tenant MCP Servers
This article discusses the challenges of building a multi-tenant MCP (Model Context Protocol) server that safely isolates tenants from each other, and the key isolation layers required to achieve this.
Why it matters
Securely architecting multi-tenant MCP servers is critical for enterprises deploying AI/ML platforms at scale, to prevent security vulnerabilities and operational complexity.
Key Points
- MCP servers surface tools, not just endpoints, which creates a different security surface than typical multi-tenant HTTP APIs
- Three key isolation layers are needed: request-level credential isolation, tool-level authorization, and resource scoping
- Failure modes include session state bleed, shared upstream rate limits, and credential bleed across tenants
Details
The article explains that the default approach of one MCP server per tenant leads to operational complexity at scale. Instead, a single multi-tenant MCP server can be built, but it requires careful isolation to prevent security issues. Unlike multi-tenant HTTP APIs, MCP servers need to isolate not just data access, but also the tools and schemas that agents can reach. The three key isolation layers are: 1) authenticating each MCP tool call with credentials specific to that call's principal, not the server's own credentials; 2) providing a tenant-specific tool manifest that limits which tools each agent can see and invoke; and 3) scoping all resource access (reads and writes) to the tenant identity rather than a global namespace. The article also outlines four potential failure modes to watch out for, including session state bleed, shared upstream rate limits, and credential bleed across tenants.
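The three layers above, shown together in a toy in-process tool dispatcher (an added example, not code from the article or from any MCP implementation; tenant ids, tool names, tokens and the `read_doc`/`write_doc` tools are constructed placeholders):

```python
"""Added example, not from the article: a toy multi-tenant MCP-style tool
dispatcher applying the three isolation layers described above. Tenant
ids, tool names and tokens are constructed placeholders."""
from dataclasses import dataclass, field

# Layer 2: each tenant gets its own tool manifest (constructed values).
MANIFESTS = {
    "tenant-a": {"read_doc", "write_doc"},
    "tenant-b": {"read_doc"},
}

@dataclass(frozen=True)
class Principal:
    tenant: str
    token: str  # the caller's own credential, forwarded on every call

class ForbiddenTool(Exception): pass  # tool outside the tenant's manifest

@dataclass
class TenantStore:
    """Resource backend whose keys are always prefixed by tenant (layer 3)."""
    data: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (tenant, token) per access

    def _key(self, tenant: str, name: str) -> str:
        return f"{tenant}/{name}"  # tenant namespace, never a global one

    def read(self, p: Principal, name: str):
        self.audit.append((p.tenant, p.token))
        return self.data.get(self._key(p.tenant, name))

    def write(self, p: Principal, name: str, value: str) -> None:
        self.audit.append((p.tenant, p.token))
        self.data[self._key(p.tenant, name)] = value

def list_tools(p: Principal) -> list:
    """Tenant-specific manifest: only the tools this tenant may see."""
    return sorted(MANIFESTS.get(p.tenant, set()))

def call_tool(store: TenantStore, p: Principal, tool: str, **args):
    """Dispatch under the caller's principal (layer 1); no server-wide token."""
    if tool not in MANIFESTS.get(p.tenant, set()):
        raise ForbiddenTool(f"{tool} is not in the manifest for {p.tenant}")
    if tool == "read_doc":
        return store.read(p, args["name"])
    if tool == "write_doc":
        store.write(p, args["name"], args["value"])
        return "ok"
    raise ForbiddenTool(f"unknown tool {tool}")
```

Two tenants using the same document name get different keys, and the audit trail shows every backend access carrying the calling tenant's token rather than one shared identity.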