> ## Documentation Index
> Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
> Use this file to discover all available pages before exploring further.

# MCP Server Security

> Validate Model Context Protocol tool calls in agent architectures

<Info>
  MCP (Model Context Protocol) security validates tool calls before execution in agent workflows, preventing unauthorized tool use, argument injection, and resource access violations.
</Info>

## Overview

As AI agents gain the ability to call external tools via the Model Context Protocol, new attack surfaces emerge. PromptGuard's MCP security layer validates every tool call against configurable policies before execution.

There are two ways to apply it:

1. **Inline on gateway traffic** — when your requests flow through the PromptGuard gateway (`/api/v1/chat/completions` or `/api/v1/messages`), tool calls in the message stream are checked against your project's MCP security configuration automatically.
2. **Explicitly via the API** — call [`POST /api/v1/agent/validate-tool`](/api-reference/agent-security) before executing any tool, regardless of how your agent talks to its LLM.

## Capabilities

### Server Allow/Block-listing

Restrict which MCP servers your agents can call tools from. When MCP security is enabled for a project, each tool call's server (derived from the namespaced tool name, e.g. `filesystem__read_file`) is checked against the project's server allowlist and blocklist — calls to servers not on the allowlist, or on the blocklist, are blocked before execution. Argument payloads are also capped in size to prevent oversized-argument abuse.

This is configured per project as part of your guardrails setup — [contact support](mailto:support@promptguard.co) to enable and tune MCP server allow/block-listing for your project.

### Argument Schema Validation

Validate tool call arguments against expected schemas to prevent injection:

```json theme={"system"}
{
  "tool": "database_query",
  "expected_schema": {
    "type": "object",
    "required": ["table", "query_type"],
    "properties": {
      "table": { "type": "string", "enum": ["users", "orders"] },
      "query_type": { "type": "string", "enum": ["select", "count"] }
    }
  }
}
```

Arguments that don't match the schema are rejected before reaching the tool.

### Resource Access Policies

Define which resources tools can read or modify:

* File system paths (allow-list / deny-list)
* Database tables and operations
* Network endpoints and protocols
* Environment variables and secrets

### Tool Injection Detection

Identifies attempts to inject unauthorized MCP tool calls through:

* Prompt-based tool invocation attempts
* Argument manipulation to access restricted resources
* Chained tool calls designed to escalate privileges

## Validating Tool Calls

Validate any tool call explicitly before execution with the Agent Security API:

```python theme={"system"}
from promptguard import PromptGuard

pg = PromptGuard(api_key="pg_live_xxxxxxxx")

result = pg.agent.validate_tool(
    agent_id="agent-123",
    tool_name="file_read",
    arguments={"path": "/etc/passwd"},
    session_id="session-456",
)

if not result["allowed"]:
    print(f"Blocked: {result['reason']}")
    print(f"Risk score: {result['risk_score']}")
```

## Best Practices

1. **Default deny**: Only allow-list the MCP servers your agents need
2. **Schema validation**: Define schemas for all tool arguments
3. **Least privilege**: Restrict resource access to the minimum required
4. **Monitor tool calls**: Review tool call patterns in the security dashboard
5. **Version policies**: Use policy-as-code to track MCP security changes in git

## Next Steps

<CardGroup cols={2}>
  <Card title="Agent Security API" icon="robot" href="/api-reference/agent-security">
    Tool validation API reference
  </Card>

  <Card title="Policy-as-Code" icon="file-code" href="/security/policy-as-code">
    Manage MCP policies in YAML
  </Card>
</CardGroup>
