Reference Brief / MCP Enterprise Platform

Production deployment of the Model Context Protocol

spec 2025-11-25 · OAuth 2.1 · JSON-RPC 2.0. Centralized portal, identity-brokered, audit-centralized, DLP-enforced. Streamable HTTP transport only in production; stdio retired except for development.

At a glance: 5 platform components; 7 phases to production; 10 OWASP MCP Top 10 entries; 94% Code Mode token reduction.

Components

  • MCP server portal (aggregation + policy): single endpoint per user. Discovery, DLP, audit, rate limits, scope.
  • Remote MCP servers (tool providers): long-lived HTTPS services; one per upstream. Inherit from monorepo template.
  • Identity broker (OAuth + posture): SSO, MFA, device posture. Short-lived tokens, scope claims, audience binding.
  • AI Gateway (cost + provider): client-to-LLM proxy. Per-user budgets, switching, prompt logging.
  • SWG / network egress (shadow detection): outbound inspection for unauthorized MCP via JSON-RPC patterns.

Architecture path

Centralized portal

Platform team owns deployment via monorepo template. New servers inherit CI/CD, secrets, default-deny writes, audit, rate limits, kill switch. Approval through AI governance.

Federated by team

Each team owns its servers; consumes shared identity + audit + DLP. Risk: low-investment team degrades posture for every consumer.

Vetted marketplace

Servers reviewed, listed, subscribed. Reasonable for external servers; internally it collapses back to the portal model unless paired with one.

Local-only (deprecated)

Acceptable for development inner loops, individual experimentation, MCPs requiring developer-machine filesystem. Not in production.

Transport (Streamable HTTP)

method | path | purpose
POST   | /mcp | client → server JSON-RPC; response application/json or text/event-stream
GET    | /mcp | long-lived SSE for server-initiated messages; resume via Last-Event-Id
DELETE | /mcp | terminate session by Mcp-Session-Id

header               | direction | purpose
Mcp-Session-Id       | both      | session id; server issues on initialize, client echoes
MCP-Protocol-Version | client    | protocol revision; e.g. 2025-11-25
Last-Event-Id        | client    | SSE resume cursor on reconnect
Origin               | client    | required; server returns 403 on invalid Origin (added 2025-11-25)
WWW-Authenticate     | server    | on 401, points to PRM document; carries scope challenges (SEP-835)
Authorization        | client    | Bearer token; audience-bound per RFC 8707

aspect  | stdio                      | streamable HTTP
shape   | subprocess per client      | long-lived service
cache   | resets per session         | steady state, multi-client share
auth    | implicit, process boundary | explicit via Authorization
audit   | fragmented per user        | centralized to SIEM
updates | user must rebuild          | deploy once
resume  | not supported              | Last-Event-Id

Authorization (OAuth 2.1)

  • OAuth 2.1 mandatory for MCP servers as resource servers. Clients implement DCR (RFC 7591) or OAuth Client ID Metadata Documents (SEP-991, added 2025-11-25).
  • RFC 9728 (Protected Resource Metadata) mandatory for servers. 401 response carries WWW-Authenticate with resource_metadata URL pointing to /.well-known/oauth-protected-resource; document declares authorization_servers.
  • RFC 8707 (Resource Indicators) mandatory for clients. resource parameter on token requests binds the access token to a specific MCP server URL; without it tokens are ambient and leak across resources.
  • AS metadata via RFC 8414 at /.well-known/oauth-authorization-server. OpenID Connect Discovery 1.0 also supported (added 2025-11-25).
  • Per-tool scopes: mcp:read, mcp:write, mcp:exec. Validate signature, audience (RFC 8707 §2), expiry every call.
  • Incremental scope consent via WWW-Authenticate (SEP-835). Client steps up scope mid-session without full re-auth.
  • URL Mode Elicitation (2025-11-25): server sends user to external OAuth flow in browser; credentials never transit MCP client. Enables PCI-compliant payment, third-party authorization without token passthrough.
  • Token rotation under 24h. Insufficient authentication / authorization is OWASP MCP07; privilege escalation via scope creep is MCP02.
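Per-call validation on the resource-server side, as an added example (not code from the brief or any MCP SDK): signature, expiry and RFC 8707 audience are checked on every request, a missing or bad token gets a 401 whose WWW-Authenticate carries the RFC 9728 resource_metadata pointer, and a token lacking the tool's scope gets an insufficient_scope challenge in the SEP-835 step-up shape. The HMAC key, the resource URL, the PRM URL and the tool-to-scope map are constructed assumptions; a real server would verify against the authorization server's published keys.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"                          # assumption: demo HMAC key, not a production AS key
RESOURCE = "https://mcp.example.internal/mcp"             # assumption: this server's canonical URL (RFC 8707 resource)
PRM_URL = "https://mcp.example.internal/.well-known/oauth-protected-resource"  # assumption
TOOL_SCOPES = {"tools/list": "mcp:read", "tools/call": "mcp:exec"}  # assumption: per-tool scope map

def _b64(b):   return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims):
    """Constructed HS256 JWT so the demo is self-contained; a real AS issues these."""
    h = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64(sig)}"

def authorize(authorization_header, method, now=None):
    """Return (status, response_headers, claims) for one JSON-RPC call."""
    now = now or time.time()
    challenge = f'Bearer realm="mcp", resource_metadata="{PRM_URL}"'   # RFC 9728 pointer on every 401
    invalid = {"WWW-Authenticate": challenge + ', error="invalid_token"'}
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"WWW-Authenticate": challenge}, None
    try:
        h, p, s = authorization_header[7:].split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(p))
    except Exception:
        return 401, invalid, None
    if claims.get("exp", 0) <= now:                       # expiry checked on every call
        return 401, invalid, None
    aud = claims.get("aud")                               # RFC 8707: token must name THIS server
    if RESOURCE not in (aud if isinstance(aud, list) else [aud]):
        return 401, invalid, None                         # ambient token from another resource is rejected
    needed = TOOL_SCOPES.get(method, "mcp:exec")          # unknown methods default to the strictest scope
    if needed not in claims.get("scope", "").split():
        step_up = challenge + f', error="insufficient_scope", scope="{needed}"'   # SEP-835 step-up
        return 403, {"WWW-Authenticate": step_up}, claims
    return 200, {}, claims
```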

Wire format

    # initialize
    POST /mcp HTTP/1.1
    Content-Type: application/json
    Accept: application/json, text/event-stream
    MCP-Protocol-Version: 2025-11-25

    {"jsonrpc":"2.0","id":1,"method":"initialize","params":{...}}

    HTTP/1.1 200 OK
    Content-Type: application/json
    Mcp-Session-Id: 7a3f9c-...

    # server-initiated SSE stream (sampling, notifications)
    GET /mcp HTTP/1.1
    Mcp-Session-Id: 7a3f9c-...
    Last-Event-Id: 42

    HTTP/1.1 200 OK
    Content-Type: text/event-stream

    event: message
    id: 43
    data: {"jsonrpc":"2.0","method":"sampling/createMessage",...}

    # 401 with PRM pointer (RFC 9728)
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Bearer realm="mcp", resource_metadata="https://srv/.well-known/oauth-protected-resource"

Observability

  • Per-call audit: caller, tool, params (sensitive fields redacted), outcome, latency, policy decisions (rate limit, deny list, kill switch). Lack of audit and telemetry is OWASP MCP08.
  • Real-time ship to SIEM via OpenTelemetry / Vector / fluentd. Append-only on receiver. Cryptographic chaining for high-stakes audit.
  • DLP at portal: per-tool rules block PII / PHI / secrets / source-with-keys. Context injection & over-sharing is OWASP MCP10.
  • Token-shape regex redaction at log layer; token mismanagement is MCP01. No long-lived tokens in logs.
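Portal-side audit record construction, as an added example (not code from the brief): each per-call record carries caller, tool, redacted params, outcome, latency and policy decisions, token-shaped strings and sensitive parameter names are scrubbed before the record is emitted, and records are SHA-256 chained so a receiver can detect edits or removals. The token patterns and the sensitive-parameter list are constructed assumptions.

```python
import hashlib, json, re

# Constructed token-shape rules; the JWT rule catches the three-segment "eyJ..." form.
TOKEN_PATTERNS = [
    re.compile(r"Bearer\s+[A-Za-z0-9\-_.~+/]+=*"),
    re.compile(r"eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+"),
]
SENSITIVE_PARAMS = {"password", "api_key", "token", "authorization"}  # assumption: per-tool redaction list

def redact(value):
    """Recursively redact sensitive param names and token-shaped strings."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pat in TOKEN_PATTERNS:
            value = pat.sub("[TOKEN]", value)
    return value

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class AuditChain:
    """Append-only, hash-chained per-call audit log; ship records to the SIEM as they are made."""
    def __init__(self):
        self.records = []
        self.prev = "0" * 64          # genesis hash

    def append(self, caller, tool, params, outcome, latency_ms, decisions, ts):
        rec = {"ts": ts, "caller": caller, "tool": tool, "params": redact(params),
               "outcome": outcome, "latency_ms": latency_ms, "policy": decisions, "prev": self.prev}
        rec["hash"] = _digest(rec)    # hash covers the redacted record plus the previous hash
        self.prev = rec["hash"]
        self.records.append(rec)
        return rec

def verify_chain(records):
    """Recompute every link; return index of the first broken record, or -1 if intact."""
    prev = "0" * 64
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != rec.get("hash"):
            return i
        prev = rec["hash"]
    return -1
```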

Multi-tenancy

  • Portals are the policy boundary; upstream servers stay group-unaware.
  • One upstream MCP behind multiple portals with different scopes, policies, audit streams.
  • Cache keys must include tenant identity to prevent cross-tenant leakage.

Code Mode (novel)

  • Code Mode collapses upstream tool catalogs to 2 portal tools: portal_codemode_search, portal_codemode_execute.
  • Model writes JS against discovery + execution proxies in sandboxed runtime (Cloudflare Dynamic Workers in their reference implementation).
  • Reported: 52 tools / 9,400 tokens to 2 / 600 (94% reduction); cost fixed regardless of MCP count.
  • Trade-off: model-written code is itself an injection surface. Command injection & execution is OWASP MCP05.
  • Phase 6 optimization. Pilot after base platform stable.

Shadow MCP

  • Shadow MCP servers = OWASP MCP09. Unsanctioned servers accessed outside the portal.
  • SWG detection: /mcp and /mcp/sse paths, JSON-RPC method strings (tools/call, tools/list, initialize, sampling/createMessage), Mcp-Session-Id header presence.
  • DLP regex on body: "method"\s*:\s*"tools/(call|list)"; "protocolVersion"\s*:\s*"202[5-6]-[0-9]{2}-[0-9]{2}".
  • Action: block at egress, log to investigation queue.
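The egress classifier described above, as an added example (not code from the brief or any SWG product): it scores a captured outbound request on the /mcp and /mcp/sse paths, the two body regexes, the JSON-RPC method names and the Mcp-Session-Id header, then returns block for unsanctioned hosts and sanctioned for traffic to the portal. The sanctioned hostname and the sample requests are constructed.

```python
import json, re

MCP_PATHS = re.compile(r"^/mcp(/sse)?$")
MCP_METHODS = {"tools/call", "tools/list", "initialize", "sampling/createMessage"}
BODY_RULES = [   # the two DLP regexes from the brief
    ("jsonrpc tools method", re.compile(r'"method"\s*:\s*"tools/(call|list)"')),
    ("mcp protocolVersion", re.compile(r'"protocolVersion"\s*:\s*"202[5-6]-[0-9]{2}-[0-9]{2}"')),
]
SANCTIONED_HOSTS = {"mcp-portal.example.internal"}   # assumption: the portal's hostname

def classify(req):
    """req: dict with host, path, headers, body. Returns (verdict, reasons)."""
    reasons = []
    if MCP_PATHS.match(req.get("path", "")):
        reasons.append(f"mcp path {req['path']}")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    for h in ("mcp-session-id", "mcp-protocol-version"):
        if h in headers:
            reasons.append(f"{h} header")
    body = req.get("body", "")
    for name, rule in BODY_RULES:
        if rule.search(body):
            reasons.append(name)
    try:
        method = json.loads(body).get("method")     # JSON-RPC method string, if the body parses
        if method in MCP_METHODS:
            reasons.append(f"jsonrpc method {method}")
    except (ValueError, AttributeError):
        pass                                        # not JSON, or not an object: no method signal
    if not reasons:
        return "allow", reasons
    if req.get("host") in SANCTIONED_HOSTS:
        return "sanctioned", reasons
    return "block", reasons                         # unsanctioned MCP: block at egress, queue for investigation

# Constructed sample egress records.
SHADOW = {"host": "tools.example.com", "path": "/mcp", "headers": {"Content-Type": "application/json"},
          "body": '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"search"}}'}
INIT = {"host": "x.example.net", "path": "/rpc", "headers": {},
        "body": '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2025-11-25"}}'}
BENIGN = {"host": "api.example.com", "path": "/v1/users", "headers": {}, "body": '{"page":1}'}
```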

First-party policy

  • Mandate: every internal service exposed via MCP ships a first-party server. No community packages of unknown provenance.
  • Vendors publish official MCPs to prevent customer consumption of third-party packages. Supply chain attacks & dependency tampering is OWASP MCP04.
  • SBOM scanned every build. Tool poisoning (MCP03) sub-techniques: rug pulls, schema poisoning, tool shadowing.

Threat model: OWASP MCP Top 10 (2025)

id    | category                                   | primary control surface
MCP01 | token mismanagement & secret exposure      | vault-backed creds, log redaction, rotation under 24h
MCP02 | privilege escalation via scope creep       | scope minimization, periodic review, JIT elevation
MCP03 | tool poisoning                             | signed manifests, code review of descriptions, no runtime templating
MCP04 | supply chain attacks & dependency tampering | SBOM, internal mirror, signed releases, first-party only
MCP05 | command injection & execution              | command allowlist at schema, sandbox, syscall filter
MCP06 | prompt injection via contextual payloads   | output sanitization, structured envelopes, instruction-pattern stripping
MCP07 | insufficient authentication & authorization | OAuth 2.1 + RFC 9728 + RFC 8707, validate every call
MCP08 | lack of audit and telemetry                | per-call SIEM shipping, append-only, chained logs
MCP09 | shadow MCP servers                         | SWG detection, egress blocking, audit proxy
MCP10 | context injection & over-sharing           | DLP at portal, classification tagging, flow analysis

Threat-model deltas (local → shared)

risk                        | local                         | shared
credential exposure (MCP01) | user shell, kubeconfig, netrc | service account, vault-backed
scope creep (MCP02)         | drift unmanaged               | portal enforces scope on every call
tool poisoning (MCP03)      | unmanaged updates             | signed manifests, version pin
supply chain (MCP04)        | unvetted public registry      | curated, signed releases
command injection (MCP05)   | user shell as sandbox         | isolated runtime + allowlist
prompt injection (MCP06)    | per-user impact               | wider blast radius across users
authn/authz (MCP07)         | implicit                      | explicit; OAuth 2.1 must be enforced
audit (MCP08)               | per-user, opaque              | centralized to SIEM
shadow MCP (MCP09)          | undetectable                  | SWG detects + blocks
over-sharing (MCP10)        | no DLP layer                  | portal-level DLP rules

Transition phases

  1. Inventory existing MCP usage. SWG identifies gaps. [visibility]
  2. Stand up portal; integrate identity (OAuth 2.1 + RFC 9728 + RFC 8707), audit, DLP. [platform]
  3. Migrate low-risk MCP. Validate per-call authz, session lifecycle, SSE resume. [first server]
  4. Migrate high-traffic MCP with full hardening (rate limits, deny lists, response shaping, circuit breaker, cardinality estimation where applicable). [operational pattern]
  5. Block local at policy + network for migrated upstreams. SWG enforces. [enforcement]
  6. Roll out remaining servers. High-risk surfaces (shell exec, code exec, fs-write) sit last. [remaining surface]
  7. Pilot Code Mode. Measure token reduction in production traffic. Default-on if sandbox holds under adversarial input. [optimization]

Decision points

question                    | recommendation
portal stack                | adopt where possible; portal logic is generic
identity broker             | extend existing IdP; no new identity surface
AI Gateway                  | defer until LLM cost is material
DLP engine                  | integrate existing; do not roll your own
Code Mode                   | phase 6, not first move
shell-exec / code-exec MCPs | restrict to dev local; do not place behind shared portal without heavy sandbox
first-party policy          | mandate for any service exposed via MCP
OIDC vs OAuth-only          | OIDC Discovery 1.0 supported as of 2025-11-25; use if existing IdP speaks it

References