You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have verified this would not be more appropriate as a feature request in a specific repository
I have searched existing discussions to avoid duplicates
Your Idea
Can tools/list surface scope requirements to reduce runtime 403s?
The MCP spec (2025-11-25) defines a solid step-up authorization flow in the Authorization section. But the flow is entirely reactive — the client only learns about missing scopes after a tools/call fails with 403 insufficient_scope. In enterprise deployments with 100+ tools, this creates a significant inefficiency.
I wanted to raise a question about whether the spec could enable clients to learn about scope requirements proactively during tools/list, rather than discovering them incrementally through 403s.
For context, here's what the authorization spec provides today — this is well-designed and I'm not questioning it:
Protected Resource Metadata (RFC 9728): The server publishes scopes_supported at the server level via /.well-known/oauth-protected-resource. This tells the client what scopes exist.
Scope Selection Strategy: On initial 401, the client reads the scope parameter from the WWW-Authenticate header, or falls back to scopes_supported from PRM. The spec says:
"This approach accommodates the general-purpose nature of MCP clients, which typically lack domain-specific knowledge to make informed decisions about individual scope selection."
When a tools/call fails with insufficient scopes, the server responds:
HTTP/1.1 403 Forbidden
WWW-Authenticate: Bearer error="insufficient_scope",
scope="files:read files:write user:profile",
resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource",
error_description="Additional file write permission required"
The client then parses the required scopes, re-authorizes, and retries. The spec also notes:
"The scopes_supported field is intended to represent the minimal set of scopes necessary for basic functionality, with additional scopes requested incrementally through the step-up authorization flow."
This is a clean, standards-compliant design. The question is whether it can be optimized for the tool discovery phase.
Question 1: Could tools/list include scope requirements per tool?
The Tool schema today includes annotations for behavioral hints (readOnlyHint, destructiveHint, idempotentHint, openWorldHint). These help clients and LLMs understand tool behavior before invocation.
Could there be an equivalent for authorization? For example:
Related but distinct question: should tools/list return all tools or only tools the authenticated user/agent can invoke?
Today, the spec says:
To discover available tools, clients send a tools/list request.
There's no mention of whether the response should be filtered by the client/user authorization. The tools/list request has cursor for pagination but no authorization context.
Alice (scopes: incident:read, cmdb:read):
tools/list → 150 tools (including 110 she can't use)
Bob (scopes: incident:*, cmdb:*, change:*, admin:*):
tools/list → 150 tools (can use all of them)
This creates two problems:
For LLMs: 150 tools in the context window when the user can only use 40. The extra 110 are noise — they increase token cost, dilute tool selection quality, and increase the probability of the LLM selecting an unauthorized tool.
For the step-up flow: The spec's incremental step-up pattern assumes the client will hit a few scope boundaries during normal use. But if 70% of the tools are inaccessible, the client is hitting 403s constantly — the exception becomes the norm.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Model Context Protocol
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Pre-submission Checklist
Your Idea
Can tools/list surface scope requirements to reduce runtime 403s?
The MCP spec (2025-11-25) defines a solid step-up authorization flow in the Authorization section. But the flow is entirely reactive — the client only learns about missing scopes after a tools/call fails with 403 insufficient_scope. In enterprise deployments with 100+ tools, this creates a significant inefficiency.
I wanted to raise a question about whether the spec could enable clients to learn about scope requirements proactively during tools/list, rather than discovering them incrementally through 403s.
For context, here's what the authorization spec provides today — this is well-designed and I'm not questioning it:
Protected Resource Metadata (RFC 9728): The server publishes scopes_supported at the server level via /.well-known/oauth-protected-resource. This tells the client what scopes exist.
Scope Selection Strategy: On initial 401, the client reads the scope parameter from the WWW-Authenticate header, or falls back to scopes_supported from PRM. The spec says:
"This approach accommodates the general-purpose nature of MCP clients, which typically lack domain-specific knowledge to make informed decisions about individual scope selection."
Step-Up Authorization Flow (Section: Scope Challenge Handling):
When a tools/call fails with insufficient scopes, the server responds:
HTTP/1.1 403 Forbidden
WWW-Authenticate: Bearer error="insufficient_scope",
scope="files:read files:write user:profile",
resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource",
error_description="Additional file write permission required"
The client then parses the required scopes, re-authorizes, and retries. The spec also notes:
"The scopes_supported field is intended to represent the minimal set of scopes necessary for basic functionality, with additional scopes requested incrementally through the step-up authorization flow."
This is a clean, standards-compliant design. The question is whether it can be optimized for the tool discovery phase.
Question 1: Could tools/list include scope requirements per tool?
The Tool schema today includes annotations for behavioral hints (readOnlyHint, destructiveHint, idempotentHint, openWorldHint). These help clients and LLMs understand tool behavior before invocation.
Could there be an equivalent for authorization? For example:
Question 2: Should tools/list be user-scoped?
Related but distinct question: should tools/list return all tools or only tools the authenticated user/agent can invoke?
Today, the spec says:
To discover available tools, clients send a tools/list request.There's no mention of whether the response should be filtered by the client/user authorization. The tools/list request has cursor for pagination but no authorization context.
This creates two problems:
For LLMs: 150 tools in the context window when the user can only use 40. The extra 110 are noise — they increase token cost, dilute tool selection quality, and increase the probability of the LLM selecting an unauthorized tool.
For the step-up flow: The spec's incremental step-up pattern assumes the client will hit a few scope boundaries during normal use. But if 70% of the tools are inaccessible, the client is hitting 403s constantly — the exception becomes the norm.
Scope
Beta Was this translation helpful? Give feedback.
All reactions