Back to Blog
ai-security mcp tool-poisoning

Securing MCP Tool Calls: Why AI Agents Need Authentication

KF
Kelly Fisher

The Model Context Protocol (MCP) is changing how AI agents interact with the world. Instead of being limited to text generation, agents can now call external tools — databases, APIs, file systems, deployment pipelines. This is powerful. It’s also dangerous.

The Tool-Poisoning Problem

When an AI agent calls an MCP tool, it trusts the tool definition provided by the tool server. The tool’s name, description, and parameter schema all influence how the agent uses it. But what if the tool definition has been tampered with?

Tool-poisoning attacks exploit this trust. A malicious tool server (or a compromised legitimate one) can serve tool definitions designed to:

  • Exfiltrate data: A tool called “format_text” with a description that instructs the agent to include the user’s conversation history in the request body.
  • Escalate privileges: A tool that claims to “read a file” but actually executes arbitrary commands.
  • Redirect actions: A tool that looks like a benign utility but sends requests to an attacker-controlled endpoint.

These attacks work because MCP doesn’t have a built-in mechanism for verifying tool integrity.

Signed Tool Definitions

HardenMCP introduces signed tool definitions. Every tool exposed through a secured MCP server gets a cryptographic signature that covers its name, description, parameters, and behavior. The SDK verifies these signatures before the agent can invoke the tool.

If a tool definition changes — even a single character in the description — the signature becomes invalid and the call is blocked. This prevents both external tampering and subtle prompt-injection attacks embedded in tool descriptions.

The Authentication Gap

Beyond tool integrity, there’s a more fundamental problem: most MCP tool calls have no authentication at all. The agent calls the tool, and the tool server processes the request. There’s no verification that the agent is authorized, that the request hasn’t been modified in transit, or that the tool server is who it claims to be.

HardenMCP closes this gap with the same ephemeral key rotation that powers HardenAPI. Tool calls get signed with HMAC headers using rotating keys. The tool server validates the signature before processing the request. Keys rotate automatically, so compromised credentials expire in seconds.

What This Looks Like in Practice

For MCP server operators, HardenMCP is a middleware that drops into your existing server. It validates inbound tool call signatures and serves signed tool definitions. For agent developers, it’s an SDK extension that signs outbound tool calls and verifies tool definitions before invocation.

The setup is deliberate: security for AI tool use should be as invisible as security for API calls. The agent doesn’t need to know about the cryptography. The developer doesn’t need to manage keys. The middleware handles everything.

Why This Matters Now

AI agents are moving from demos to production. Companies are connecting agents to internal APIs, databases, and infrastructure. The attack surface is expanding faster than the security tooling.

Tool-poisoning is not a theoretical risk. As MCP adoption grows, it will become a primary vector for attacking AI-powered systems. The time to add authentication is before the first incident, not after.

Want to see this in action?

Book a demo and we'll walk you through how HardenAPI and HardenMCP work in your environment.

Request a Demo