The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for MCP Dev Summit North America to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
This session will describe the work of the AI Threat Modeling working group within the OpenID Foundation. Security considerations in OAuth were a concern before MCP, and MCP's use of OAuth raises additional concerns including malicious elicitation and code execution requests. I will describe MCP attacks which enable attackers to exfiltrate sensitive data, compromise password-protected accounts, and gain remote control of local machines.
Chair of AI Threat Modeling Working Group, OpenID Foundation
By day, Sarah is Director of Product Management for Semperis, a Series C startup. She also chairs the AI threat modeling group in the OpenID Foundation. Prior to that she spent five years at AWS where she led the open-sourcing of Cedar. She co-founded IDPro and co-authored NIST SP...
Delivering unstructured file content over MCP introduces various challenges in performance, efficiency, and security. We will explore the questions that arise when building an MCP server for content management and some of the approaches that can be used to tackle them. As enterprise environments require a more conservative security posture, we’ll also break down strategies for mitigating data exfiltration risks and prompt injection attacks through granular, configurable guardrails.
- Why large content operations can fail: latency, data corruption
- Techniques for managing context efficiently and minimizing LLM token usage
- The benefits of programmatic tool calling for MCP tool composability
- Tradeoffs between MCP and CLI for content operations
- Handling safety risks when untrusted content becomes a data exfiltration vector
- Balancing functionality and security when designing tool guardrails
By starting from first principles and reviewing specific examples, attendees will leave with techniques for building MCP servers that process unstructured content efficiently and securely in enterprise environments.
Fernando Cerenza leads Box’s partner integration ecosystem, where he oversees a vast network of over 1,500 application integrations. He is currently spearheading Box’s AI-focused initiatives, driving development on MCP and A2A to enable advanced agentic AI outcomes and seamless...
Kailas Krivanka is a software engineer with expertise in API design, software architecture, and distributed systems. He has worked at Box for 4 years, building scalable systems and solving complex technical challenges including launching the Box MCP server. With experience across...
Agentic systems adopting MCP face a scalability hurdle: managing interactions with numerous servers exposing dozens or hundreds of tools. Injecting all tools into the model context, or "context bloat," increases latency, inflates context window usage, drives up costs, and degrades reasoning quality.
This session introduces the MCP Gateway pattern, an architectural solution to context bloat. This pattern uses an MCP-aware routing layer to dynamically select and inject only the tools semantically relevant to a user request.
We will detail the design and implementation of semantic tool routing utilizing intent classification, embedding-based search, and lightweight prompt analysis. The talk will cover how this routing layer interacts with multiple MCP servers, maintains protocol correctness, and enables just-in-time tool discovery without overwhelming the model.
Attendees will receive a practical blueprint for building scalable, cost-efficient, and modular agentic systems based on MCP. The session emphasizes reusable patterns and reference architectures applicable across the broader MCP ecosystem, independent of any single vendor or runtime.
Hugo Guerrero is a tech leader, speaker, and architect obsessed with AI, APIs, and the systems that connect them. From scaling developer ecosystems to mastering event-driven architecture, he focuses on making agentic connectivity a practical reality for modern enterprises. Passionate...
At WestJet, our flight schedule is modeled in a Neo4j graph database - airports, routes, aircraft, seasonal schedules. The data is rich, but accessing it required Cypher expertise most stakeholders don't have.
I built an MCP server to change that. By creating a proxy layer connecting Claude to our Neo4j database, I enabled non-technical colleagues to query complex flight relationships using natural language. No Cypher. No waiting for developers. Just questions and answers.
This talk covers the journey from idea to working pilot: why I chose MCP, how I architected a proxy server wrapping the Neo4j MCP server, and what I learned deploying it internally. I'll give a live demo showing how analysts can explore our flight network conversationally.
This isn't a top-down initiative. It's about individual ownership - recognizing potential in data your team already maintains and using MCP to unlock value for people who couldn't access it before. Whether you're exploring MCP for enterprise data or graph databases, this talk offers a practical, beginner-friendly blueprint.
Anton Lysov is a Software Developer at WestJet, working on backend systems that power westjet.com, mobile apps, and services used by teams across the organization. Before WestJet, he was one of the first hires at Rafflebox, helping build a platform that raised over $500M CAD for nonprofits...
With MCP Apps, AI interactions are no longer limited to text. MCP Apps unlock the full power of the web within AI chat, allowing us to build AI-enriched UIs that persist, react and collaborate in real-time.
Through a series of demos and code deep-dives, I’ll showcase foundational patterns that we've found to be effective as MCP Apps gain ubiquity.
- Durability: Demo a “text snippet saver” that persists across conversations, threads, and even different AI clients, enabling shared memory that follows you everywhere.
- Async tasks: Start an async audio transcription job, monitor it with a progress bar, and receive a completion notification in chat, while other work continues.
- Realtime sync: See the job we just ran come alive as we play the original audio file with the text transcript rendering in perfect sync.
- Multiplayer: Join me in a live collaborative drawing demo accessible through a public MCP server. Draw your best race car in real-time while we watch everyone’s creations come to life. The best drawing wins a prize!
The purpose of these demos is to spark imagination and show a glimpse of the future of intelligent UIs that go beyond the capabilities of the modern web.
Now live on GitHub, gcloud-mcp is the open-source reference implementation bringing agentic power to Google Cloud via the Model Context Protocol. As cloud platforms grow more complex, traditional CLIs struggle to support exploratory, goal-driven interactions. This session shares architectural lessons from building the bridge between AI assistants and enterprise cloud services to enable agent-driven reasoning.
Using the Storage MCP server as a deep dive, we demonstrate how AI assistants interact with Google Cloud Storage via MCP. We’ll show how raw GCS APIs were transformed into high-level Storage Intelligence tools that support meaningful workflows rather than simple command execution.
We focus on the design of the /storage-mcp package, including how we summarize GCS metadata into concise, accurate responses that agents can reason over without hitting context limits. Finally, we discuss how metrics like cost, latency, and task accuracy guided our iteration, helping refine prompt design and tool granularity. Attendees will leave with practical, enterprise-ready patterns for building local MCP servers that enable efficient interaction with complex cloud infrastructure.
As AI agents become more autonomous through the Model Context Protocol (MCP), one question becomes unavoidable: why, when, and how should humans be asked to intervene to provide feedback or approval?
In this talk, we explore MCP elicitation as a core design pattern for agentic systems, not just as a UX or AX (Agent Experience) feature, but as a security, authorization, and trust mechanism.
We will:
- Trace how human interaction models evolved across web, APIs, and OAuth, and why MCP requires a new balance
- Break down elicitation patterns in agent workflows
- Show how elicitation integrates with fine-grained authorization, consent, and delegation
- Explore step-up authentication and human-in-the-loop approvals for accountability
- Discuss how proper elicitation improves trust, explainability, and compliance, without harming DX, UX, or AX
The goal is simple but critical: delivering agentic AI that users can trust, by design, not by trade-off.