MCP Dev Summit North America

With the recent specification update, MCP moved away from using DCR as the default in favor of Client ID Metadata Documents (CIMD). It's a new approach to client registration already adopted by such projects like Bluesky, and now making its way to the MCP ecosystem. CIMD is significantly easier to use than DCR while providing the same security guarantees and a much more flexible approach to client governance. In this session, you will learn about the transition from DCR to CIMD, how you should design your MCP servers (and MCP clients) around this new requirement, and what the future holds for broader CIMD adoption.

This session will describe the work of the AI Threat Modeling working group within the OpenID Foundation. Security considerations in OAuth were a concern before MCP, and MCP's use of OAuth raises additional concerns including malicious elicitation and code execution requests. I will describe MCP attacks which enable attackers to exfiltrate sensitive data, compromise password-protected accounts, and gain remote control of local machines.

MCP deployments increasingly involve multiple authorization servers / identity providers across tools, registries, gateways, and enterprise environments. That flexibility introduces a classic but under-discussed class of failures: mix up attacks. A mix-up attack is where a client or intermediary confuses which issuer/authorization server it’s interacting with and misroutes sign-in artifacts, such as tokens, to the wrong party, potentially a malicious one.

This talk gives a clear threat model for mix-up in MCP-style topologies (client↔server↔auth server), then focuses on practical mitigations being discussed in the Auth Mix-Up Attack Prevention WG. I’ll also cover what’s realistic to adopt today in SDKs and servers versus what should be standardized in the MCP Core spec or another standard like OAuth.

MCP makes it easy for AI agents to connect to tools, but authorization hasn't kept up. Users connecting an MCP client to a dozen MCP servers face a dozen separate OAuth flows, one for each server, each with its own login and token lifecycle. If we have Single Sign-On, why are users signing in so many times? It's not just a UX problem. Enterprise environments can quickly run into governance issues with unmanaged or scattered permissions. Security teams can't answer basic questions about which agent can access which system under what policy. Every agent-to-server connection is another point-to-point relationship with no central visibility. Cross-App Access (XAA), built on the Identity Assertion JWT Authorization Grant (ID-JAG), solves both problems. By leveraging the existing trust between the MCP client, MCP server, and the organization's Identity Provider, the IdP can broker token exchanges from the user's initial login. Agents gain access to everything the admin has approved with one sign-in. No additional user interaction required. The IdP becomes the policy decision point for approving, scoping, and auditing delegated access across MCP integrations. In this session, Paul Carleton (Anthropic) and Max Gerber (Twilio) explain the technical underpinnings that enable enterprise admins to enforce policies about which users, clients, and servers can interact. They'll also demo an MCP client completing an XAA flow from beginning to end to obtain access tokens securely and silently. Attendees will leave understanding how Cross-App Access works and how to integrate with it.

The MCP security conversation focuses heavily on prompt injection, tool abuse, and session hijacking. These matter. But if you're running a registry of MCP servers, your most likely breach won't be complicated. It will be a compromised server you trusted too quickly.

Supply chain attacks aren't new, and neither are the defenses. But the speed of MCP adoption has outpaced basic hygiene: validation, provenance, versioning, and review processes that mature package ecosystems learned the hard way.

This talk argues that before you harden against novel agent-based attacks, you need to treat your MCP registry like critical infrastructure. We'll cover practical approaches to vetting servers, establishing trust boundaries, detecting drift, and building review workflows that scale.

Prompt injection is a real threat. But the server you added last week without review is a more immediate one.

Security in the MCP ecosystem has primarily followed a "Henhouse Model": building a perimeter to manage who enters with which keys. While we’ve become adept at granting agents the access they need to be productive, a new challenge is emerging. Because agents often operate with the user’s broad privileges, it is no longer just about managing entry; it is about ensuring that an agent's actions remain consistently aligned with the user’s intent.

While sandboxing is vital for isolation, it cannot "undo" the real world. When an agent uses an MCP tool to send an email, modify a calendar, or trigger a financial API, it steps through a "one-way door." Unlike local code, these actions lack a git revert.

We believe the most sustainable path forward is to move the primary authorization boundary to the Host. In this session, we propose an architectural approach that shifts outbound security to the application layer. By centering protection where context is richest, we can simplify server development and provide a more reliable way to manage the unpredictable nature of autonomous workflows.

Model Context Protocol servers are increasingly granted access to critical infrastructure from observability systems and databases to code repositories. This access introduces new supply chain security challenges for teams operating MCP servers in real-world environments.

In this talk, we share lessons learned from Chainguard’s experience building MCP infrastructure for production. Starting with mcp-grafana, our first hardened MCP server, we reduced known CVEs to 0 at publish time while shrinking image size by 65%. We developed repeatable security patterns for MCP delivery, including automated rebuilds, attack surface minimization, SBOM generation, and SLSA provenance.

We then applied these same patterns to a different use case: a documentation MCP serving over 1,500 container image guides, enabling secure access through AI assistants. These implementations demonstrate how consistent supply chain controls can support both infrastructure-integrated and content-focused MCP servers.

Attendees will learn practical approaches to threat modeling MCP servers. We’ll also share our challenges and failures, along with open-source workflows the community can adopt across the MCP ecosystem.

As MCP evolves from local developer workflows to shared, remote infrastructure, new security & identity challenges emerge. Patterns that work for single-user, local MCP setups often break down when MCP servers become gateways serving thousands of users, agents, and tools. This session explores the architectural patterns required to deploy MCP securely in enterprise environments. We’ll examine common failure modes such as data overexposure, unsafe bulk operations, topic-based disclosure, and weak audit controls, and map them to practical MCP-level mitigations including least-privilege access, tool-level guardrails, and privacy-aware logging. A focus of the talk is the “4-Legged” Identity Challenge: when a user interacts with a web app, which calls an agent, which then calls a remote MCP server. This model is not natively handled by standard OAuth flows. We’ll cover approaches such as token exchange, pre-provisioned trust, and interactive authorization, and discuss how emerging MCP capabilities like protected resource metadata support scalable identity discovery. Attendees will leave with a blueprint for moving from local MCP development to secure, production-ready MCP deployments.

Many MCP servers aren't public - they're internal enterprise deployments where security, compliance, and safety aren't optional. Yet MCP currently lacks standardized middleware patterns, forcing teams into shared libraries and bespoke solutions that recreate the NxM problem.

Context middleware lets us intercept, inspect, and transform MCP traffic at trust boundaries. Just as tools were key to end-user MCP adoption, standardized middleware can unlock it for regulated industries: PII redaction, audit logging, prompt injection defense, hallucination detection - all without vendor lock-in or security gaps.

For the emerging gateway and proxy ecosystem, this opens new market opportunities: standardized integration points that transform MCP infrastructure into a composable, enterprise-grade platform.

This talk presents a working implementation as used at a major financial institution, including demos of attack prevention and real-world findings. You'll leave understanding the architecture, the extension, the trust boundary considerations, and how to start building context-aware middleware today.