
MCP Quick Reference: Hosts, Clients, and Security


Developer | Adept in software development | Building expertise in machine learning and deep learning


# MCP Cheat Sheet: Hosts and Clients

A one‑page reference for **Model Context Protocol (MCP)** covering hosts, clients, servers, security, and interaction patterns.

---

## Core Components

**Host**
- Runs the LLM + MCP client
- Handles user interaction and UI (confirmations, prompts)

**Client**
- Orchestrates MCP communication
- Discovers servers
- Exposes allowed tools/resources to the LLM
- Enforces `allow / ask / deny`
- Triggers elicitation (user confirmation)

**Server**
- Provides tools and resources
- Enforces authorization and tenant isolation
- Validates inputs
- Executes actions
- Logs and audits

---

## Tools vs Resources

**Tools**
- Active, may cause side effects
- Higher risk
- Example: submit, update, send, approve

**Resources**
- Passive, read‑only data
- Lower risk
- Example: documents, configs, knowledge

---

## Common MCP Topologies

- **1 Client → Many Servers** (most common)
- **Many Clients → 1 Server**
- **Many ↔ Many** (fully modular)

---

## Client Permissions (`permissions.json`)

Controls **what the LLM may attempt** (client‑side only).

| Policy | Meaning |
|------|--------|
| `allow` | Proceed automatically |
| `ask` | Require user confirmation |
| `deny` | Never allow |

```json
{
  "tools": {
    "read_customer_summary": "allow",
    "submit_loan_application": "ask",
    "delete_customer": "deny"
  }
}
```

Best practice: deny‑by‑default, list tools explicitly.


---

## Elicitation (User Confirmation)

Used for high‑impact actions.
Forces explicit, structured input before execution.

**Why JSON Schema**
- Deterministic
- Strictly validated
- Cannot be faked by the LLM (the answer is collected from the user through the host UI, not taken from model output)

```json
{
  "type": "object",
  "properties": {
    "confirm": { "type": "boolean" },
    "reason": { "type": "string", "minLength": 10 }
  },
  "required": ["confirm"]
}
```

If schema validation fails → stop.


---

## Server‑Side Tool Policies

Each tool enforces policies such as:
- Required permissions (RBAC)
- Tenant isolation (ABAC)
- Environment rules
- Confirmation required
- Argument validation
- Audit logging

```yaml
submit_loan_application:
  permissions: [LOAN_SUBMIT]
  tenant_required: true
  confirmation: true
  allowed_environments: [prod]
```

**Tenant (Literal Meaning)**

Tenant = which data world you belong to

Examples:
- Country (DK, SE)
- Legal entity
- Organization

`tenant_required: true` means: you may only act inside your own tenant boundary.
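The client-side `permissions.json` lookup, the elicitation schema check and the server-side tool policy above, carried through as one added Python example (not code from the original page or from any MCP SDK); the dict layouts, the `caller` shape and the in-memory `AUDIT_LOG` are assumptions made for the example.

```python
# Client-side policy, copied from the permissions.json above; unlisted tools fall to "deny".
CLIENT_PERMISSIONS = {
    "read_customer_summary": "allow",
    "submit_loan_application": "ask",
    "delete_customer": "deny",
}

def client_decision(tool):
    """Deny-by-default: a tool not listed explicitly is never exposed to the LLM."""
    return CLIENT_PERMISSIONS.get(tool, "deny")

# Server-side policy for one tool, copied from the YAML above (dict layout is an assumption).
SERVER_POLICIES = {
    "submit_loan_application": {
        "permissions": {"LOAN_SUBMIT"},
        "tenant_required": True,
        "confirmation": True,
        "allowed_environments": {"prod"},
    },
}

def validate_elicitation(payload):
    """Hand-written check equivalent to the confirmation JSON Schema above."""
    if not isinstance(payload, dict) or not isinstance(payload.get("confirm"), bool):
        return False  # 'confirm' is required and must be a real boolean, not "yes"
    reason = payload.get("reason")
    if reason is not None and (not isinstance(reason, str) or len(reason) < 10):
        return False  # 'reason' is optional, but if given must be a string of >= 10 chars
    return payload["confirm"]

AUDIT_LOG = []  # constructed in-memory stand-in for a real audit sink

def authorize(tool, caller, args, env, elicitation=None):
    """Server-side enforcement; caller = {"user", "tenant", "permissions"} (assumed shape)."""
    policy = SERVER_POLICIES.get(tool)
    if policy is None:
        verdict = (False, "unknown tool")
    elif not policy["permissions"] <= caller["permissions"]:
        verdict = (False, "missing permission")  # RBAC
    elif policy["tenant_required"] and args.get("tenant") != caller["tenant"]:
        verdict = (False, "tenant mismatch")  # ABAC: stay inside your own tenant boundary
    elif env not in policy["allowed_environments"]:
        verdict = (False, "environment not allowed")
    elif policy["confirmation"] and not validate_elicitation(elicitation):
        verdict = (False, "confirmation missing or invalid")
    else:
        verdict = (True, "ok")
    AUDIT_LOG.append({"tool": tool, "user": caller["user"], "env": env,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict
```

Every call is audited whether it is allowed or not, and the server re-checks everything even when the client already answered `allow`.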


---

## Responsibility Split

- **LLM** → reasoning & intent
- **Client** → consent, exposure, elicitation
- **Server** → authorization, validation, enforcement
- **Backend** → actual execution

---

## Anti‑Patterns (Avoid)

- Trusting the LLM for security
- Generic “do anything” tools
- Missing tenant checks
- Prompt‑only safeguards
- Free‑text confirmation

---

## One‑Line Mental Model

The client decides what may be attempted; the server decides what actually happens.

