Production checklist
Before exposing tools to AI clients, confirm that execution is governed outside the model.
- Keep upstream API credentials and database connection strings server-side.
- Publish only the tools required for the workflow.
- Use narrow database scopes and column permissions.
- Validate every database executor request in the Gateway.
- Redact sensitive values before log persistence.
- Track usage, latency, failures, and quota pressure.
- Use clear, agent-ready tool descriptions.
- Review public docs and LLM-readable files for accidental private details.
Common risks
Most MCP risk comes from broad tools, unclear descriptions, and misplaced credentials.
| Risk | Mitigation |
|---|---|
| Broad API tool | Hide endpoints that are not needed for the workflow. |
| Unclear tool description | Write agent-ready descriptions with purpose and constraints. |
| Prompt-held credential | Move credentials into the Gateway. |
| Raw database access | Use metadata-only schema tools and validated executor tools. |
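A Gateway-side validated executor tool of the kind the checklist items and the last table row describe, as an added example that is not the project's own code: it rejects any table, column, filter or limit outside a read-only scope, composes the SQL itself instead of accepting raw statements from the client, and redacts sensitive values before the request record is logged. The SCOPE and SENSITIVE sets, the MAX_LIMIT value and the in-memory `orders` table are constructed assumptions.

```python
import sqlite3
# Added example, not the project's own code. SCOPE is an assumption: the one table and the columns one workflow may read.
SCOPE = {"orders": {"id", "status", "total"}}
SENSITIVE = {"email", "card_number"}   # masked before any log persistence
MAX_LIMIT = 100

def validate(req):
    """Return an error string, or None when the request stays inside SCOPE."""
    table, cols = req.get("table"), set(req.get("columns", []))
    if table not in SCOPE:
        return "table not in scope: %r" % table
    if not cols or cols - SCOPE[table]:
        return "columns not in scope: %s" % sorted(cols - SCOPE[table])
    if set(req.get("where", {})) - SCOPE[table]:
        return "filter columns not in scope"
    if not 1 <= int(req.get("limit", MAX_LIMIT)) <= MAX_LIMIT:
        return "limit out of range"
    return None

def build_select(req):
    """Gateway composes one parameterized SELECT; the client never sends raw SQL.
    Identifiers are interpolated only after validate() checked them against SCOPE."""
    where = req.get("where", {})
    sql = "SELECT %s FROM %s" % (", ".join(sorted(req["columns"])), req["table"])
    if where:
        sql += " WHERE " + " AND ".join("%s = ?" % k for k in sorted(where))
    params = [where[k] for k in sorted(where)] + [int(req.get("limit", MAX_LIMIT))]
    return sql + " LIMIT ?", params

def redact(obj):
    """Mask sensitive values, recursing into nested dicts, before a record is logged."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in SENSITIVE else redact(v) for k, v in obj.items()}
    return obj

def execute(conn, req):
    """Validate, build, run; only the redacted request reaches the audit log."""
    err = validate(req)
    if err:
        raise PermissionError(err)
    sql, params = build_select(req)
    print("audit:", redact(req))
    return conn.execute(sql, params).fetchall()

def demo_db():
    """Constructed in-memory table standing in for the upstream database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders(id INTEGER, status TEXT, total REAL, email TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [(1, "shipped", 9.5, "a@example.com"), (2, "open", 20.0, "b@example.com")])
    return conn
```

Calling `execute(demo_db(), {"table": "orders", "columns": ["id", "total"], "where": {"status": "shipped"}})` returns the scoped row while a request naming `email` is refused before any SQL is built.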
Operating model
Treat MCP traffic like production integration traffic.
AI-driven tool calls need observability, rate controls, audit trails, and change control. Teams should be able to pause integrations, hide tools, update descriptions, and adjust database scope permissions without changing client code.
Common questions
Should MCP security live in prompts?
No. Prompts can guide behavior, but validation and enforcement should live in the Gateway or another trusted backend layer.
What is the safest first publish surface?
Start with a narrow OpenAPI operation set or a read-only database scope with only the columns needed for one workflow.
Why do descriptions matter for security?
Clear descriptions reduce accidental tool misuse by helping AI clients choose the intended tool and understand constraints.