MCP Security
verbitas-mcp runs in a privileged position: it reads your API key and submits requests on behalf of an AI agent. This page documents the security model, the constraints enforced, and how to reduce risk.
Trust model
Three principals are involved in every MCP tool call:
| Principal | Controls | Trusted to |
|---|---|---|
| AI agent | Which tools to call, which file paths to sign, which recipes to use | Provide file paths and parameters. Not trusted to handle API keys. |
| verbitas-mcp | Authentication, input validation, idempotency, API key never leaving env | Enforce safety rules. Bridge agent intent to API calls. |
| api.verbitas.io | Authorization, billing, rate limiting, cryptographic operations | Enforce API key scopes, tenant isolation, and plan limits. |
The agent cannot bypass the MCP server’s safety rules by crafting tool arguments. The safety rules are enforced in the MCP server process, not by the API.
Safety rules enforced by verbitas-mcp
1. API key isolation
The API key is read from VERBITAS_API_KEY in the environment. It is never:
- Accepted as a tool parameter
- Echoed in tool results
- Logged to stdout or stderr
- Passed to the agent in any response field
2. Caller-provided file paths only
The vb_sign, vb_verify, and vb_lookup tools require a file_path parameter. The MCP server:
- Rejects file paths that are not absolute
- Does not infer or suggest file paths from conversation context
- Does not scan or enumerate directories
The agent must explicitly provide the file path for every operation.
3. File size limit
All file operations enforce a 100 MB maximum. Files above this limit are rejected with a descriptive error directing the agent to use the presigned PUT endpoint instead.
4. MIME type allow-list
Each tool has an allow-list of MIME types. vb_sign only accepts types appropriate for the specified recipe. File type is determined by magic bytes, not the file extension.
| Recipe media type | Allowed MIME types |
|---|---|
| image | image/jpeg, image/png, image/webp |
| audio | audio/wav, audio/mpeg, audio/flac, audio/ogg |
| video | video/mp4, video/webm |
| text | text/plain |
5. Admin scope enforcement
vb_recipe_create and vb_get_audit_log check the key scope before making any API call. If the key does not have admin scope, the tool returns an explicit error and does not attempt the call. The agent should not attempt workarounds.
6. No arbitrary code execution
The MCP server does not execute shell commands, spawn subprocesses, or run any user-supplied code. It only reads files (for upload) and makes HTTPS requests to api.verbitas.io.
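An added illustration, not verbitas-mcp's own code, of how rules 1 to 4 compose into a single pre-flight check on a sign request before any API call is made. The function names, the POSIX-only absolute-path test and the partial magic-byte sniffer are assumptions; the allow-list is the table above.

```typescript
// Added example, not verbitas-mcp's own code: the checks an MCP sign tool applies
// before any API call. Function names are hypothetical; POSIX paths are assumed.
const MAX_BYTES = 100 * 1024 * 1024; // rule 3: 100 MB limit
const ALLOWED: Record<string, string[]> = { // rule 4: allow-list per recipe media type
  image: ["image/jpeg", "image/png", "image/webp"],
  audio: ["audio/wav", "audio/mpeg", "audio/flac", "audio/ogg"],
  video: ["video/mp4", "video/webm"],
  text: ["text/plain"],
};
function ascii(b: Uint8Array, off: number, len: number): string {
  let s = "";
  for (let i = off; i < off + len && i < b.length; i++) s += String.fromCharCode(b[i]);
  return s;
}
// Type from magic bytes only; the extension in file_path is never consulted. Covers the
// table's signatures; text/plain has no magic and so is not recognised by this sniffer.
function sniffMime(b: Uint8Array): string | null {
  if (b.length >= 8 && b[0] === 0x89 && ascii(b, 1, 3) === "PNG") return "image/png";
  if (b.length >= 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff) return "image/jpeg";
  if (b.length >= 12 && ascii(b, 0, 4) === "RIFF") {
    const form = ascii(b, 8, 4);
    if (form === "WEBP") return "image/webp";
    if (form === "WAVE") return "audio/wav";
  }
  if (b.length >= 4 && ascii(b, 0, 4) === "fLaC") return "audio/flac";
  if (b.length >= 4 && ascii(b, 0, 4) === "OggS") return "audio/ogg";
  if (b.length >= 12 && ascii(b, 4, 4) === "ftyp") return "video/mp4";
  return null;
}

type Verdict = { ok: boolean; mime: string | null; error: string | null };
// args: raw tool arguments from the agent; size: file length; head: first bytes of the file.
function checkSignArgs(args: Record<string, unknown>, recipeMediaType: string,
                       size: number, head: Uint8Array): Verdict {
  const fail = (error: string): Verdict => ({ ok: false, mime: null, error });
  // Rule 1: the key is read from VERBITAS_API_KEY only, never accepted as a parameter.
  if ("api_key" in args) return fail("api_key is not a tool parameter; set VERBITAS_API_KEY");
  // Rule 2: the agent must supply an absolute path; nothing is inferred or scanned.
  const fp = args["file_path"];
  if (typeof fp !== "string" || !fp.startsWith("/")) return fail("file_path must be absolute");
  // Rule 3: oversize files are refused and pointed at the presigned PUT endpoint.
  if (size > MAX_BYTES) return fail("file exceeds 100 MB; use the presigned PUT endpoint");
  // Rule 4: the sniffed type must be in the recipe's allow-list.
  const mime = sniffMime(head);
  if (mime === null || !(ALLOWED[recipeMediaType] ?? []).includes(mime)) {
    return fail(`type ${mime ?? "unknown"} not allowed for ${recipeMediaType} recipe`);
  }
  return { ok: true, mime, error: null };
}
```

Because the type comes from the bytes, a JPEG named `photo.png` is accepted as image/jpeg for an image recipe, while a PNG offered to an audio recipe is refused.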
What an agent can do with the MCP server
- Sign any file the agent’s process can read, using any recipe available to the API key’s tenant
- Verify any file the agent’s process can read, or any asset ID
- Look up any file the agent’s process can read
- List recipes (read-only)
- Create custom recipes (if the key has admin scope)
- Read the audit log (if the key has admin scope)
What an agent cannot do with the MCP server
- Access other tenants’ data
- Call endpoints beyond the 6 tools
- Escalate key scope
- Sign files larger than 100 MB directly
- Create recipes with step kinds outside the closed enum
- Read the API key value
- Make arbitrary HTTP requests
Reducing risk
Use the minimum required scope
If an agent only needs to sign content, give it a sign-scoped key. If it only needs to verify, give it a verify-scoped key. Reserve admin-scoped keys for setup and recipe management tasks.
Separate keys per agent
Create a separate API key for each agent or pipeline. This allows you to revoke a single agent’s access without affecting others.
Monitor the audit log
All MCP tool calls that reach the API are recorded in the audit log (GET /v1/audit). Set up alerts for unexpected asset.signed volume or off-hours activity.
Version pin verbitas-mcp
Pin to a specific version in your MCP config rather than using @latest. Review the changelog before upgrading.
Reporting security issues
Report security vulnerabilities to [email protected]. Do not open public GitHub issues for security reports.