
MCP tool call authorization

MCP gives agents tools. Permission Protocol gives those tools authority boundaries.

As agents gain MCP tools, static permission lists are not enough. Sensitive tool calls need explicit authorization at the moment of action.

Tags: MCP tool call authorization, MCP security, AI agent tool approval, agent action authorization, human approval gate for MCP

The problem

An agent with a broad MCP tool can delete data, modify infrastructure, message customers, or move money with the same interface it uses for harmless reads.

Tool allowlists describe capability. They do not prove a specific high-risk call was authorized.

Self-policing agents can rationalize risky calls when success metrics reward task completion over governance.

How Permission Protocol handles it

Wrap sensitive MCP tools with an authorization request before execution.

Route approval to the right human based on action type, environment, amount, or blast radius.

Fail closed when no valid receipt exists.

Concrete bad scenario

An agent has an MCP tool that can update Stripe, delete rows, or message customers. The same server also exposes harmless read-only methods, so a broad allowlist cannot distinguish inspection from production mutation.

Policy Permission Protocol applies

Read-only calls auto-clear. Mutations over customer data require approval. Refunds above $500 require a finance signer. Broadcast customer messages require a support or growth owner. Destructive data deletion is denied unless routed through an approved break-glass policy.

Exact enforcement point

The MCP server or tool wrapper calls Permission Protocol before executing high-risk methods. If no valid receipt exists for the exact tool, method, resource, amount, and actor, the call fails closed.

Sample receipt

Actor and agent session
Tool name and MCP method
Resource id or customer scope
Amount, environment, or mutation class
Policy id and decision
Signer role and identity
Timestamp and receipt id

Would Permission Protocol block this?

Blocked

Stripe refund over $500

The agent requests a $1,200 refund. The tool pauses until a finance signer approves the exact customer, amount, and reason.

Cleared

Customer record read

The agent reads a customer status field. Policy treats it as low-risk and clears the call without human interruption.

Denied

Bulk row deletion

The agent requests a broad delete over customer data. Policy denies the call unless it enters a separate break-glass workflow.

Implementation checklist

  1. Identify tools that mutate production, customer data, payments, messaging, or infrastructure.
  2. Wrap those calls with Permission Protocol before execution.
  3. Set policies for auto-clear, approval_required, and denied outcomes.
  4. Store receipts with the action logs so audits can prove authorization.
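The following is an added example that ties the checklist above to the enforcement point, the policy, the receipt fields and the three scenarios described on this page. It is illustrative code written for this page, not Permission Protocol's SDK or API: the MCP method names, policy ids, signer roles, the receipt format (an HMAC-SHA256 over the exact call fields), the expiry window and the approver stand-ins are all constructed assumptions.

```python
# Added example for this page: a fail-closed authorization gate in front of
# an MCP tool, with signed receipts. Illustrative code, not Permission
# Protocol's SDK; method names, policy ids, signer roles, receipt format
# (HMAC-SHA256 over the call fields) and expiry window are constructed here.
import hashlib
import hmac
import json
import time
import uuid
from dataclasses import asdict, dataclass
from typing import Callable, Optional

AUTO_CLEAR, APPROVAL_REQUIRED, DENIED = "auto_clear", "approval_required", "denied"
REFUND_FINANCE_THRESHOLD = 500.0            # from the page's policy ($500)
READ_ONLY_METHODS = {"customer.get", "customer.list"}   # constructed names
RECEIPT_MAX_AGE_S = 300                     # assumption: a receipt expires
DEMO_KEY = b"constructed-demo-key"          # placeholder signing key

@dataclass(frozen=True)
class ToolCall:
    actor: str        # agent session
    tool: str         # MCP tool / server name
    method: str       # MCP method
    resource: str     # resource id or customer scope
    environment: str  # e.g. "prod"
    amount: float = 0.0

@dataclass(frozen=True)
class Receipt:
    call: dict        # the exact call the authorization covers
    policy_id: str
    decision: str
    signer_role: Optional[str]
    signer_id: Optional[str]
    issued_at: float
    receipt_id: str
    signature: str

def evaluate_policy(call: ToolCall):
    """Map a call to (decision, required signer role, policy id)."""
    if call.method in READ_ONLY_METHODS:
        return AUTO_CLEAR, None, "policy:read-only"
    if call.method == "customer.delete_bulk":
        # destructive deletion is denied; break-glass is a separate workflow
        return DENIED, None, "policy:destructive-delete"
    if call.method == "stripe.refund" and call.amount > REFUND_FINANCE_THRESHOLD:
        return APPROVAL_REQUIRED, "finance", "policy:refund-over-500"
    if call.method == "message.broadcast":
        return APPROVAL_REQUIRED, "support_or_growth", "policy:broadcast"
    return APPROVAL_REQUIRED, "data_owner", "policy:customer-mutation"

def _mac(key: bytes, body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def issue_receipt(key, call, policy_id, decision, signer_role, signer_id, now):
    body = dict(call=asdict(call), policy_id=policy_id, decision=decision,
                signer_role=signer_role, signer_id=signer_id,
                issued_at=now, receipt_id=str(uuid.uuid4()))
    return Receipt(signature=_mac(key, body), **body)

def receipt_is_valid(key, receipt, call, now) -> bool:
    """Every check must pass for this exact call; anything else fails closed."""
    body = asdict(receipt)
    signature = body.pop("signature")
    return (hmac.compare_digest(signature, _mac(key, body))
            and receipt.decision in (AUTO_CLEAR, APPROVAL_REQUIRED)
            and receipt.call == asdict(call)   # tool, method, resource, amount, actor
            and now - receipt.issued_at <= RECEIPT_MAX_AGE_S)

def authorize(key, call, approver: Callable[[ToolCall, str], Optional[str]], now=None):
    """Run policy; route to a human when required; return a Receipt or None."""
    now = time.time() if now is None else now
    decision, role, policy_id = evaluate_policy(call)
    if decision == DENIED:
        return None
    signer_id = None
    if decision == APPROVAL_REQUIRED:
        try:
            signer_id = approver(call, role)        # pauses until a signer answers
        except Exception:                           # approval service unreachable
            return None                             # fail closed
        if signer_id is None:                       # rejected or timed out
            return None
    return issue_receipt(key, call, policy_id, decision, role, signer_id, now)

def execute_gated(key, call, receipt, executor, now=None):
    """The enforcement point: no valid receipt for this exact call, no execution."""
    now = time.time() if now is None else now
    if receipt is None or not receipt_is_valid(key, receipt, call, now):
        raise PermissionError(f"no valid receipt for {call.method} on {call.resource}")
    return executor(call)

def demo_approver(call, role):
    """Constructed stand-in for a human approval queue: only finance answers."""
    return "finance:alice" if role == "finance" else None

def unreachable_approver(call, role):
    """Constructed stand-in for an approval service that is down."""
    raise ConnectionError("approval service unreachable")
```

With this shape, a receipt issued for a $1,200 refund to one customer cannot be replayed against another customer, a different amount, or after it expires, because `receipt_is_valid` compares the signed call fields against the call actually being executed. In a real deployment the signing key stays with the authorization service and the MCP server or wrapper only verifies; the `receipt_id` is what you store next to the action log for step 4 of the checklist.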

FAQ

Is an MCP allowlist enough?

Not for high-risk tools. An allowlist says the agent can call a tool. Permission Protocol proves this exact call was authorized before it executed.

Does this slow every tool call down?

No. Only sensitive calls need a gate. Read-only and low-risk actions can clear automatically under policy.

What if Permission Protocol is unreachable?

Sensitive actions should fail closed. No receipt means no execution.