
MCP Permissions Architecture

Info: This page describes an upcoming product; details are subject to change. To get early access to MCPermit, contact us via email or via Slack.

What is MCPermit?

MCPermit delivers permissions-as-a-service for any Model Context Protocol (MCP) server, hosted or self-managed. It acts as a proxy/gateway between AI agents and the resources they invoke, providing:

  • Fine-grained ReBAC (relationship-based access control) powered by Permit.io, OPA, and OPAL
  • Five-stage authentication & authorization that binds user, agent, MCP server, and downstream service identities
  • Comprehensive auditing and anomaly detection covering every call, scope, and actor
  • Flexible delivery models that share identical policy semantics

A single URL switch yields consistent enforcement, instant visibility, and human-in-the-loop (HITL) approvals, with no code changes to agents or servers.

Core Components

Key components:

  • Gateway: Can be SaaS, self-hosted proxy, or in-process middleware
  • Permit.io PDP: Runs embedded (WASM) for µ-latency or remotely via OPAL
  • Audit Store: Feeds live anomaly detection
  • HITL service: Issues approval links and manages step-up auth
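The Audit Store is described above as the feed for live anomaly detection. The following is an added illustration, not MCPermit's own code, of three detection rules a defender would run over that feed: an agent reaching a server outside its established baseline, an allowed call whose scope was never granted (policy drift), and a burst of denials. The audit records, thresholds, agent names and baselines are all constructed for the example.

```python
"""Added example, not MCPermit's own code: three anomaly rules run over a
constructed audit log of gateway decisions, the kind of data an Audit Store
would feed to live detection. Records, thresholds and names are made up."""
from collections import defaultdict

# Constructed audit records, one per gateway decision (ts in seconds).
AUDIT_LOG = [
    {"ts": 100, "agent": "personal_assistant", "server": "gmail_mcp", "scope": "read_emails", "decision": "allow"},
    {"ts": 110, "agent": "personal_assistant", "server": "gmail_mcp", "scope": "create_event", "decision": "allow"},
    {"ts": 120, "agent": "team_bot", "server": "team_mcp_1", "scope": "schedule_meeting", "decision": "allow"},
    {"ts": 130, "agent": "personal_assistant", "server": "ops_mcp_1", "scope": "read_logs", "decision": "deny"},
    {"ts": 135, "agent": "personal_assistant", "server": "ops_mcp_1", "scope": "restart_service", "decision": "deny"},
    {"ts": 140, "agent": "personal_assistant", "server": "ops_mcp_1", "scope": "read_logs", "decision": "deny"},
    {"ts": 150, "agent": "team_bot", "server": "team_mcp_1", "scope": "delete_channel", "decision": "allow"},
]

# Constructed baselines: scopes each agent was granted, and agent->server pairs seen before.
GRANTED = {"personal_assistant": {"read_emails", "create_event"}, "team_bot": {"schedule_meeting"}}
BASELINE_PAIRS = {("personal_assistant", "gmail_mcp"), ("team_bot", "team_mcp_1")}


def detect(records, granted, baseline_pairs, denied_burst=3, window=60):
    """Return alerts as (rule, agent, detail) tuples in time order."""
    alerts = []
    seen = set(baseline_pairs)
    denials = defaultdict(list)          # agent -> timestamps of denied calls
    for r in sorted(records, key=lambda x: x["ts"]):
        agent, server, scope = r["agent"], r["server"], r["scope"]
        # Rule 1: an agent reaching a server it has never used (alert once per pair)
        if (agent, server) not in seen:
            seen.add((agent, server))
            alerts.append(("new_agent_server_pair", agent, server))
        # Rule 2: an allowed call whose scope was never granted: policy drift or misconfiguration
        if r["decision"] == "allow" and scope not in granted.get(agent, set()):
            alerts.append(("allowed_outside_granted_scope", agent, scope))
        # Rule 3: a burst of denials inside the window, fired once when the threshold is reached
        if r["decision"] == "deny":
            denials[agent].append(r["ts"])
            recent = [t for t in denials[agent] if r["ts"] - t < window]
            if len(recent) == denied_burst:
                alerts.append(("denied_burst", agent, f"{denied_burst} denials within {window}s"))
    return alerts


def run_demo():
    """Run the rules over the constructed log; returns three alerts."""
    return detect(AUDIT_LOG, GRANTED, BASELINE_PAIRS)


if __name__ == "__main__":
    for rule, agent, detail in run_demo():
        print(f"{rule:30} {agent:20} {detail}")
```

Rule 2 is the one worth keeping even when enforcement is perfect: an allow decision for a scope absent from the agent's grant set means the policy store and the audit baseline disagree, which is a misconfiguration signal rather than an attack signal.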

Integration Patterns

MCPermit offers three deployment patterns:

| Pattern | When to Use | How It Works |
| --- | --- | --- |
| Hosted Gateway | Fastest rollout; SaaS workloads | Point agents/servers to https://<org>.mcpermit.io |
| Side-car / Middleware | Low-latency, on-prem AI | Drop a lightweight proxy library in front of the MCP server |
| Hosting Platform | Building a multi-tenant MCP SaaS | MCPermit baked into ingress; tenants consume via hosted endpoints |

All patterns share one control plane, policy model, and log format.

Policy Model

Five Stages of Access Control

MCPermit provides five levels of policy control:

  1. Organization Policy – controls agent-type ↔ server-type pairings
  2. User Policy – user delegates a concrete agent
  3. Agent Permission – coarse scopes (read_emails, create_event)
  4. Operation Approval – per-call HITL step-up
  5. Org-Wide Constraints – DLP masks, region pinning, rate limits

Policy Architecture

MCPermit automatically generates Google Zanzibar-inspired ReBAC (relationship-based access control) policies from:

  • Defined roles for users and agents
  • MCP server types (e.g. personal, corporate, sensitive, proactive)
  • Role derivation from user profiles to agents
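To make the five stages and the relationship-based policy model concrete, here is an added example (not MCPermit's own code, and not its policy format): a toy Zanzibar-style tuple store plus a decision pipeline that walks stages 1 to 5 in order and reports which stage produced the answer. Every tuple, constraint and request is constructed for the illustration; the user, agent, scope and server names are borrowed from this page's tables, and `approval_id` is an assumed field standing in for a HITL approval link.

```python
"""Added example, not MCPermit's own code: a toy Zanzibar-style relationship
store and a decision pipeline that walks the five policy stages in order.
Every tuple, constraint and request below is constructed for illustration;
agent, user, scope and server names are borrowed from this page."""
from dataclasses import dataclass, field


@dataclass
class Decision:
    allowed: bool
    stage: int                 # the stage that produced the final answer (1..5)
    reason: str
    needs_hitl: bool = False   # stage 4 asked for a human approval
    masks: list = field(default_factory=list)   # stage 5 DLP masks to apply


class RelationStore:
    """Relationship tuples (object, relation, subject), as in Zanzibar."""

    def __init__(self):
        self._tuples = set()

    def add(self, obj, relation, subject):
        self._tuples.add((obj, relation, subject))

    def check(self, obj, relation, subject):
        return (obj, relation, subject) in self._tuples


def evaluate(store, org, req):
    """Walk stages 1..5; the first failing stage denies and names itself."""
    # Stage 1: organization policy on agent-type <-> server-type pairings
    if not store.check(f"server_type:{req['server_type']}", "allowed_agent_type",
                       f"agent_type:{req['agent_type']}"):
        return Decision(False, 1, "agent type not permitted for this server type")
    # Stage 2: the user must have delegated this concrete agent
    if not store.check(f"agent:{req['agent']}", "delegated_by", f"user:{req['user']}"):
        return Decision(False, 2, "agent not delegated by user")
    # Stage 3: the agent holds a coarse scope covering the requested tool
    if not store.check(f"agent:{req['agent']}", "has_scope", f"scope:{req['scope']}"):
        return Decision(False, 3, "scope not granted to agent")
    # Stage 4: risky operations need a per-call HITL approval id (assumed field)
    if req["scope"] in org["hitl_scopes"] and not req.get("approval_id"):
        return Decision(False, 4, "step-up approval required", needs_hitl=True)
    # Stage 5: org-wide constraints: region pinning, rate limit, DLP masks
    if req["region"] not in org["allowed_regions"]:
        return Decision(False, 5, f"region {req['region']} not pinned for org")
    if req["calls_this_minute"] >= org["rate_limit_per_minute"]:
        return Decision(False, 5, "rate limit exceeded")
    return Decision(True, 5, "allowed", masks=org["dlp_masks"].get(req["scope"], []))


def build_store():
    """Constructed tuples: what a generated ReBAC policy would contain."""
    s = RelationStore()
    s.add("server_type:personal", "allowed_agent_type", "agent_type:chat")     # stage 1
    s.add("server_type:ops", "allowed_agent_type", "agent_type:ambient")       # stage 1
    s.add("agent:personal_assistant", "delegated_by", "user:user_123")         # stage 2
    s.add("agent:personal_assistant", "has_scope", "scope:read_emails")        # stage 3
    s.add("agent:personal_assistant", "has_scope", "scope:create_event")       # stage 3
    return s


ORG = {  # constructed org-wide constraints (stages 4 and 5)
    "hitl_scopes": {"create_event"},
    "allowed_regions": {"eu-west-1"},
    "rate_limit_per_minute": 60,
    "dlp_masks": {"read_emails": ["email_address", "credit_card"]},
}


def demo():
    """Run representative requests through the pipeline, keyed by what each shows."""
    store = build_store()
    base = dict(user="user_123", agent="personal_assistant", agent_type="chat",
                server="gmail_mcp", server_type="personal", region="eu-west-1",
                calls_this_minute=3)
    return {
        "read_ok": evaluate(store, ORG, {**base, "scope": "read_emails"}),
        "needs_hitl": evaluate(store, ORG, {**base, "scope": "create_event"}),
        "approved": evaluate(store, ORG, {**base, "scope": "create_event", "approval_id": "apr-42"}),
        "wrong_type": evaluate(store, ORG, {**base, "agent_type": "proactive", "scope": "read_emails"}),
        "not_delegated": evaluate(store, ORG, {**base, "user": "user_999", "scope": "read_emails"}),
        "no_scope": evaluate(store, ORG, {**base, "scope": "delete_emails"}),
        "wrong_region": evaluate(store, ORG, {**base, "scope": "read_emails", "region": "us-east-1"}),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:14} allowed={d.allowed!s:5} stage={d.stage} {d.reason}")
```

The ordering matters: the organization pairing check runs before any per-user or per-agent data is consulted, so a misconfigured delegation can never widen what the organization policy forbids, and the DLP masks are attached to the allow decision so the gateway applies them before the response reaches the model.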

Authentication & Authorization

Token Taxonomy

| Stage | Actor | Carrier | Purpose |
| --- | --- | --- | --- |
| 1 | User (Originator) | OIDC JWT (sub) | Enterprise identity |
| 2 | Agent | Client creds / mTLS (agent_id) | Agent identity |
| 3 | Agent → Gateway | MCP OAuth (azp, scp) | Requested scopes |
| 4 | Gateway → MCP | On-demand service token | Least-privilege |
| 5 | Agent OBO User → Service | RFC 8693 token exchange | User context downstream |

Sequence Flows

First-Run Delegation

Authorized Call
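The following added example (not MCPermit's own code) walks one authorized call through the token taxonomy above: the gateway verifies the stage 1 user JWT, the stage 2 agent credential and the stage 3 OAuth token, checks that `azp` matches the agent and that `scp` covers the tool, then mints the stage 4 service token and a stage 5 RFC 8693-style on-behalf-of token. To run offline it uses a minimal HS256 JWT with one constructed shared secret and a constructed audience name; a real gateway would verify IdP-signed tokens via JWKS and call the IdP's token-exchange endpoint rather than signing locally. The delegation table is assumed to have been populated at first-run delegation.

```python
"""Added example, not MCPermit's own code: one authorized call, showing how a
gateway can bind the five token stages from the taxonomy above. A minimal
HS256 JWT with one constructed shared secret keeps it offline; a real
deployment would verify IdP-signed tokens via JWKS and call the IdP's
RFC 8693 token-exchange endpoint instead of minting locally."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"        # assumption: shared HMAC key for every issuer
GATEWAY = "mcpermit-gateway"               # constructed audience for stages 1-3


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify(token: str, expected_aud: str, now: int) -> dict:
    """Check signature, audience and expiry; return the claims."""
    header, body, sig = token.split(".")
    want = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def gateway_authorize(user_jwt, agent_cred, access_token, tool, server, service, delegations, now):
    """Stages 1-3 are verified; stages 4 and 5 are minted only if all three agree."""
    user = verify(user_jwt, GATEWAY, now)            # stage 1: originator (sub)
    agent = verify(agent_cred, GATEWAY, now)         # stage 2: agent identity (agent_id as sub)
    oauth = verify(access_token, GATEWAY, now)       # stage 3: MCP OAuth token (azp, scp)
    if oauth["azp"] != agent["sub"]:
        raise PermissionError("access token was not issued to this agent")
    if tool not in oauth["scp"].split():
        raise PermissionError(f"tool {tool} not within requested scopes")
    if agent["sub"] not in delegations.get(user["sub"], set()):
        raise PermissionError("user has not delegated this agent")
    # Stage 4: on-demand service token for the MCP server: one tool, 60 s lifetime
    service_token = sign({"iss": GATEWAY, "aud": server, "sub": agent["sub"], "obo": user["sub"],
                          "scope": tool, "iat": now, "exp": now + 60})
    # Stage 5: RFC 8693-style exchange; 'act' records the agent acting for the user
    obo_token = sign({"iss": GATEWAY, "aud": service, "sub": user["sub"], "act": {"sub": agent["sub"]},
                      "scope": tool, "iat": now, "exp": now + 300})
    return service_token, obo_token


def try_call(tool, now=1_700_000_000):
    """Constructed inputs: an IdP-issued user JWT, agent credential and OAuth token."""
    user_jwt = sign({"iss": "idp", "aud": GATEWAY, "sub": "user_123", "exp": now + 3600})
    agent_cred = sign({"iss": "idp", "aud": GATEWAY, "sub": "personal_assistant", "exp": now + 3600})
    access = sign({"iss": "idp", "aud": GATEWAY, "sub": "personal_assistant", "azp": "personal_assistant",
                   "scp": "read_emails create_event", "exp": now + 3600})
    delegations = {"user_123": {"personal_assistant"}}   # recorded at first-run delegation
    try:
        svc, obo = gateway_authorize(user_jwt, agent_cred, access, tool, "gmail_mcp", "gmail-api", delegations, now)
    except PermissionError as exc:
        return {"decision": "deny", "reason": str(exc)}
    return {"decision": "allow", "service": verify(svc, "gmail_mcp", now), "obo": verify(obo, "gmail-api", now)}


if __name__ == "__main__":
    print(json.dumps(try_call("read_emails"), indent=2))
    print(json.dumps(try_call("delete_emails"), indent=2))
```

Two properties are worth checking in any real implementation of this chain: the stage 4 token carries exactly one tool and a lifetime of seconds, so a leaked token buys very little, and the stage 5 token keeps the user as `sub` with the agent only in `act`, so the downstream service can authorize on the user while still auditing which agent made the call.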

Deployment Options

Gateway PDP Options

| Deployment | Latency (P95) | Isolation | Updates |
| --- | --- | --- | --- |
| Embedded WASM | < 10 ms | Per-gateway | Rego/Data via OPAL |
| Remote PDP | 10-30 ms RTT | Centralized | Horizontal scale |

Choose Embedded for air-gapped or ultra-low-latency; Remote for central governance.

Info: With MCPermit hybrid mode, you can start with an embedded PDP for low-latency enforcement and later connect it to the remote control plane for centralized policy management.

Key Advantages

  • Single control point for authZ, audit, and anomaly detection
  • Drop-in: no code changes, SDK optional
  • Fine-grained ReBAC: captures true user-agent-resource relationships
  • Policy-as-code: Rego, GitOps, unit tests
  • Short-lived creds: minimize blast radius
  • HITL safety net: step-up approvals for risky ops
  • DLP hooks: mask/redact before LLM exposure

Future Roadmap

| Area | Next Step |
| --- | --- |
| DLP | Client-side classifiers, inline redaction |
| Secrets-on-Demand | Vault-backed token minting |
| Policy Analytics | Graph-diff to flag over-permissioned agents |
| Chain-of-Trust Map | Real-time visualization of user → agent → resource |

Agent Configuration Examples

Below is an example of how different agents can be configured with various roles and permissions:

| Agent | Agent Roles | On behalf of (user ids) | Agent Type | MCP Servers |
| --- | --- | --- | --- | --- |
| Personal Assistant | user_assistant, task_manager | user_123 | chat | gmail_mcp, figma_mcp |
| Team Bot | team_assistant, meeting_scheduler | team_456_users | proactive | team_mcp_1, team_mcp_2 |
| Security Monitor | security_analyst, alert_manager | security_team_789 | ambient | security_mcp_1, security_mcp_2 |
| Code Review Bot | code_reviewer, pr_assistant | dev_team_101 | proactive | dev_mcp_1 |
| Data Analyst | data_processor, report_generator | analytics_team_202 | chat | analytics_mcp_1, analytics_mcp_2 |
| System Monitor | system_admin, health_checker | ops_team_303 | ambient | ops_mcp_1, ops_mcp_2, ops_mcp_3 |

Glossary

| Term | Meaning |
| --- | --- |
| MCP | Model Context Protocol (tool/agent interoperability) |
| Originator | Human delegating authority |
| Agent | Autonomous MCP client acting on behalf of (OBO) the user |
| HITL | Human-in-the-loop |
| ReBAC | Relationship-based access control |
| OPAL | Open Policy Administration Layer |
| OPA | Open Policy Agent |