Skip to main content
guidesSource-backed

Build MCP Servers with Auth and Least Privilege

A source-backed guide for designing Model Context Protocol servers with explicit authorization boundaries, narrow tools, scoped resources, privacy-aware logging, and least-privilege runtime access.

by MkDev11·added 2026-06-04·
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Safety notes
Design every tool as a capability grant: expose only the narrow action the client needs and reject arguments that exceed that boundary., Require explicit human approval or a separate workflow for tools that write files, mutate remote systems, spend money, publish content, or delete data., Do not pass through broad user tokens to downstream services; validate tokens for the MCP server audience and keep credentials revocable.
Privacy notes
Tool arguments, resource URIs, resource contents, prompts, traces, server logs, error reports, and downstream API responses can contain private data., Redact secrets and customer data before logging, tracing, sharing debug output, or storing MCP interaction artifacts., Keep test fixtures synthetic or sanitized until the server's authorization, resource filtering, and log retention behavior are reviewed.
Author
MkDev11
Submitted by
MkDev11
Claim status
unclaimed
Last verified
2026-06-04

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

4 prerequisites to line up before setup. Have accounts and credentials ready first. Includes a review or approval gate.

0/4 ready
Account & credentials1Install & runtime1Network & hosting1Review & approval1

Safety & privacy surface

Safety & privacy surface

3 safety and 3 privacy notes across 4 risk areas. Review closely: credentials & tokens, permissions & scopes, network access.

4 areas
  • SafetyPermissions & scopesDesign every tool as a capability grant: expose only the narrow action the client needs and reject arguments that exceed that boundary.
  • SafetyNetwork accessRequire explicit human approval or a separate workflow for tools that write files, mutate remote systems, spend money, publish content, or delete data.
  • SafetyCredentials & tokensDo not pass through broad user tokens to downstream services; validate tokens for the MCP server audience and keep credentials revocable.
  • PrivacyData retentionTool arguments, resource URIs, resource contents, prompts, traces, server logs, error reports, and downstream API responses can contain private data.
  • PrivacyCredentials & tokensRedact secrets and customer data before logging, tracing, sharing debug output, or storing MCP interaction artifacts.
  • PrivacyPermissions & scopesKeep test fixtures synthetic or sanitized until the server's authorization, resource filtering, and log retention behavior are reviewed.

Safety notes

  • Design every tool as a capability grant: expose only the narrow action the client needs and reject arguments that exceed that boundary.
  • Require explicit human approval or a separate workflow for tools that write files, mutate remote systems, spend money, publish content, or delete data.
  • Do not pass through broad user tokens to downstream services; validate tokens for the MCP server audience and keep credentials revocable.

Privacy notes

  • Tool arguments, resource URIs, resource contents, prompts, traces, server logs, error reports, and downstream API responses can contain private data.
  • Redact secrets and customer data before logging, tracing, sharing debug output, or storing MCP interaction artifacts.
  • Keep test fixtures synthetic or sanitized until the server's authorization, resource filtering, and log retention behavior are reviewed.

Prerequisites

  • A specific MCP server use case, target client, and list of actions or data sources the server should expose.
  • A chosen transport model such as local stdio for trusted local use or HTTP for remote/protected access.
  • A credential plan that separates development, test, and production access.
  • A review owner who can approve tool scopes, side effects, logging, and rollout.

Schema details

Install type
copy
Reading time
8 min
Difficulty score
66
Troubleshooting
Yes
Breaking changes
No
Full copyable content
## TL;DR

An MCP server should expose the smallest useful set of tools and resources, not
an entire account, filesystem, or internal API. Before writing the first tool,
define the transport, authorization model, credential source, tool scopes,
resource filters, logging policy, and rollback path. For HTTP-based protected
servers, follow the MCP authorization model and validate that presented tokens
were issued for your server. For local stdio servers, treat environment
credentials as powerful secrets and keep the runtime tightly scoped.

## Prerequisites & Requirements

- [ ] {"task": "Capability inventory", "description": "The server has a written list of tools, resources, prompts, side effects, and downstream systems"}
- [ ] {"task": "Transport decision", "description": "The team has chosen local stdio, HTTP, or another transport deliberately"}
- [ ] {"task": "Auth plan", "description": "Protected HTTP access has an authorization plan, and local credentials are separated by environment"}
- [ ] {"task": "Scope matrix", "description": "Every tool and resource maps to a role, scope, account, project, or directory boundary"}
- [ ] {"task": "Review owner", "description": "A maintainer can approve new capabilities and revoke credentials if the server behaves unexpectedly"}

## Core Concepts Explained

### Transport changes the trust boundary

Local stdio servers usually inherit credentials and filesystem access from the
process environment. HTTP servers introduce network exposure, protected
resource metadata, token validation, client registration, and redirect handling
concerns. Pick the transport first because it shapes the rest of the auth
review.

### Tools are capability grants

MCP tools are model-callable actions. Each tool should have a narrow verb,
clear input schema, strict validation, and a documented side effect. Prefer
separate read and write tools over a broad "manage everything" tool.

### Resources are data exposure points

Resources can provide file contents, database records, schemas, project state,
or other context. Scope resource URIs and resource templates so clients can
retrieve only the data they are meant to see.

### Authorization belongs on the server too

Client-side UI prompts and model instructions are helpful, but the MCP server
still needs its own checks. Validate identity, audience, scope, tenant,
project, path, and operation before a tool or resource handler touches data.

## Step-by-Step Server Design

1. **Write the capability inventory.** List each tool, resource, prompt,
   downstream API, file path, database, queue, browser profile, and account the
   server may touch. Remove anything that is not needed for the first release.

2. **Choose the transport and auth model.** Use local stdio only when the server
   is meant to run in a trusted local profile. Use HTTP authorization patterns
   for protected remote servers, and treat the MCP server as a resource server
   that validates tokens instead of blindly forwarding them.

3. **Build a scope matrix.** For every tool and resource, record who can call
   it, which OAuth scope or local credential permits it, which tenant or
   project it can access, and whether it is read-only or mutating.

4. **Split broad tools.** Replace a single admin-style tool with narrower
   operations. A read-only lookup, a draft creation action, and a final publish
   action should usually be separate capabilities with different review
   expectations.

5. **Validate inputs server-side.** Treat tool arguments as untrusted. Check
   enum values, path prefixes, project IDs, tenant IDs, amount limits, allowed
   domains, and maximum result sizes before calling downstream systems.

6. **Filter resources by identity and scope.** Do not expose a generic resource
   template that can read arbitrary paths or records. Bind resource discovery
   and resource reads to the authenticated subject or the configured local
   project boundary.

7. **Constrain the runtime.** Run the server with the smallest filesystem,
   network, process, and environment access that still supports the workflow.
   Use separate service accounts or test credentials instead of a personal
   all-access token.

8. **Make side effects reviewable.** Tools that write, delete, publish, deploy,
   approve, or spend should return a preview when possible and require an
   explicit approval step before the final mutation.

9. **Design logs for privacy.** Log request IDs, tool names, scope decisions,
   and high-level outcomes. Avoid logging raw prompts, secrets, full resource
   bodies, bearer tokens, customer data, or large downstream responses.

10. **Test denial paths.** Verify that missing scopes, wrong tenants, invalid
    resource URIs, oversized requests, expired credentials, and production
    targets are rejected before testing happy paths.

## Auth and Scope Matrix

| Surface | Least-privilege design | Review question |
| --- | --- | --- |
| Tool list | Publish only the tools needed for this workflow | Could any tool be split or removed? |
| Tool call | Check identity, scope, tenant, and argument limits | Can a model broaden the action through arguments? |
| Resource list | Show only discoverable resources for the caller | Does listing reveal private names or IDs? |
| Resource read | Bind reads to allowed paths, projects, or records | Can a crafted URI escape the boundary? |
| Downstream API | Use scoped service accounts or user grants | Can the token modify more than the tool needs? |
| Logs and traces | Store minimal metadata with redaction | Would a debug bundle expose private content? |

## Implementation Review Checklist

- [ ] {"task": "No catch-all tools", "description": "Tools have narrow names, input schemas, and side-effect descriptions"}
- [ ] {"task": "Scopes are mapped", "description": "Each tool and resource has an explicit scope, role, tenant, or local boundary"}
- [ ] {"task": "Audience is validated", "description": "Protected HTTP servers reject tokens that were not issued for this MCP server"}
- [ ] {"task": "Credentials are separated", "description": "Development, staging, and production credentials are not shared"}
- [ ] {"task": "Runtime is constrained", "description": "The process has only the directories, network destinations, and environment variables it needs"}
- [ ] {"task": "Mutation has review", "description": "Dangerous tools preview actions or require a separate human-approved final step"}
- [ ] {"task": "Logs are redacted", "description": "Tokens, prompts, full resources, customer records, and secret values are not retained by default"}
- [ ] {"task": "Revocation is tested", "description": "Tokens can be revoked and the server can be disabled without searching through client state"}

## Troubleshooting

- **The server needs a broad token**: split the downstream integration, create a
  narrower service account, or delay the tool until the provider supports the
  scope you need.
- **A resource template can read too much**: add an allowlist for projects,
  directories, schemas, or record prefixes and test path traversal attempts.
- **Authorization works locally but fails over HTTP**: confirm the client,
  authorization server, and MCP server agree on resource identifiers, scopes,
  redirect URIs, and token audience.
- **Logs contain sensitive data**: switch to metadata-only logs, redact tool
  arguments, and rotate any tokens or customer data that were captured.
- **The tool surface keeps growing**: require a scope-matrix update and review
  for every new tool before publishing the server to shared clients.

## Duplicate Check

This guide focuses on designing and building an MCP server with authorization
boundaries, scoped tools, protected resources, runtime isolation, and privacy
review. Existing entries include individual MCP server listings, Claude workflow
guides that mention least privilege, and a separate pre-installation threat
model guide for third-party MCP servers. They do not provide a focused
source-backed build guide for authoring a new MCP server with auth and
least-privilege design.

## References

- MCP authorization specification - https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
- MCP security best practices - https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices
- MCP tools specification - https://modelcontextprotocol.io/specification/2025-06-18/server/tools
- MCP resources specification - https://modelcontextprotocol.io/specification/2025-06-18/server/resources
- MCP Python SDK - https://github.com/modelcontextprotocol/python-sdk
- MCP TypeScript server docs - https://github.com/modelcontextprotocol/typescript-sdk/blob/main/docs/server.md

About this resource

TL;DR

An MCP server should expose the smallest useful set of tools and resources, not an entire account, filesystem, or internal API. Before writing the first tool, define the transport, authorization model, credential source, tool scopes, resource filters, logging policy, and rollback path. For HTTP-based protected servers, follow the MCP authorization model and validate that presented tokens were issued for your server. For local stdio servers, treat environment credentials as powerful secrets and keep the runtime tightly scoped.

Prerequisites & Requirements

  • {"task": "Capability inventory", "description": "The server has a written list of tools, resources, prompts, side effects, and downstream systems"}
  • {"task": "Transport decision", "description": "The team has chosen local stdio, HTTP, or another transport deliberately"}
  • {"task": "Auth plan", "description": "Protected HTTP access has an authorization plan, and local credentials are separated by environment"}
  • {"task": "Scope matrix", "description": "Every tool and resource maps to a role, scope, account, project, or directory boundary"}
  • {"task": "Review owner", "description": "A maintainer can approve new capabilities and revoke credentials if the server behaves unexpectedly"}

Core Concepts Explained

Transport changes the trust boundary

Local stdio servers usually inherit credentials and filesystem access from the process environment. HTTP servers introduce network exposure, protected resource metadata, token validation, client registration, and redirect handling concerns. Pick the transport first because it shapes the rest of the auth review.

Tools are capability grants

MCP tools are model-callable actions. Each tool should have a narrow verb, clear input schema, strict validation, and a documented side effect. Prefer separate read and write tools over a broad "manage everything" tool.

Resources are data exposure points

Resources can provide file contents, database records, schemas, project state, or other context. Scope resource URIs and resource templates so clients can retrieve only the data they are meant to see.

Authorization belongs on the server too

Client-side UI prompts and model instructions are helpful, but the MCP server still needs its own checks. Validate identity, audience, scope, tenant, project, path, and operation before a tool or resource handler touches data.

Step-by-Step Server Design

  1. Write the capability inventory. List each tool, resource, prompt, downstream API, file path, database, queue, browser profile, and account the server may touch. Remove anything that is not needed for the first release.

  2. Choose the transport and auth model. Use local stdio only when the server is meant to run in a trusted local profile. Use HTTP authorization patterns for protected remote servers, and treat the MCP server as a resource server that validates tokens instead of blindly forwarding them.

  3. Build a scope matrix. For every tool and resource, record who can call it, which OAuth scope or local credential permits it, which tenant or project it can access, and whether it is read-only or mutating.

  4. Split broad tools. Replace a single admin-style tool with narrower operations. A read-only lookup, a draft creation action, and a final publish action should usually be separate capabilities with different review expectations.

  5. Validate inputs server-side. Treat tool arguments as untrusted. Check enum values, path prefixes, project IDs, tenant IDs, amount limits, allowed domains, and maximum result sizes before calling downstream systems.

  6. Filter resources by identity and scope. Do not expose a generic resource template that can read arbitrary paths or records. Bind resource discovery and resource reads to the authenticated subject or the configured local project boundary.

  7. Constrain the runtime. Run the server with the smallest filesystem, network, process, and environment access that still supports the workflow. Use separate service accounts or test credentials instead of a personal all-access token.

  8. Make side effects reviewable. Tools that write, delete, publish, deploy, approve, or spend should return a preview when possible and require an explicit approval step before the final mutation.

  9. Design logs for privacy. Log request IDs, tool names, scope decisions, and high-level outcomes. Avoid logging raw prompts, secrets, full resource bodies, bearer tokens, customer data, or large downstream responses.

  10. Test denial paths. Verify that missing scopes, wrong tenants, invalid resource URIs, oversized requests, expired credentials, and production targets are rejected before testing happy paths.

Auth and Scope Matrix

Surface Least-privilege design Review question
Tool list Publish only the tools needed for this workflow Could any tool be split or removed?
Tool call Check identity, scope, tenant, and argument limits Can a model broaden the action through arguments?
Resource list Show only discoverable resources for the caller Does listing reveal private names or IDs?
Resource read Bind reads to allowed paths, projects, or records Can a crafted URI escape the boundary?
Downstream API Use scoped service accounts or user grants Can the token modify more than the tool needs?
Logs and traces Store minimal metadata with redaction Would a debug bundle expose private content?

Implementation Review Checklist

  • {"task": "No catch-all tools", "description": "Tools have narrow names, input schemas, and side-effect descriptions"}
  • {"task": "Scopes are mapped", "description": "Each tool and resource has an explicit scope, role, tenant, or local boundary"}
  • {"task": "Audience is validated", "description": "Protected HTTP servers reject tokens that were not issued for this MCP server"}
  • {"task": "Credentials are separated", "description": "Development, staging, and production credentials are not shared"}
  • {"task": "Runtime is constrained", "description": "The process has only the directories, network destinations, and environment variables it needs"}
  • {"task": "Mutation has review", "description": "Dangerous tools preview actions or require a separate human-approved final step"}
  • {"task": "Logs are redacted", "description": "Tokens, prompts, full resources, customer records, and secret values are not retained by default"}
  • {"task": "Revocation is tested", "description": "Tokens can be revoked and the server can be disabled without searching through client state"}

Troubleshooting

  • The server needs a broad token: split the downstream integration, create a narrower service account, or delay the tool until the provider supports the scope you need.
  • A resource template can read too much: add an allowlist for projects, directories, schemas, or record prefixes and test path traversal attempts.
  • Authorization works locally but fails over HTTP: confirm the client, authorization server, and MCP server agree on resource identifiers, scopes, redirect URIs, and token audience.
  • Logs contain sensitive data: switch to metadata-only logs, redact tool arguments, and rotate any tokens or customer data that were captured.
  • The tool surface keeps growing: require a scope-matrix update and review for every new tool before publishing the server to shared clients.

Duplicate Check

This guide focuses on designing and building an MCP server with authorization boundaries, scoped tools, protected resources, runtime isolation, and privacy review. Existing entries include individual MCP server listings, Claude workflow guides that mention least privilege, and a separate pre-installation threat model guide for third-party MCP servers. They do not provide a focused source-backed build guide for authoring a new MCP server with auth and least-privilege design.

References

Source citations

Add this badge to your README

Show that Build MCP Servers with Auth and Least Privilege is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/guides/mcp-server-auth-least-privilege.svg)](https://heyclau.de/entry/guides/mcp-server-auth-least-privilege)

How it compares

Build MCP Servers with Auth and Least Privilege side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

A source-backed guide for designing Model Context Protocol servers with explicit authorization boundaries, narrow tools, scoped resources, privacy-aware logging, and least-privilege runtime access.

Open dossier

A practical pre-installation review workflow for Model Context Protocol servers. Inventory tools, resources, prompts, credentials, network reach, storage, and runtime permissions before connecting a server to Claude or another MCP client.

Open dossier

Master MCP server development from scratch. Create custom Claude Desktop integrations with TypeScript/Python in 60 minutes using production-ready patterns.

Open dossier

Microsoft open-source Model Context Protocol curriculum with hands-on MCP server, client, security, transport, auth, deployment, Azure, VS Code, Inspector, PostgreSQL, and cross-language examples.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDiffersMkDev11MkDev11
Install riskReview firstReview firstReview firstReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
BrandMicrosoft logoMicrosoft
Categoryguidesguidesguidesguides
SourceSource-backedSource-backedSource-backedSource-backed
AuthorMkDev11MkDev11JSONboredMicrosoft
Added2026-06-042026-06-042025-10-272026-06-18
Platforms
Harness
Source repo
Safety notesDesign every tool as a capability grant: expose only the narrow action the client needs and reject arguments that exceed that boundary. Require explicit human approval or a separate workflow for tools that write files, mutate remote systems, spend money, publish content, or delete data. Do not pass through broad user tokens to downstream services; validate tokens for the MCP server audience and keep credentials revocable.An MCP server gives Claude Code model-callable tools that can run on your behalf; a stdio server runs as a local process with your environment access, so treat installing one as running third-party code. Anthropic reviews connectors against its listing criteria before adding them to the Anthropic Directory but does not security-audit or manage any MCP server, so trust verification is your responsibility (per code.claude.com/docs/en/security). Servers that fetch external content can expose you to prompt injection; Claude Code requires trust verification for new MCP servers and prompts for approval before using project-scoped servers from .mcp.json. Prefer least-privilege credentials, scoped directories, and explicit approval for side-effect tools.Building and connecting an MCP server runs a local process (or connects to a remote one) that executes tools with your user privileges; only connect servers you trust and review the command and URL first.The curriculum includes runnable MCP servers, clients, deployment examples, cloud integrations, database labs, and tooling exercises; run samples in isolated projects with non-production credentials. MCP servers expose model-callable tools. Review each sample's file, network, database, and cloud side effects before connecting it to Claude, VS Code, Cursor, or another host. Security, OAuth, Entra ID, PostgreSQL, Azure, and deployment labs can create real accounts, containers, databases, tokens, or cloud resources if followed against live infrastructure. Do not paste personal access tokens, Azure secrets, database credentials, customer data, or production URLs into sample configs, screenshots, public issues, or shared prompts.
Privacy notesTool arguments, resource URIs, resource contents, prompts, traces, server logs, error reports, and downstream API responses can contain private data. Redact secrets and customer data before logging, tracing, sharing debug output, or storing MCP interaction artifacts. Keep test fixtures synthetic or sanitized until the server's authorization, resource filtering, and log retention behavior are reviewed.MCP servers can expose local files, resources, prompt templates, tool arguments, tool outputs, logs, and retrieved data to the connected client and model workflow. For HTTP/SSE transports, OAuth access tokens are stored in the system keychain (macOS) or a credentials file; use "Clear authentication" in the /mcp menu to revoke access. For stdio servers, credentials come from the environment you pass in. Restrict OAuth scopes with oauth.scopes in .mcp.json so a remote server only receives the access it needs, and revoke credentials and delete persisted state when uninstalling a server that had access to private repositories, databases, or files.Connecting servers can pass secrets via --env and OAuth tokens stored in Claude Code's local config; the server process can access whatever data and credentials you grant it.Sample prompts, MCP tool arguments, server logs, API responses, database rows, telemetry from external tools, and cloud diagnostics may contain sensitive learning or project data. Running model-connected samples can send prompts, tool outputs, code snippets, and resource identifiers to the selected model provider or cloud service. The repository is public and translated; keep local notes, secrets, generated configs, and lab outputs outside commits and issue comments. When adapting the curriculum for teams, document which sample services are allowed, what data can be used, and how temporary credentials and cloud resources are deleted.
Prerequisites
  • A specific MCP server use case, target client, and list of actions or data sources the server should expose.
  • A chosen transport model such as local stdio for trusted local use or HTTP for remote/protected access.
  • A credential plan that separates development, test, and production access.
  • A review owner who can approve tool scopes, side effects, logging, and rollout.
  • The MCP server's documentation, package/repository source, config example, and declared tools/resources/prompts.
  • A list of credentials, files, network services, databases, browsers, or cloud APIs the server will access.
  • Permission to install the server in an isolated test profile before connecting it to production or personal data.
  • A rollback plan for removing the server and revoking tokens.
— none listed
  • Basic programming knowledge in at least one supported language such as C#, Java, JavaScript, Python, TypeScript, or Rust.
  • Familiarity with client-server systems, REST APIs, HTTP, and command-line development workflows.
  • A local development environment for whichever sample language, SDK, Docker, database, or cloud path you plan to run.
  • Non-production model provider, Azure, database, or API credentials if you run optional samples that connect to external services.
Install
Config
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.