Production-Ready MCP: Why Security Standards Matter for AI Tool Infrastructure

Wils Dawson
JUNE 30, 2025
THOUGHT LEADERSHIP

After eight years building authentication systems at Okta, followed by stints at Kong and ngrok working on developer tools and API gateways, I've seen how to build systems that are secure by default. Now at Arcade.dev, I'm watching the MCP ecosystem struggle to get there.

The Model Context Protocol has incredible potential for enabling AI agents to interact with real-world systems. But there's a gap between experimental implementations and production-ready infrastructure that most developers aren't addressing.

The Current State of MCP Security

The MCP specification (as of June 18, 2025) defines authentication between clients and servers. This is essential, but it's only part of the story. The spec handles:

  • Local transport (stdio): Suitable for development and single-user scenarios
  • Remote transport (HTTP): Requires OAuth-based authorization

This foundation is solid. The challenge comes when MCP servers need to interact with external APIs and services—which is arguably the entire point of building them.

The Authorization Gap

Here's the critical issue: when your MCP server needs to access third-party APIs (Google Drive, Slack, Salesforce), you face an architectural decision with significant security implications.

The Anti-Pattern: Embedding admin-level credentials in your MCP server. This forces the server to reimplement the authorization logic of every system it touches. It's not just a security risk—it's an engineering nightmare that doesn't scale.

The Solution: User-specific authorization flows. The MCP server obtains tokens scoped to individual users, inheriting their permissions from the downstream systems. This is what our PR #475 addresses—enabling secure token exchange without exposing credentials to clients or LLMs.
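To make the two choices concrete, here is an added example (not Arcade.dev's code, not the MCP Python SDK, and unrelated to PR #475) that models a tool handler under each strategy. The downstream service, the users, the documents and the token broker are all constructed stand-ins: the downstream API enforces its own ownership rule from the token it is handed, so a user-scoped token lets the handler inherit that rule, while a shared admin token forces the handler to re-implement it and fails open the moment it forgets.

```python
# Added example (not Arcade.dev's code, not the MCP SDK): models the two
# credential strategies the post contrasts. The downstream service, users,
# documents and token broker are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class DownstreamToken:
    """A bearer token as the downstream API sees it: who it was issued to, which scopes."""
    subject: str
    scopes: frozenset


class DownstreamApi:
    """Stand-in for Google Drive / Slack / Salesforce. It enforces its OWN authorization
    from the presented token, which is exactly what a user-scoped token lets us reuse."""

    def __init__(self) -> None:
        # constructed data: document id -> (owner, contents)
        self._docs = {"doc-1": ("alice", "Q4 plan"), "doc-2": ("bob", "Payroll")}

    def read_document(self, token: DownstreamToken, doc_id: str) -> str:
        if "docs.read" not in token.scopes:
            raise PermissionError("token lacks scope docs.read")
        owner, body = self._docs[doc_id]
        # An admin token bypasses the ownership check; a user token does not.
        if token.subject != "admin" and owner != token.subject:
            raise PermissionError(f"{token.subject} may not read {doc_id}")
        return body


API = DownstreamApi()

# --- Anti-pattern: one admin credential baked into the MCP server -------------
ADMIN_TOKEN = DownstreamToken("admin", frozenset({"docs.read", "docs.write"}))


def admin_tool_read(calling_user: str, doc_id: str) -> str:
    """Tool handler using the shared admin token. The downstream service can no longer
    tell users apart, so the server would have to re-implement the ownership rule
    itself. This handler forgets to, which is the confused-deputy failure: any caller
    reads any document, and calling_user is never even consulted."""
    return API.read_document(ADMIN_TOKEN, doc_id)


# --- Pattern: per-user tokens brokered server-side ----------------------------
class AuthorizationRequired(Exception):
    """Raised when the user has not yet completed the OAuth flow for this service."""


class TokenBroker:
    """Holds tokens obtained through each user's own OAuth consent. Tokens live only
    here, server-side; they are never placed in tool arguments or tool results."""

    def __init__(self) -> None:
        self._tokens: dict = {}

    def record_consent(self, user: str, service: str, token: DownstreamToken) -> None:
        # In a real deployment this is the OAuth callback after the user consents.
        self._tokens[(user, service)] = token

    def token_for(self, user: str, service: str) -> DownstreamToken:
        try:
            return self._tokens[(user, service)]
        except KeyError:
            raise AuthorizationRequired(f"{user} must authorize {service}") from None


BROKER = TokenBroker()
# constructed consents: alice and bob each granted read access under their own identity
BROKER.record_consent("alice", "drive", DownstreamToken("alice", frozenset({"docs.read"})))
BROKER.record_consent("bob", "drive", DownstreamToken("bob", frozenset({"docs.read"})))


def user_tool_read(calling_user: str, doc_id: str) -> str:
    """Tool handler using the caller's own token. The ownership decision is made by the
    downstream service; the handler returns only the document body, never the token."""
    token = BROKER.token_for(calling_user, "drive")
    return API.read_document(token, doc_id)
```

Two things are worth noticing when running it. `admin_tool_read("bob", "doc-1")` returns alice's document, because nothing in the path checks who is asking. `user_tool_read("bob", "doc-1")` is refused by the downstream service itself, and a user who has never consented gets `AuthorizationRequired`, which is the signal a real server would turn into a redirect to the OAuth flow rather than a fallback to a shared credential.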

Why Standards Compliance Matters

The temptation to bypass security standards is strong, especially during rapid prototyping. But consider the implications:

  1. Interoperability: Non-compliant servers won't work with Claude Desktop, Cursor, VS Code, or other standard MCP clients
  2. Security vulnerabilities: Improper token handling exposes attack vectors that standard OAuth flows prevent
  3. Scalability issues: What works for one user breaks at scale without proper session management and authorization
  4. Audit requirements: Enterprise deployments often require SOC 2 compliance and security attestations, forcing you into complex rebuilds

Production Readiness Beyond Security

Security is foundational, but production-ready MCP deployments require:

  • Observability: Detailed logging and monitoring of tool calls and data access
  • Scalability: Multi-instance deployment with proper session handling
  • Error handling: Graceful degradation when downstream services fail
  • Rate limiting: Protection against abuse and unexpected usage patterns
  • Audit trails: Compliance with data governance requirements
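An added example (not Arcade.dev's code, not the MCP SDK) of how several of these concerns can be applied at one choke point: a gateway that wraps every tool handler with a per-user sliding-window rate limit, an audit record per call, and a structured error when the downstream service fails. The tool names, users, the injectable clock and the failing handler are constructed so the behaviour is deterministic.

```python
# Added example (not Arcade.dev's code, not the MCP SDK): one wrapper that
# supplies rate limiting, audit records and graceful degradation for tool calls.
# Users, tool names, the clock and the failing downstream call are constructed.
import hashlib
import json
from collections import defaultdict, deque
from typing import Callable


class ToolGateway:
    """Wraps tool handlers with per-user rate limiting, audit records and
    structured handling of downstream failures."""

    def __init__(self, clock: Callable[[], float], max_calls: int, window_s: float) -> None:
        self._clock = clock              # injectable so tests and replays are deterministic
        self._max_calls = max_calls
        self._window_s = window_s
        self._calls = defaultdict(deque)  # user -> timestamps of recent accepted calls
        self.audit_records: list = []     # one dict per call; see audit_jsonl()

    def _allowed(self, user: str) -> bool:
        """Sliding window: drop timestamps older than the window, then compare the count."""
        now = self._clock()
        recent = self._calls[user]
        while recent and now - recent[0] >= self._window_s:
            recent.popleft()
        if len(recent) >= self._max_calls:
            return False
        recent.append(now)
        return True

    def _audit(self, user: str, tool: str, args: dict, outcome: str, started: float) -> None:
        # Hash the arguments rather than logging them raw, so the audit trail does
        # not become a second copy of customer data.
        digest = hashlib.sha256(json.dumps(args, sort_keys=True).encode()).hexdigest()[:16]
        self.audit_records.append({
            "ts": started, "user": user, "tool": tool, "args_sha256_16": digest,
            "outcome": outcome,
            "latency_ms": round((self._clock() - started) * 1000, 3),
        })

    def audit_jsonl(self) -> str:
        """Audit trail as JSON lines, ready to ship to a log pipeline or SIEM."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit_records)

    def call(self, user: str, tool: str, handler: Callable[..., object], **args) -> dict:
        started = self._clock()
        if not self._allowed(user):
            self._audit(user, tool, args, "rate_limited", started)
            return {"ok": False, "error": "rate_limited", "retry_after_s": self._window_s}
        try:
            result = handler(**args)
        except PermissionError as exc:
            self._audit(user, tool, args, "denied", started)
            return {"ok": False, "error": "permission_denied", "detail": str(exc)}
        except ConnectionError:
            # Graceful degradation: the model receives a structured, actionable error
            # instead of a stack trace or a hung request.
            self._audit(user, tool, args, "downstream_unavailable", started)
            return {"ok": False, "error": "downstream_unavailable"}
        self._audit(user, tool, args, "ok", started)
        return {"ok": True, "result": result}


class FakeClock:
    """Constructed clock so the rate-limit window can be advanced by hand."""
    def __init__(self) -> None:
        self.t = 1000.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Two calls allowed per 60 s; the second hits a failing downstream, the third is
    rate limited, and the fourth succeeds once the window has passed."""
    clock = FakeClock()
    gw = ToolGateway(clock, max_calls=2, window_s=60.0)

    def lookup(doc_id: str) -> str:          # constructed healthy handler
        return f"contents of {doc_id}"

    def flaky(doc_id: str) -> str:           # constructed failing downstream
        raise ConnectionError("upstream timeout")

    r1 = gw.call("alice", "read_doc", lookup, doc_id="doc-1")
    r2 = gw.call("alice", "read_doc", flaky, doc_id="doc-2")
    r3 = gw.call("alice", "read_doc", lookup, doc_id="doc-3")
    clock.advance(61)
    r4 = gw.call("alice", "read_doc", lookup, doc_id="doc-3")
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "audit": gw.audit_records}
```

Rejected calls do not consume quota, so a client that backs off for `retry_after_s` succeeds on its next attempt; every call, accepted or not, leaves an audit record, which is what makes abuse patterns visible rather than merely blocked.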

The Path Forward

The MCP community is at an inflection point. We can either implement secure standards now or become irrelevant when something else does. It has to be easy to do the secure and scalable thing. At Arcade.dev, we're building infrastructure that makes security and production-readiness the default, not an afterthought.

This isn't about gatekeeping or adding unnecessary complexity. It's about learning from decades of API development and applying those lessons to the next generation of agentic AI infrastructure.

The future of AI agents depends on their ability to safely and reliably interact with real-world systems. That future requires more than just functional code—it requires infrastructure built on proven security principles.


Arcade.dev provides production-ready infrastructure for AI tool-calling, with built-in authentication, authorization, and enterprise-grade security. Learn more in our documentation or join our Discord community.
