undefined | Better HN

0 pointsstaticassertion1d ago0 comments

Can you explain the auth part? I feel like auth for an agent is largely a matter of either verifying its context or issuing it a JWT that's scoped to its rights, which I assume is quite similar to how any tools would work. But I'm very unfamiliar with MCP.

0 comments

monkpit1d ago

I think they’re saying you could start up the mcp and pass it creds/auth for some downstream service, and then the LLM uses the tool and has auth but doesn’t know the creds.

simonw1d ago

Right. If you're running a CLI tool that is authenticated there's effectively no way to prevent the coding agent from accessing those credentials itself - they're visible to the process, which means they're visible to the agent.

With MCP you can at least set things up such that the agent can't access the raw credentials directly.

dcherman1d ago

How so? Let's use a common CLI tool as an example - kubectl. Config is generally stored in ~/.kube in a variety of config files. Running `kubectl config view` already redacts the auth information from the config. LLMs could invoke `kubectl` commands without having knowledge of how it's authenticated.

1 more reply

steve-atx-76001d ago

Also, you can set permissions to allow and disallow specific mcp server tool calls. With a skill you’d have to do something in the shell environment to block unwanted behaviors with auth or other means in a way that isn’t declarative.

zbentley1d ago

This is right. It’s not about scoping auth, it’s about preventing secret misuse/exfil.

(Moved from wrong sub)

JambalayaJimbo1d ago

The MCP implementation is itself an agent right? Is that not just pushing the problem somewhere else?

Also, I run programs on my machine with a different privilege level than myself all the time. Why can’t an agent do that?

conception1d ago

No, mcp just is a server that returns prompts to the llm. The server can be/do whatever. You can have an echo mcp that list echoes back whatever you send it.

simonw1d ago

I define the agent as the harness that runs the LLM in a loop calling tools. The MCI implementation is one of those tools. I wouldn't call an MCP implementation an agent.

gavmor1d ago

Typically, no; an MCP is a deterministic program with SSE protocols.

staticassertionOP1d ago

Oh. Yeah, that's neat at least. I don't think it's a big deal but that's nice enough.

j / k navigate · click thread line to collapse

0 comments

monkpit1d ago

I think they’re saying you could start up the mcp and pass it creds/auth for some downstream service, and then the LLM uses the tool and has auth but doesn’t know the creds.

simonw1d ago

With MCP you can at least set things up such that the agent can't access the raw credentials directly.

dcherman1d ago

1 more reply

steve-atx-76001d ago

zbentley1d ago

This is right. It’s not about scoping auth, it’s about preventing secret misuse/exfil.

(Moved from wrong sub)

JambalayaJimbo1d ago

The MCP implementation is itself an agent right? Is that not just pushing the problem somewhere else?

Also, I run programs on my machine with a different privilege level than myself all the time. Why can’t an agent do that?

conception1d ago

No, mcp just is a server that returns prompts to the llm. The server can be/do whatever. You can have an echo mcp that list echoes back whatever you send it.

simonw1d ago

I define the agent as the harness that runs the LLM in a loop calling tools. The MCI implementation is one of those tools. I wouldn't call an MCP implementation an agent.

gavmor1d ago

Typically, no; an MCP is a deterministic program with SSE protocols.

staticassertionOP1d ago

Oh. Yeah, that's neat at least. I don't think it's a big deal but that's nice enough.

j / k navigate · click thread line to collapse