# Securing MCP Usage

Modern agents are only as useful as the tools they can safely access. MCP enables models to move beyond pure text generation and take action, while ensuring that those actions are constrained, auditable, and policy-compliant.

With MCP, tools are never implicitly available. Each tool must be explicitly registered, enabled, and governed. Every invocation is tied to the application that initiated it, ensuring that access, usage, and logging remain scoped to the correct context.

### Registry as a Trust Boundary

An MCP Registry establishes a trust boundary between models and external systems. All tool calls routed through a registry pass through the Agent Gateway, where security controls, guardrails, and observability are applied consistently.

This design ensures:

* Models never communicate directly with remote or hosted MCP servers
* Tool access is explicit, scoped, and revocable
* Every invocation is attributable to an agent
* Tool responses are inspected before being returned to the model

In practice, registries act as both a discovery mechanism and a security perimeter.

**Downstream credential handling** is managed per-registry via credential modes. The Gateway can forward client-supplied tokens unchanged (OAuth Passthrough), fetch per-user tokens from a central credential store (Token Broker), or use a shared connection with static credentials (Internal). See [Credential Modes](/agent-gateway/credential-modes.md) for configuration details.

### Continuous MCP Scan: Tool Risk Assessment

Whenever an MCP Server is enabled, Highflame automatically performs a vulnerability scan on that tool. This scan evaluates the tool for MCP-specific security risks such as injection vectors, unsafe parameters, or misconfigured behaviors.

Scan results are displayed directly alongside the tool, allowing teams to make informed decisions before enabling it in production. This ensures that the registry is not just a catalog of tools, but an actively monitored security surface.

### Registry-Level Guardrails

MCP Registries support baseline security guardrails that apply to all tools exposed by the registry. These policies are enforced after a tool is invoked and before the output is returned to the model or application.

Examples include:

* Protection against indirect prompt injection originating from the tool output
* Data loss prevention to stop sensitive information from flowing back to models
* Security filters that detect tool-level vulnerabilities, such as command injection or SQL injection

> Learn more about how MCP traffic flows through the [Agent Gateway](/agent-gateway/ai-gateway.md#mcp-traffic-handling-and-enforcement).

### Application Scoping and Visibility

All MCP interactions are scoped to the application key that initiated the request. This means tool usage, logs, policies, and traces are always attributed to the correct application context. Highflame visualizes this data in the Application Graph view, showing:

* Which MCP tools are being used
* How frequently they are invoked
* When they were last accessed

This makes it easy to analyze usage patterns, detect unexpected behavior, and audit tool access over time.
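The control path the sections above describe (explicit registration and revocation in a registry, every call routed through a gateway, output inspected before it reaches the model, and each invocation attributed to an application key), written out as a constructed Python example. This is not Highflame's code: the `Registry` and `Gateway` classes, the injection and DLP patterns, and the tool callables are all assumed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed, constructed heuristics for the two registry-level guardrails the page
# names: indirect prompt injection in tool output, and DLP on sensitive data.
INJECTION_PATTERNS = [r"ignore (all )?(previous|prior) instructions", r"reveal the system prompt"]
DLP_PATTERNS = {"api_key": r"\bsk-[A-Za-z0-9]{8,}\b", "ssn": r"\b\d{3}-\d{2}-\d{4}\b"}

@dataclass
class Registry:
    """Tools are never implicitly available: register, then enable; revoke at any time."""
    tools: dict = field(default_factory=dict)      # name -> callable standing in for an MCP server
    enabled: set = field(default_factory=set)

    def register(self, name, fn): self.tools[name] = fn
    def enable(self, name): self.enabled.add(name)
    def revoke(self, name): self.enabled.discard(name)

@dataclass
class Gateway:
    """Every call passes through here; the model never reaches the tool directly."""
    registry: Registry
    audit_log: list = field(default_factory=list)  # one entry per invocation, attributed to an app key

    def invoke(self, app_key, tool, **args):
        if tool not in self.registry.tools or tool not in self.registry.enabled:  # unregistered or revoked
            self._log(app_key, tool, "denied")
            return {"outcome": "denied", "output": ""}
        raw = self.registry.tools[tool](**args)
        outcome, safe = self._guard(raw)             # inspect before anything reaches the model
        self._log(app_key, tool, outcome)
        return {"outcome": outcome, "output": safe}

    def _guard(self, text):
        # Injection check first: a poisoned response is dropped outright, not redacted.
        if any(re.search(p, text, re.I) for p in INJECTION_PATTERNS):
            return "blocked_injection", ""
        redacted = text
        for label, pat in DLP_PATTERNS.items():
            redacted = re.sub(pat, f"[REDACTED:{label}]", redacted)
        return ("redacted" if redacted != text else "allowed"), redacted

    def _log(self, app_key, tool, outcome):
        self.audit_log.append({"app": app_key, "tool": tool, "outcome": outcome})

    def usage(self, app_key):
        """Per-application invocation counts, the kind of view the Application Graph shows."""
        return Counter(e["tool"] for e in self.audit_log if e["app"] == app_key)
```

Denied calls are logged too, so a revoked tool that an agent keeps trying to reach shows up in the per-application view rather than disappearing silently.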


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://docs.highflame.ai/agent-gateway/securing-mcps.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
