What is the MCP host approval model and at what granularity should consent be obtained?
Describe the MCP host approval model and explain what granularity of consent a well-designed host should require from the user.
In MCP the host, not the protocol, is the trust boundary: it surfaces every tool call for consent, scopes what each server may do, and picks the approval granularity.
Think of a building with one security desk. Vendors (the servers) show up offering services, but none can walk in and touch anything on their own. Every action goes through the front desk (the host), which asks you, the resident, before letting a vendor open a door or move a box. A lazy desk hands out a master key on day one, so a window-cleaner could empty your apartment. A careful desk asks before risky jobs but waves through harmless ones, like reading the lobby notice board. The protocol just defines how vendors describe their services. It is the desk that decides what they are actually allowed to do, and what to check with you first.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: host as trust boundary + three host jobs + the consent granularity spectrum + approval fatigue + allowlisting and its rug pull risk.
| Granularity | User burden | Safety | Best for |
|---|---|---|---|
| Blanket approve-all | None after first prompt | Poor, hides destructive calls | Anti-pattern, avoid |
| Per-server | Low | Floor, weak inside a server | Trusted single-purpose servers |
| Per-tool or per-category | Moderate | Strong for side effects | Writes, network, secrets |
| Per-call always | High, causes fatigue | Strong on paper, weak in practice | Rarely, only highest risk |
Real products, models, and research that use this idea.
- Claude Desktop and Claude Code prompt the user before a discovered MCP tool runs, showing the server origin and tool name.
- Cursor and Zed both gate MCP tool execution through the editor host, so the user approves connection and risky calls.
- The OWASP MCP Top 10 (2025) lists rug pull and tool poisoning as host-side risks that an allowlist alone does not stop.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow does allowlisting safe tools interact with a rug pull attack on an MCP server?
QWhat concrete information must a consent prompt show to make the decision meaningful?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming the protocol enforces safety. MCP defines no sandboxing or consent. The host is the trust boundary, and a blanket approve all destroys it.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.