What UX patterns help users make informed MCP approval decisions without approval fatigue?
Describe UX patterns that help users make informed MCP tool approval decisions while avoiding approval fatigue.
Show users the full tool definition the model sees, scope and tier approvals to fight fatigue, and flag changes; the consent UX is a security control against tool poisoning.
Picture signing for a package at your door. A bad delivery UX makes you scribble your name on every box without reading anything, so you'd sign for a bomb just as fast as a birthday card. A good UX shows you what's inside, who sent it, and only stops you for the suspicious ones. MCP approval is the same. If the app makes you click 'allow' a hundred times, you stop reading and approve everything, including a poisoned tool whose hidden instructions tell the model to leak your files. Good approval UX shows the real tool description the model sees, groups the safe reads, and flags anything that changed since you last trusted it.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: why fatigue breaks consent + show the full description the model sees + risk tiering + provenance + definition pinning against rug pulls + frame UX as a security control.
| Pattern | Anti-pattern (fails) | Better pattern (informed consent) |
|---|---|---|
| What is shown | Tool name only | Full description the model sees, plus data-flow summary |
| Granularity | Blanket allow-all per server | Risk-tiered, session or path scoped grants |
| Read-only tools | Prompt on every call | Batch-approve to cut fatigue |
| Destructive tools | Same flow as reads | Individual prompt every time |
| Definition changes | Silently honored | Re-prompt and diff against the approved hash |
Real products, models, and research that use this idea.
- Claude Desktop and Claude Code prompt for tool approval per server and let users scope grants rather than blanket-trusting a server.
- The OWASP MCP Top 10, published in 2025, lists tool poisoning and rug pull attacks that informed-consent UX is designed to mitigate.
- Cursor and Zed surface MCP server origin from the config file so users can judge provenance before approving tools.
- Invariant Labs' 2025 tool poisoning disclosure showed hidden instructions in a server's tool description steering the model to exfiltrate files.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you detect a rug pull where a server swaps a benign tool for a malicious one after approval?
QHow do you stop hidden instructions in a tool description from reaching the user as trusted text?
QWhere do you draw the line between batch-approving and individually prompting a tool?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating approval as a checkbox to clear, not a security control. Showing only the tool name hides the poisoned description the model actually reads.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.