Description
Initial Checks
- I confirm that I'm using the latest version of MCP Python SDK
- I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue
Description
Summary
The MCP Python SDK's HttpResource class lacks token isolation mechanisms when making requests to external APIs, violating the MCP specification requirement that "MCP servers MUST NOT pass through the token it received from the MCP client to upstream APIs."
🎯 Core Problem
MCP specification
If the MCP server makes requests to upstream APIs, it may act as an OAuth client to them. The access token used at the upstream API is a separate token, issued by the upstream authorization server. The MCP server MUST NOT pass through the token it received from the MCP client.
HttpResource Lacks Token Isolation
File Location: src/mcp/server/fastmcp/resources/types.py:148-159
```python
import httpx
from pydantic import Field

from mcp.server.fastmcp.resources.base import Resource


class HttpResource(Resource):
    """A resource that reads from an HTTP endpoint."""

    url: str = Field(description="URL to fetch content from")
    mime_type: str = Field(default="application/json", description="MIME type of the resource content")

    async def read(self) -> str | bytes:
        """Read the HTTP content."""
        async with httpx.AsyncClient() as client:
            response = await client.get(self.url)  # ⚠️ No authentication headers!
            response.raise_for_status()
            return response.text
```
Problem Analysis
- Lacks Authentication Mechanism: HttpResource makes direct calls to external APIs without any authentication headers
- Lacks Token Isolation Checks: No mechanism to prevent passing client tokens
🔍 Security Impact
- Lack of framework-level protection against token passthrough
- Developers may incorrectly pass client tokens
P.S. I am not entirely certain if this is the correct location where the upstream API calling issue occurs. If I have misunderstood the implementation or missed other relevant code paths, I would greatly welcome and appreciate discussion and clarification from the maintainers.
Example Code
Python & MCP Python SDK: latest