frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

A Critical Look at "A Critical Look at MCP."

https://docs.mcp.run/blog/2025/05/16/mcp-implenda-est/
33•palmfacehn•1y ago

Comments

nip•1y ago
> Further, one of the issues with remote servers is tenancy

Excellent write-up and understanding of the current state of MCP

I’ve been waiting for someone to point it out. This is in my opinion the biggest limitation of the current spec.

What is needed is a tool invocation context that is provided at tool invocation time.

Such tool invocation context allows passing information that would allow authorizing, authentication but also tracing the original “requester”: think of it as “tool invoked on behalf of user identity”

This of course implies an upstream authnz that feeds these details and more.

If you’re interested in this topic, my email is in my bio: I’m of the architect of our multi-tenant tool calling implementation that we’ve been running in production for the past year with enterprise customers where authnz and auditability are key requirements.

jensneuse•1y ago
The way we've solved this in our MCP gateway (OSS) is that the user first needs to authenticate against our gateway, e.g. by creating a valid JWT with their identity provider, which will be validated using JWKS. Now when they use a tool, they must send their JWT, so the LLM always acts in their behalf. This supports multiple tenants out of the box. (https://wundergraph.com/mcp-gateway)
Yoric•1y ago
Is this really hard to code?

I mean, converting a tool-less LLM into a tool-using LLM is a few hundred lines of code, and then you can plug all your tools, with whichever context you want.

nip•1y ago
Indeed very easy to code!

My point is about the need for a spec of this mechanism: without a spec, every company / org will roll out their own and result in 500 flavors of the same concept.

That’s where MCP shines: tool calling and tool discovery is already 1.5 years old (an eternity in ai land).

The MCP spec ensures that we can all focus on solving problems with tool calling rather than wasting time in cobbling together services that re not interoperable (because developed without a common spec / standard)

__loam•1y ago
This is an advertisement
tomrod•1y ago
I wish this were critical, but it is an ad for MCP.run.
nip•1y ago
It’s both in my opinion and discussions can stem from the linked article

Many come to HN also for the comments

palmfacehn•1y ago
Personally, I'm not a fan. I thought the proponent's view might stimulate a discussion.
FunnyLookinHat•1y ago
> Server authors working on large systems likely already have an OAuth 2.0 API.

I think this biases towards sufficiently large engineering organizations where OAuth 2.0 was identified as necessary for some part of their requirements. In most organizations, they're still using `x-<orgname>-token` headers and the like to do auth.

I'm not sure that there's a better / easier way to do Auth with this use case, but it does present a signficant hurdle to adoption for those who have an API (even one ready for JSON-RPC!) that is practically ready to be exposed via MCP.

motorest•1y ago
> I think this biases towards sufficiently large engineering organizations where OAuth 2.0 was identified as necessary for some part of their requirements. In most organizations, they're still using `x-<orgname>-token` headers and the like to do auth.

I don't think that's it. Auth is a critical system in any organization, and larger organizations actually present more resistance to change, particularly in business critical areas. If anything, smaller orgs gave an easier time migrating critical systems such as authentication.

hirsin•1y ago
Touching on tenancy and the "real" gaps in the spec does help push the discussion in a useful direction.

https://vulnerablemcp.info/ is a good collection of the immediately obvious issues with the MCP protocol that need to be addressed. A couple low blows in there, that feel a bit motivated to make MCP look worse, but generally a good starting point overall.

owebmaster•1y ago
This post has too many "shameless plugs" to be taken seriously.
smitty1e•1y ago
Serious question:

If doing an extended, service-level session (like a GPT interaction) with a server known beforehand, would it make sense to set up a keypair and manage the interaction over SSH?

Restated: are we throwing away a lot of bandwidth establishing TLS trust for the more general HTTP?

Blizzard coped with World of Warcraft's blood plague and other disasters

https://www.pcgamer.com/how-blizzard-coped-with-world-of-warcrafts-blood-plague-and-other-early-d...
1•colinprince•2m ago•0 comments

Show HN: NamedLocal – does ChatGPT recommend your local business?

https://namedlocal.com/
1•only_jeff•3m ago•0 comments

Show HN: Design Slop Cop – How AI-generated is this website?

https://slopcop.adriankrebs.ch
1•hubraumhugo•3m ago•0 comments

Google loses EU court fight over $4.7B Android antitrust fine

https://www.aa.com.tr/en/economy/google-loses-eu-court-fight-over-47b-android-antitrust-fine/3984015
1•sharpshadow•4m ago•0 comments

I made a macOS desktop app to manage Nix-Darwin and Home Manager

https://github.com/darkmatter/nixmac
2•czxtm•5m ago•1 comments

Dash diet associated with lower risk of cognitive decline

https://jamanetwork.com/journals/jamaneurology/article-abstract/2845466
1•rawgabbit•5m ago•0 comments

We Need a 'Truth Campaign' for the AI Era

https://www.techpolicy.press/why-we-need-a-truth-campaign-for-the-ai-era/
1•cdrnsf•6m ago•0 comments

Generative AI creates delicious, sustainable, and nutritious burgers

https://arxiv.org/abs/2602.03092
1•sebg•6m ago•0 comments

Show HN: Debriefr – Discussions that unlock as you watch

https://debriefr.tv
1•jhedlund•7m ago•0 comments

The Importance of Humility in Software Development (2020)

http://humbletoolsmith.com/2020/08/10/the-importance-of-humility-in-software-development/
1•downbad_•10m ago•0 comments

Launch HN: Manufact (YC S25) – MCP Cloud

https://manufact.com
8•pzullo•11m ago•0 comments

Show HN: OSS Tests to Fix AI Gen Code. 110 Test for Major API – Supabase, Auth0

https://github.com/qualtyco/api-doctor
1•Reuben_Santoso•12m ago•0 comments

US employers still reluctant to add many jobs as hiring slows in June

https://apnews.com/article/jobs-economy-hiring-labor-49c7a993b394e6ae3f801c8e3c0d39dd
1•mattas•13m ago•0 comments

AI Increased Our Open PRs by 36%. That Wasn't the Whole Story

https://www.stackbuilders.com/insights/ai-in-software-delivery-whats-working-whats-hard-and-what-...
1•StackBuilders•13m ago•0 comments

Show HN: UATC – A Closed-Loop Controller to Prevent GPU OOM

https://github.com/sajjaddoda72-design/UATC
1•L_u_u_6•13m ago•0 comments

Evolution of moral expression in song lyrics

https://www.nature.com/articles/s41598-026-53778-9
1•sebg•14m ago•0 comments

I Tried Rips, the Card App Where Users Spend Thousands Chasing Pricey Pokémon

https://www.wired.com/story/i-tried-rips-the-card-pack-app-where-users-spend-thousands-chasing-pr...
1•reece_rogers•14m ago•0 comments

Reverse-engineering the Whoop 5.0 to work without a subscription in 24 hours

https://twitter.com/b_nnett/status/2061434000766382246
1•MrBuddyCasino•16m ago•0 comments

US deaths hit record low in 2025

https://san.com/cc/living-longer-in-america-u-s-deaths-hit-record-low-in-2025/
2•Cabal•17m ago•1 comments

The competing federal efforts behind America's 250th anniversary plans

https://www.govexec.com/management/2026/07/inside-competing-federal-efforts-behind-americas-250th...
1•everybodyknows•18m ago•0 comments

The last mile of AI-assisted coding is a signup form

https://trustysquire.ai/blog/the-last-mile-is-a-signup-form
1•lunchboxfortwo•19m ago•0 comments

Spain Orders Blacklist of Palantir from Public and Private Companies

https://clashreport.com/world/articles/spain-orders-blacklist-of-us-tech-giant-palantir-from-publ...
2•mgh2•20m ago•0 comments

T-Mobile moving virtual machines off VMware amid lawsuit

https://arstechnica.com/information-technology/2026/07/t-mobile-moving-tens-of-thousands-of-virtu...
1•Brajeshwar•22m ago•0 comments

Show HN: Oculor: find warm intro paths to investors

https://oculor.ai
1•fredrussias•22m ago•0 comments

Ask HN: What are you working on? (July 2026)

1•AznHisoka•23m ago•3 comments

Who am I? I'm an awkward fellow, after all

https://devz.cl/posts/who-am-i/
2•DanielVZ•23m ago•1 comments

Kavrol – predicts upcoming bill shortfalls before they happen

https://kavrol.com
1•Krishna142•24m ago•0 comments

SQLite Databases for Humans and Agents

https://marcobambini.substack.com/p/rethinking-databases-for-humans-and
1•marcobambini•24m ago•0 comments

I deduplicated 53,000 missing-persons reports from Venezuela's earthquake

https://medium.com/tilo-tech/i-deduplicated-53-000-missing-persons-reports-from-venezuelas-earthq...
3•Major_Grooves•25m ago•1 comments

The Imagination Curriculum (a reading list)

https://zoescaman.substack.com/p/the-imagination-curriculum
1•anarbadalov•25m ago•0 comments