SMCP: Adding Security to the Model Context Protocol

The Model Context Protocol (MCP) is becoming the standard for connecting AI agents to tools and data sources. But standard MCP has a security problem: it has none. No authentication. No authorization. No encryption at the protocol level. No audit trail. Security is entirely left to the transport layer and the application developer.

SMCP (Secure Model Context Protocol) is a proof-of-concept that explores what MCP could look like with security built in — while remaining 100% backward compatible with existing MCP tools and clients.

GitHub: KellerKev/smcp

The Security Gap in Standard MCP
#

Capability	Standard MCP	SMCP
Authentication	None (relies on transport)	API keys, JWT, OAuth2/SAML
Authorization	None (application responsibility)	Role-based, per-tool access control
Encryption	None at protocol level	ECDH key exchange + AES-256-GCM
Audit trail	None	Full operation logging with compliance support
Multi-agent coordination	Not supported	Dynamic discovery, task orchestration, load balancing

Standard MCP trusts that the transport layer (usually stdio or HTTP) handles security. In practice, this means most MCP deployments have no authentication, no message-level encryption, and no way to audit what tools an agent accessed or what data it retrieved. For development and personal use, that’s acceptable. For enterprise production, it’s not.

Four Security Tiers
#

SMCP takes a progressive approach — you choose the security level that matches your threat model:

1. Simple Mode (Development)
#

Basic API key authentication. No encryption. Fast to set up, suitable for local development and testing.

# Simple mode — API key only
config = {"security_mode": "simple", "api_key": "dev-key-123"}

2. Basic Mode (Staging)
#

JWT tokens over HTTPS with automatic token refresh. The minimum recommended level for any shared environment.

# Basic mode — JWT + TLS
config = {
    "security_mode": "basic",
    "jwt_secret": "your-32-char-minimum-secret-key-here",
    "tls_enabled": True
}

3. Encrypted Mode (Production)
#

End-to-end message encryption using ECDH (Elliptic Curve Diffie-Hellman) key exchange with AES-256-GCM for message encryption and HMAC authentication. Messages are encrypted independently of the transport layer — even if TLS is compromised, message content remains protected.

Client                          Server
  │                                │
  │  ECDH Public Key Exchange      │
  │◄──────────────────────────────►│
  │                                │
  │  Derive Shared Secret          │
  │  (AES-256-GCM key)            │
  │                                │
  │  Encrypted MCP Message         │
  │  + HMAC Authentication         │
  │───────────────────────────────►│
  │                                │
  │  Encrypted MCP Response        │
  │  + HMAC Authentication         │
  │◄───────────────────────────────│

4. Enterprise Mode (Regulated Industries)
#

OAuth2/SAML integration with full audit trails and compliance reporting. Every tool invocation, every data access, every agent action is logged with timestamps, user identity, and operation details.

# Enterprise mode — OAuth2 + audit
config = {
    "security_mode": "enterprise",
    "oauth2_provider": "https://login.microsoftonline.com/tenant/v2.0",
    "audit_enabled": True,
    "compliance_mode": "SOC2"
}

Multi-Agent Coordination
#

Beyond security, SMCP adds a capability MCP doesn’t have: agent-to-agent communication and orchestration.

┌──────────────┐     ┌──────────────────────┐     ┌──────────────┐
│  Orchestrator │────►│   Agent Registry      │◄────│  Worker A    │
│  (CrewAI,     │     │                      │     │  (Analyst)   │
│   custom)     │     │  • Dynamic discovery  │     └──────────────┘
└──────────────┘     │  • Load balancing     │     ┌──────────────┐
                      │  • Task routing       │◄────│  Worker B    │
                      │  • Health monitoring  │     │  (Coder)     │
                      └──────────────────────┘     └──────────────┘
                                                    ┌──────────────┐
                                                ◄────│  Worker C    │
                                                    │  (Reviewer)  │
                                                    └──────────────┘

Agents register themselves with a discovery service, advertise their capabilities, and accept tasks. The orchestrator decomposes complex requests into parallel subtasks, assigns them to available agents, and aggregates results. Built-in load balancing distributes work across multiple agent instances.

This is particularly relevant for building production-grade agentic systems where you need coordination between specialized agents — each with its own security context and access permissions.

Native Connectors
#

SMCP ships with two built-in connectors:

DuckDB Connector — query analytical databases directly from agents:

from connectors.smcp_duckdb_connector import DuckDBConnector

connector = DuckDBConnector("analytics.duckdb")
result = connector.query("SELECT * FROM sales WHERE region = 'EMEA'")

Filesystem Connector — secure file operations with path restrictions:

from connectors.smcp_filesystem_connector import FilesystemConnector

connector = FilesystemConnector(allowed_paths=["/data/reports"])
content = connector.read("quarterly_summary.csv")

Both connectors inherit the security context of the requesting agent — the DuckDB connector respects row-level access controls, and the filesystem connector enforces path boundaries.

Quick Start
#

# Clone
git clone https://github.com/KellerKev/smcp.git
cd smcp

# Install dependencies (uses pixi)
pixi install

# Pull a model
ollama pull qwen2.5-coder:1.5b

# Initialize sample data
pixi run python examples/duckdb_integration_example.py --init

# Run the showcase
pixi run python examples/showcase_complete_system.py

Performance
#

Security adds overhead, but SMCP keeps it minimal:

Operation	Overhead
Encryption (AES-256-GCM)	< 10ms per message
Agent discovery	< 50ms
JWT validation	< 5ms
ECDH key exchange	< 100ms (one-time per session)

The one-time ECDH handshake is the most expensive operation. After the shared secret is established, per-message overhead stays under 10ms.

Why This Matters
#

As AI agents move from development toys to production infrastructure, the security gap in MCP becomes a real risk:

Data exfiltration: An MCP tool with no access control can read any file or query any database the host process can access
Prompt injection: A compromised tool response can manipulate the agent’s behavior with no audit trail
Lateral movement: In multi-agent systems, a compromised agent can impersonate other agents without authentication
Compliance: Regulated industries (finance, healthcare, government) need audit trails for every AI action

SMCP doesn’t solve all of these — it’s a proof of concept, not a production framework. But it demonstrates that security can be layered onto MCP without breaking compatibility and with minimal performance overhead.

For a deeper discussion of how to govern AI agents in production, see Governing AI Inference in the Data Cloud.

Related
#

Building the Agentic Enterprise — why custom agents with native security beat generic ones
Containing AI Agents — defense-in-depth architecture for production agents
Cortex Proxy — prompt policy enforcement for AI coding agents
Nanocortex — blueprint for building custom Snowflake Cortex agents

Author

Kevin Keller

Personal blog about AI, Observability & Data Sovereignty. Snowflake-related articles explore the art of the possible and are not official Snowflake solutions or endorsed by Snowflake unless explicitly stated. Opinions are my own. Content is meant as educational inspiration, not production guidance.

Share this article

The Security Gap in Standard MCP#

Four Security Tiers#

1. Simple Mode (Development)#

2. Basic Mode (Staging)#

3. Encrypted Mode (Production)#

4. Enterprise Mode (Regulated Industries)#

Multi-Agent Coordination#

Native Connectors#

Quick Start#

Performance#

Why This Matters#

Related#

Related