[SPEC] Annotations for MCP Requests and Responses (security/privacy)

[SamMorrowDrums]

There have been lots of concerns about Indirect Prompt Injection attacks and data exfiltration. This proposal attempts to address some parts of it that MCP itself can improve.

Motivation and Context

As MCP adoption grows, the need for robust, composable trust and sensitivity controls becomes critical. Today, MCP clients and servers have limited means to track, propagate, and enforce trust boundaries on data as it flows through tool invocations, especially in multi-organization and open-world scenarios. This is a preliminary proposal, and a full RFC will follow if the community like the direction. This RFC proposes a standard for trust annotation metadata, enabling both clients and servers to:

• Mark data as sensitive, dangerous, or originating from untrusted sources
• Track attribution and provenance of all context shared in a session
• Enforce policies (e.g., block, escalate, or require confirmation) based on trust annotations

Proposal

Optional Trust Annotation Metadata

MCP tools (servers) MAY emit the following annotations in responses, and MUST respect them in requests:

• privateHint: Indicates the data is internal or private to an organization, but not necessarily highly sensitive (e.g., internal documentation, non-public but low-risk data).
• sensitiveHint: Indicates the presence of sensitive data, with more granular levels (e.g., sensitiveHint: low|medium|high). For example:
  • low: Internal-only, not for public release but not highly confidential
  • medium: Confidential, may include customer data or intellectual property
  • high: Highly sensitive, regulated, or secret even within a context (e.g., credentials, secrets, regulated PII)
• openWorldHint: Indicates data more likely to be subject to prompt injection or originating from a public/untrusted source. The key distinction between this and the Tool schema hint is this about where the data may originate from, rather than a tool having unbounded access to data.
• maliciousActivityHint: Indicates detected or suspected malicious activity (e.g., secrets, prompt injection, or other attacks)
  • elicitation could also be invoked with this hint.
• attribution: List of source attributions for all data included in the response (e.g., resource URIs, local files, etc.)

Annotation Responsibility

MCP servers are primarily responsible for emitting trust and sensitivity annotations because they have the most accurate context about their own data, resources, and operations. Servers MAY know whether a resource is internal, private, or sensitive, and can best determine the appropriate annotation for each response or result. This aligns with the MCP architecture, where servers are isolated and only receive the context necessary for their operation (see Architecture).

However, clients can and should also set or propagate annotations based on local knowledge or user actions outside of MCP. For example, a host application like VSCode may know the user is working in a private repository, and if the LLM context now includes file content from that repo, the client should set privateHint or an appropriate sensitiveHint level on all subsequent requests—even if the server does not explicitly mark the data as such. This ensures that trust boundaries are respected even when context is aggregated from multiple sources or user actions.

This dual responsibility enables both servers and clients to contribute to a more accurate and secure trust model, leveraging their unique perspectives and local knowledge.

Propagation

• If any annotation (e.g., sensitiveHint) is ever true in a session, it MUST be included in all subsequent requests in that session.
• For list/search results, annotations MAY be specified per result.
• annotations MAY be collected by clients to present to a user as part of a manual confirmation intervention.

Enforcement

• MCP clients MAY enforce basic rules (e.g., block, escalate, or require user confirmation for dangerous actions).
• MCP servers MAY enforce nuanced policies (e.g., refuse to write to an open world resource if sensitiveHint is true).

Critical Recommendation: Malicious Activity Detection

If no other part of this RFC is adopted into the MCP specification, the inclusion of maliciousActivityHint is essential. As MCP tools and servers begin to implement detection for malicious activity (such as prompt injection, secret leakage, or other attacks), there must be a standardized way for servers to communicate these findings to clients and end users. This enables:

• User and admin alerting for compliance and security scenarios
• Human-in-the-loop review and escalation
• Auditing and reporting of suspicious or non-compliant actions

Without this, critical security signals may be lost between tool boundaries, reducing the effectiveness of any detection or compliance system built on MCP.

Example: Email MCP

• Internal/external recipients are annotated.
• Refuse to send private repo content to an external address if openWorldHint is true.
• Prevent writing to a dangerous (external) address when sensitiveHint is true.

Deterministic Tracking

• All context and annotations are tracked and used by deterministic systems (client/server), not the model itself.

User Experience

• Instead of flat-out prevention, dangerous actions MAY trigger user confirmation, even if previously allowed.
• Trust in all MCP servers used is required for useful enforcement, malicious servers are not in scope for this RFC.

Sequence Diagram

sequenceDiagram
    participant User
    participant MCP Client
    participant MCP Server (A)
    participant MCP Server (B)

    User->>MCP Client: Initiate tool call (may include context)
    MCP Client->>MCP Server (A): Request (with context, trust annotations)
    MCP Server (A)-->>MCP Client: Response (with trust annotations)
    MCP Client->>MCP Server (B): Request (with aggregated trust annotations)
    MCP Server (B)-->>MCP Client: Response (may refuse, escalate, or require confirmation)
    MCP Client->>User: Escalate or require confirmation if policy triggers

Loading

Problems and Limitations

While this RFC provides a foundation for trust and sensitivity annotations, there are important limitations and open problems:

• Divergent Definitions: Different MCP servers may have different definitions of "internal", "external", "private", and "sensitive". For example, what is considered internal in one organization may be external in another, and sensitivity levels may not be consistent across servers.
• Session Risk Accumulation: As a session accumulates more context from various sources, the risk profile may increase. This RFC enables more human-in-the-loop notifications as risk grows, and encourages users to start a new session to reduce scope when possible.
• Contextual Appropriateness: Some actions may be appropriate in one context but not another (e.g., emailing the CEO about layoffs vs. sending that information to a direct report). The RFC does not attempt to encode all such policies, but provides the primitives for host applications and registries to implement them.
• Deliberate Incompleteness: This RFC intentionally avoids specifying a single, universal policy. Instead, it provides the bones for limited registries, host applications, and situation-specific tools to define and react to annotations as appropriate for their environment.
• Annotation Sharing: In some cases, it may not be desirable to share annotations across MCP servers. Implementers should consider privacy and security implications when propagating annotation metadata.

This RFC is a toolkit, not a complete solution. It is designed to enable, not constrain, the development of robust trust and compliance systems in MCP.

Implementation Guidance

This RFC is intentionally minimal and flexible. It is designed to enable host applications, registries, and other tools to define their own policies and enforcement strategies, rather than prescribing a one-size-fits-all solution. The goal is to provide the necessary primitives for trust and sensitivity awareness, while allowing for situation-specific adaptation and human oversight.

Implementation Considerations

• Annotations should be optional and settable by tool authors (MCP server developers)
• Clients MUST propagate and enforce annotations
• UI/UX should reflect annotation state (e.g., warnings, confirmation dialogs)
• Policy enforcement should be configurable

Open questions:

• Can an MCP reliably discover the sensitivity of an item?
• Can an MCP reliably discover the security posture that applies to the audience?

References

• MCP Specification 2025-03-26
• Schema: Annotations

[JustinCappos]

Thanks for putting this out! It's really useful to have something concrete to comment on.

One thought I had is to wonder if having levels (low medium high) or really any sort of linear scoring system like this is the best approach. For example, I want an email with medical test results to be able to be read by my mail MCP and my credit card number to be sent to a payment MCP, but I may not want either bit of detail shared with the other.

As a strawman argument for a counter proposal, would it perhaps make more sense to have something akin to IFC labels that are specific to each type of data? Then email would get labeled with that property and only things permitted to consume that label would be able to read it. If there is interest I'll explain more, but for now I'll avoid talking about complexities (e.g., removing labels via declassification) to prevent pulling your issue's conversation too far afield.

One nice thing about your approach over what I'm listing is that you only need to set a relatively simple value per MCP tool. I would think that an IFC approach would need to manage a namespace of labels, which seems more complex. However, I don't think either is a major hurdle.

[SamMorrowDrums]

It's really useful to have something concrete to comment on

That was the intention! 🙏

I think you make an excellent point and I would definitely be open to that. I'm really hoping to nerd snipe us all into converging on something that feels "MCP". What I liked about reusing the Annotations concept was how native it feels.

[olaservo]

It seems like different organizations will have different ways of classifying these things and extending them for their needs. Could it be more practical to give them a structured way to define their own vocabulary about this?

For example, instead of sensitiveHint: low|medium|high, the protocol could provide a more generic annotation mechanism where organizations define their own schemas.

So a healthcare company could use their HIPAA classifications, while a financial firm uses their PCI compliance levels, etc. and they could even publish their standardized schemas. And that way MCP doesn't have to get into the business of what these sorts of classifications mean, it just provides a consistent way to express and exchange them.

[Mossaka]

One thought I had is to wonder if having levels (low medium high) or really any sort of linear scoring system like this is the best approach. For example, I want an email with medical test results to be able to be read by my mail MCP and my credit card number to be sent to a payment MCP, but I may not want either bit of detail shared with the other.

I'd like to offer my own two cents on top of @JustinCappos 's insights. Reading from the Motivation section, I think this RFC wants to address two related but different security dimensions:

1. data provenance: where did the data come from?
2. data classification: what's the nature of this data?

so perhaps, instead of a linear sensitivity (sensitiveHint: low|meium|high) proposed here, we change it to be categorical labels like the folllowing (inspired by @olaservo 's comments). We still do need to address the namesapce though, and perhaps we allow for organization-specific labels using reverse DNS notations (com.mycorp/.../...)?

If we do want to address both data provenance and classification together, we can propose the following to the annotations about tool behaviour.

"data": {
  "provenance": {
    "openWorldHint": true // This answers "where did the data come from?" 
    "attribution": ["https://files.mycorp.com/docs/receipt.pdf"] // This tells exactly where the data is from 
  }
  "classification": {
      "labels": ["financial.invoice", "com.mycorp.project.x.expense-record"] // this answers "what's the nature of the data?"
  }
}
"maliciousActivityHint": true

Some comments:

1. I think the sensitivity labels can cover the use case of privateHint, so I removed it.
2. I am not sure about where to put maliciousActivityHint as it's, in my opinion, depends on some form of security scanners that indicate the tool has been compromised. Perhaps, this should be put into another security dimension?
3. There must be a mechanism to propogate labels with union of the labels of all inputs.
4. @JustinCappos hinted at label declassification, we might need to think about how to sanitize data labels.
5. I'd also imagine there will be a 3rd party policy engine to enforce policies based on data provenance and classification like Open Policy Agent. We may have a policy rule like the following

"policy": {
  "rules": [
    {
      "name": "need-user-consent",
      "effect": "escalate",
      "conditions": {
        "all": [
          { "fact": "data.classification.labels", "contains": "Financial" }
        ]
      }
    }
}

I drew some inspirations from the following references:

1. https://kubernetes.io/docs/concepts/security/pod-security-admission/
2. https://open-policy-agent.github.io/gatekeeper/website/docs/

[JustinCappos]

When considering how these sorts of tags would work across MCP servers, I've also been thinking a bit about the label namespace.

It seems there are three options:

1. Only have standardized labels (e.g., some spec / standards body says this is what the 'credit-card' tag means, when that tag may get applied, how it gets sanitized, etc.)
2. Only custom labels which are specific to whomever defines them and which have no meaning outside of that which the label applicant's MCP server gives
3. A mix of both (much as exists in systems like port number allocations for UDP, TCP, etc.)

My experience is that going for option 1 early on is a trap. I think people go in with the good intention of defining things in a secure manner and prescribing how they should be used for security. However, it soon devolves into a bunch of arguing about fine-grained semantics of corner cases that are all purely hypothetical.

Similarly, I think that option 2 is also a trap. It really just punts the problem to MCP server providers who then get blamed for "not using the security system correctly". They're probably not security folks and we really should minimize the work the MCP server providers (and the poor end users) have to shoulder.

I'd argue that making something basic and letting design patterns become more mature as experience is gained fits best within the third option.

[JustinCappos]

3. There must be a mechanism to propagate labels with union of the labels of all inputs.

I think this is pretty common for IFC systems. Usually a piece of data gets labeled with all of the input labels.

One related issue I want to be sure we're tracking is how to handle things like storage of data. If I write a credit card number to a file and then read it back in, the label shouldn't disappear. (I'm sure the IFC folks have written many papers on this topic.) The more unique wrinkle to us is that I think this also becomes really messy when thinking about models that may retrain themselves based upon labeled input.

4. @JustinCappos hinted at label declassification, we might need to think about how to sanitize data labels.

My non-expert, moderately cynical view of how IFC systems handle this is to just assume these magically exist and are always correct, etc. We could certainly do the same here, but I do think we need to consider who is allowed to define these sorts of declassifiers and why?

In response to my prior post, if we think about there being some label namespace, there are some really extreme design options here that raise different questions. For example, perhaps there could be a certification process your MCP server code needs to go through to be able to declassify credit card numbers. As another example, what about for a custom tag? Can only the creator of that tag declassify it? Should we give them the flexibility to control who can declassify it (and how do we do this)?

[JustinCappos]

One big problem (perhaps the key problem) of IFC is handling taint tracking especially with all of the problems related to side channels, etc.

What if instead we broke up any generated code that would have a label so that there is a minimal piece of code that handles it. This would further isolate and simplify the application of IFC properties at the cost of having a few smaller programs to execute instead of one large one.

For example, suppose that you have a prompt: "Find the email with my [insert horrible disease here] positive test result and email the doctor to set up an appointment". From an IFC standpoint, the LLM would want to query the email reading MCP, find the test result, retrieve only the email address once you've identified it, and then send an email to the doctor, using only the email. The important security part here is the repeated phrase "only the email". So, what if instead of trying to have an IFC system enforce this property via a declassifier and then try to prevent information flow within the program, we had separate programs that are pre / post declassification. The first bit of code has knowledge of the medical records, but none of this is passed on past declassification. There is no potential for an IFC leak (barring really hard to imagine side channel cases).

An advantage is this simplifies the IFC implementation dramatically, since it now only needs to know labels are applied coming in and what the declassifier can remove going out. In essence, this is IFC at a program granularity, which feels like it might be a good sweet spot for security since the model is (relatively slowly) generating small bits of code as is.

As suggested by @Mossaka , the other concern here is making a model generate multiple small programs. I would suggest the way is to help it learn to break this up along privacy boundaries (declassifiers are used to end the current context and provide its information to another program) and then have the actual programs be generated by separate prompts with different contexts.

@SamMorrowDrums I think we're polluting your issue with our IFC discussion. Do you want us to move this to another issue?

[SamMorrowDrums]

@JustinCappos thanks for the thoughtful replies. I am clearly no expert in the IFC field, and I appreciate your input, I will keep thinking about it all before I try to shape things into an actual specification PR.

I'd argue that making something basic and letting design patterns become more mature as experience is gained fits best within the third option.

We need to forever deal with security/utility trade-off and while there are enterprise users who will care about an advanced version of this ( with time and money to apply to the problem space) and academics who will care about a pure version of this; end users will likely not enjoy more human in the loop confirmations or systems preventing them from doing things. They might be glad if they realise they were saved from something problematic, but false positives will of course occur and be inconvenient.

Ultimately, the specification I hope to result from this discussion will [have to] be:

• disappointing to many, because there are a lot of hot takes on the future of privacy and security
• it will likely only partially solve a subset of problems in the space, and even then if and only if correctly applied
• adoption/utilisation will be the life/death of this spec
• simple enough for developers to implement easily
• effective enough to be worth doing at all

I will be satisfied if it effectively reduces the surface area though. Correctness is IMHO not the only horse in the race, staying mostly out of the way while reducing the number of instances where bad things occur is better than the status quo. Perfect is the enemy of good as they say.