[Sequel] Adding Authentication to a Previously Unguarded MCP Server (Bearer Token Edition)

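AI 3-line summary
  • A sequel article explaining the steps for adding Bearer Token authentication to an MCP server that had been operated without authentication.
  • Introducing proper authentication prevents unauthorized access and allows the MCP server to be operated safely in a production environment.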
English summary
  • A sequel post covering how to retrofit Bearer Token authentication onto an MCP server that had no access controls, making it secure enough for production use.

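MCP (Model Context Protocol) is drawing attention as a standard for connecting AI agents to external tools, but servers stood up early in development tend to stay in operation "unguarded," with no authentication. This sequel article explains the concrete steps for retrofitting Bearer Token authentication onto such a defenseless MCP server and bringing it to a state where it can be used safely even in production.

MCP is a specification published by Anthropic that serves as a bridge giving LLMs and AI agents uniform access to external resources such as files, databases, and internal APIs. While it runs locally, the lack of authentication does little real harm, but once the server is exposed remotely or shared within a team, a state in which anyone can invoke its tools leads directly to the risk of information leakage and unauthorized operations.

Bearer Token is a simple and widely used authentication scheme in which a secret string is sent in the HTTP Authorization header in the form "Bearer <token>". The server validates the token it receives and rejects requests that do not match. The implementation is relatively lightweight and can be introduced without major changes to existing endpoints, which appears to make it well suited to retrofitted security hardening.

The article is thought to show a flow in which processing that extracts the token from the request header and compares it is inserted, so that access failing authentication is rejected. Managing the token through environment variables or similar, and avoiding embedding it directly in code, is the usual practice.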

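That said, Bearer Token is not a cure-all. If the token leaks it can be abused as-is, so it is advisable to combine it with HTTPS for the connection, periodic token rotation, expiry settings, and the like. Where more full-fledged authorization is needed, there is room to consider the OAuth 2.0-based mechanisms that are also under discussion on the MCP specification side.

While MCP-capable client and server implementations are increasing rapidly, security is an area that tends to be put off. This article's approach of first laying down minimal access control with an easy Bearer Token and then strengthening authentication as operational maturity grows looks likely to be a realistic starting point for many developers.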

Model Context Protocol (MCP) servers have quickly become a common way to expose tools, data sources, and application logic to AI assistants, but many of them are deployed without any access controls. This follow-up post walks through retrofitting Bearer Token authentication onto an MCP server that previously ran "no guard," a change that matters because an unauthenticated server reachable over a network can be invoked by anyone who discovers its endpoint.

MCP, introduced by Anthropic and since adopted across a range of AI clients and developer tools, standardizes how large language models connect to external capabilities. A server advertises tools and resources, and a client such as an AI agent calls them on the user's behalf. When an MCP server runs locally over the stdio transport, the operating system's process boundary provides a natural layer of isolation. The risk profile changes significantly once the same server is exposed over a network transport, such as HTTP with Server-Sent Events or the newer Streamable HTTP transport, because the endpoint is then reachable by any client that can send requests to it.

The core problem the article addresses is that a server without authentication treats every incoming request as trusted. If that server can read files, query a database, call internal APIs, or trigger actions, an exposed and unprotected endpoint becomes an obvious avenue for misuse. Adding authentication is therefore presented as a prerequisite for moving an MCP server from a local experiment into anything resembling a production deployment.

Bearer Token authentication is the mechanism chosen here, and it is attractive largely because of its simplicity. The scheme, defined as part of the broader OAuth 2.0 framework in RFC 6750, works by having the client include a token in the HTTP Authorization header, formatted as "Authorization: Bearer <token>". The server extracts that token, compares it against an expected value or validates it, and rejects the request with an HTTP 401 Unauthorized response if the token is missing or incorrect. Because the check happens at the transport layer, it can be applied uniformly to every tool the server exposes without changing the individual tool implementations.

In practice, the approach described appears to involve inserting a middleware or request-handling layer that inspects incoming requests before they reach the MCP message handling. The token itself is typically stored as an environment variable or in a secrets manager rather than hardcoded, and the client is configured to send the matching value. This keeps credentials out of source control and makes rotation easier. The article's framing as a sequel suggests the earlier post established the unauthenticated baseline, and this installment layers security on top of that existing implementation rather than rebuilding it from scratch.
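The header check and environment-variable handling described above can be sketched as a dependency-free ASGI middleware. This is an added example, not code from the original article: the variable name `MCP_AUTH_TOKEN`, the `/mcp` path, the stand-in `demo_mcp_app` and the sample token are assumptions constructed for illustration.

```python
import asyncio
import hmac
import os

ENV_VAR = "MCP_AUTH_TOKEN"  # assumed variable name, not taken from the article

def token_ok(header_value, expected):
    """True only for 'Bearer <token>' whose token equals `expected`."""
    if not expected or not header_value:
        return False  # fail closed on an unset server token or a missing header
    scheme, _, presented = header_value.partition(" ")
    if scheme.lower() != "bearer":
        return False
    # Constant-time comparison so response timing does not reveal a partial match.
    return hmac.compare_digest(presented.strip().encode(), expected.encode())

class BearerAuthMiddleware:
    """Pure-ASGI wrapper that checks the header before the MCP app sees the request."""
    def __init__(self, app, environ=os.environ):
        self.app, self.expected = app, environ.get(ENV_VAR, "")
        if not self.expected:
            raise RuntimeError(f"{ENV_VAR} is not set; refusing to start unauthenticated")

    async def __call__(self, scope, receive, send):
        if scope["type"] == "lifespan":  # startup/shutdown events, no request to check
            return await self.app(scope, receive, send)
        headers = dict(scope.get("headers") or [])
        value = headers.get(b"authorization", b"").decode("latin-1")
        if token_ok(value, self.expected):
            return await self.app(scope, receive, send)
        await send({"type": "http.response.start", "status": 401,
                    "headers": [(b"www-authenticate", b"Bearer")]})
        await send({"type": "http.response.body", "body": b"unauthorized"})

async def demo_mcp_app(scope, receive, send):
    """Hypothetical stand-in for the real MCP ASGI application."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"{}"})

def status_for(app, auth_header=None):
    """Send one constructed request through `app`; return the HTTP status code."""
    sent = []
    async def receive(): return {"type": "http.request", "body": b""}
    async def send(message): sent.append(message)
    headers = [(b"authorization", auth_header.encode())] if auth_header else []
    scope = {"type": "http", "method": "POST", "path": "/mcp", "headers": headers}
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]
```

The constructor refuses to start when the variable is empty, so a missing secret cannot silently leave the server open again.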

It is worth noting the limits of a static Bearer Token. A single shared token offers coarse, all-or-nothing access and no way to distinguish between callers, so revoking access for one client means rotating the token for all of them. It also provides no protection on its own against interception, which is why Bearer Tokens should always be transmitted over TLS. For scenarios that require per-user identity, scoped permissions, or expiring credentials, the MCP specification has been evolving toward a more complete authorization story built on OAuth 2.1, including support for authorization servers, token endpoints, and discovery metadata. A static token is best understood as a pragmatic first step that is substantially better than nothing, rather than a comprehensive solution.

The broader context is that MCP security has become an active area of discussion as the protocol spreads. Reports of misconfigured or overly permissive servers, prompt-injection risks, and the dangers of connecting untrusted servers to capable agents have pushed both the specification maintainers and the community to emphasize authentication, least-privilege tool design, and careful handling of secrets. Adjacent practices such as running servers behind API gateways, using reverse proxies for TLS termination, and applying network-level restrictions complement token-based checks.

For developers maintaining their own MCP servers, the takeaway is straightforward: any server exposed beyond a local machine should require authentication, and Bearer Tokens offer a low-friction way to close the most obvious gap while more granular authorization models mature.

  • Source: Qiita MCP tag T2
  • Source Avg: ★ 2.0
  • Type: Blog
  • Importance: ★ Normal (top 100% in MCP / Tooling)
  • Half-life: 📘 Medium-term (tutorial)
  • Lang: JA
  • Collected: 2026/07/04 16:00

The body text and summary on this page are automatically generated by AI. Please check the original article (qiita.com) for accuracy.
