How should I authenticate to MCP servers?

Use short-lived OAuth tokens that expire within minutes. Avoid long-lived API keys. Use scoped tokens that only have access to the specific resources the MCP server needs. Rotate tokens regularly and never reuse a token across multiple servers.

Can Guard detect if my MCP server is logging tokens?

Guard can flag MCP servers whose response headers or error messages suggest they log request headers. Guard cannot inspect the server's internal logging configuration directly, but it can alert you to investigate servers that handle authentication tokens.

high severityCurated advisory

MCP authentication token theft via headers

MCP servers that accept authentication tokens in headers can leak those tokens if the server logs requests, shares telemetry, or is compromised. Tokens passed to MCP servers persist in server-side logs and may be accessible to attackers.

Protect my harness Protect a team

Affected surfacesMCP server authenticationHTTP headersserver-side logstelemetry pipelines

The attack

What happens

When an AI agent authenticates to an MCP server, the authentication token is sent in an HTTP header. If the MCP server logs headers, shares telemetry, or is compromised, the token is exposed and can be reused by an attacker.

Step by step

How the attack unfolds

1Agent connects to an MCP server using an OAuth token or API key in the Authorization header.

2The MCP server logs the full request including the Authorization header.

3Logs are sent to a telemetry pipeline, cloud logging service, or shared with a third party.

4An attacker gains access to the logs and extracts the authentication token.

5The attacker reuses the token to access other services that accept the same token.

Example

What it looks like in practice

Scenario

A developer configures Claude Code to use an MCP server called "db-query" with an OAuth token. The db-query server logs all requests including the Authorization header to Datadog for debugging. A Datadog admin sees the token in the logs and uses it to access the developer's database directly.

Detection

How Guard catches this

Guard maintains an inventory of MCP servers that receive authentication tokens.

Guard alerts when a token is reused across multiple MCP servers.

Guard flags MCP servers that log request headers in their telemetry.

Mitigation

How to stop it

Recommended action

Use short-lived tokens for MCP authentication. Rotate tokens regularly. Use Guard to monitor which MCP servers receive authentication tokens and alert on token reuse across servers.

Guard configuration

Enable "MCP token inventory" to track which servers receive authentication tokens.

Enable "Token reuse detection" to alert when the same token is used across multiple servers.

Enable "Header logging detection" to flag MCP servers that log request headers.

FAQ

Common questions

Related advisories

More threats to know about

high

MCP tool description poisoning

Malicious MCP tool descriptions embed hidden instructions that redirect AI agents into calling the wrong tool, exfiltrating secrets, or executing unintended commands — even when the tool itself appears harmless.

Read advisory

medium

Shadow MCP server discovery and persistent access

MCP servers added to a project during development can persist in configuration files and maintain access to the agent’s context window long after they are forgotten. These "shadow" servers continue receiving tool calls and may be modified by attackers who compromise the original server.

Read advisory

Stop this threat before it reaches your agent

Install HOL Guard to get real-time protection against this attack and others like it.

Install HOL Guard See team plans