
Arcade Bolsters Anthropic’s MCP with Secure Authorization Capabilities

Anthropic, the AI company behind the large language model Claude, a year ago introduced the Model Context Protocol (MCP), which is designed to make it easier for AI models and agents to access external data, tools, and applications.

It was a boon for companies adopting AI because it gave them a simple, standardized, and open way to scale their AI applications, improving their accuracy and capabilities by reducing the need for custom integrations through a universal language.

That said, since MCP’s release, security vendors have been designing ways to protect organizations from the security risks the standard brings, which range from data and credential exposure to weak authentication, prompt injections, and other threats, along with the rapid proliferation of AI agents.

In recent months, companies like TrojAI, Graylog, Proofpoint, and SentinelOne have introduced products and services designed to secure MCP servers while preserving the benefits they offer.

Now comes Arcade.dev, which offers a platform developers can use to build AI agents. The San Francisco-based startup this week introduced URL Elicitation, which makes MCP more enterprise-ready by giving users a secure way to ensure agents can authenticate and directly connect with web-based services like Gmail and Slack.

Integrated into the Latest MCP Spec

Arcade developed URL Elicitation with Anthropic through the AI vendor’s Specification Enhancement Proposal (SEP), a formal process for proposing enhancements and extensions for standards like MCP. Arcade’s offering standardizes the secure flow and is now available after being accepted into the latest version of the MCP specification.

Until now, MCP wasn’t production-grade, particularly for enterprises trying to build and deploy multi-user agents, Arcade Founding Engineer Nate Barbettini told MSSP Alert. The security concerns were a hurdle too high to clear.

“Third-party authorization, proper secrets handling, and multi-user context are missing from the MCP spec, or left as an ‘exercise for the reader’ at best,” Barbettini said. “This meant that most fancy MCP demos fell apart as soon as they had more than one user, faced a real security review, or both. While MCP has been terrific for agentic experimentation and local ‘on my own laptop’ use, the reality is that nearly all enterprise agents using MCP have been getting stuck in demo and never reaching production.”

Secure Connections

With URL Elicitation merged into the MCP specification, enterprises can now securely connect MCP agents to real systems, so teams can more easily deploy and integrate production-grade agents.

“OAuth flows, secrets management, and security are now built in, expediting powerful workflow automation across industries,” he said. “Teams can deploy agents that can actually interact with their data, access the tools and apps they use every day, and integrate with their core systems, while ensuring sensitive credential data never passes through the AI model itself.”

Arcade’s SEP builds on an existing authorization spec in MCP based on OAuth 2.1, leveraging the capabilities in that spec for the specific problem of MCP servers interacting with other systems that require direct user interaction.

Solving the Multi-User Agent Problem

“Current MCP authorization describes how an MCP client – Claude, Cursor, a custom agent – securely connects to an MCP server,” Barbettini said. “When there are just two parties in scope – an MCP client and an MCP server – that is sufficient. However, many MCP servers need to call out to other APIs or services, which means there are actually three parties in scope: the MCP client, MCP server, and a third-party API.”

That meant MCP authorization, which has focused only on the two-party problem, did not address securely authorizing to third-party APIs or handling secrets for them.

“That left a wide gap filled with security landmines,” he said. “We observed many MCP server builders trying to solve the third-party problem on their own, because calling out to other APIs is one of the big motivating factors for MCP. Without a standardized and secure pattern that both MCP clients and MCP servers can agree on, the ecosystem would be stuck with sub-optimal solutions.”

MSSPs Can Scale AI-Powered Services

This is also an important step for MSSPs, Barbettini said. Before, MSSPs and other providers had to choose between insecure hardcoded credentials, building custom authentication for each client, or avoiding AI agent deployments altogether. This made it difficult to offer AI-powered services at scale.

“What MSSPs need to know is that there previously wasn’t a mechanism in MCP to securely allow users to authorize access to external systems, perform payment flows, or input sensitive credentials,” he said. “This meant MCP was not well-suited to integrate to the business systems that enterprises care about, and that most MCP servers were a bespoke collection of bad security practices.”

Arcade’s URL Elicitation SEP in MCP “brings the patterns that security teams know and expect to the world of AI agents,” he added. “MSSPs can now confidently deploy production-grade AI agents across hundreds of clients using the same trusted security flows their teams already audit.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
