Using roots to enforce scope

Last update: May 18, 2026

Configure MCP roots as strict security boundaries by limiting access to only the directories or URIs that a tool genuinely requires.

Overview

Roots define which parts of the environment an MCP server is allowed to access, such as specific directories or resource URIs. Treat roots as explicit security boundaries that restrict visibility and prevent unintended data exposure.

Define narrow roots

  • Point roots only to directories or URIs that tools explicitly need, such as a dedicated logs or reports folder.
  • Avoid broad roots that expose the entire file system, shared home directories, or other large storage areas.
  • Do not include locations that may contain source code, credentials, configuration files, or private data unless absolutely required.

Separate roots by use case

  • Assign distinct, minimal roots to different tool categories, such as log analysis tools versus customer export tools.
  • Limit cross-visibility so that a defect or misuse in one tool does not automatically grant access to unrelated data.
  • Design root boundaries to reflect functional and data ownership boundaries within your system.

Review roots during changes

  • Evaluate root configuration whenever adding a new tool or feature.
  • Verify what data resides under a proposed root before granting access.
  • Confirm that all data exposed by the root is appropriate for agent-level access.
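
The following added example (not part of the original page or of any MCP SDK) shows one way to apply the three practices above for file-system roots: a per-category containment check that resolves `..` and symlinks before comparing, and an audit that flags overly broad or overlapping roots during review. The category names, paths, and function names are assumptions made for illustration, and POSIX paths are assumed.

```python
from pathlib import Path

# Constructed sample configuration: one minimal root list per tool category.
ROOTS_BY_CATEGORY = {
    "log_analysis": ["/srv/app/logs"],
    "customer_export": ["/srv/exports/customers"],
}


def inside(path: Path, root: Path) -> bool:
    """True if path is the root itself or lies beneath it."""
    return path == root or root in path.parents


def is_allowed(category, requested, roots_by_category=ROOTS_BY_CATEGORY):
    """Allow a path only if it resolves inside a root assigned to this category."""
    # resolve() collapses ".." and follows symlinks, so a link that points
    # out of the root is judged by its real destination.
    target = Path(requested).resolve()
    roots = roots_by_category.get(category, [])  # unknown category: no access
    return any(inside(target, Path(r).resolve()) for r in roots)


def audit_roots(roots_by_category=ROOTS_BY_CATEGORY):
    """Return sorted (category, root, finding) tuples to review before rollout."""
    resolved = {c: [Path(r).resolve() for r in rs]
                for c, rs in roots_by_category.items()}
    findings = set()
    for cat, roots in resolved.items():
        for root in roots:
            # "/", a single top-level directory, or a whole user home directory.
            if len(root.parts) <= 2 or root.parent == Path("/home"):
                findings.add((cat, str(root), "too broad"))
            for other, other_roots in resolved.items():
                if other == cat:
                    continue
                # Equal or nested roots give one category sight of another's data.
                if any(inside(root, o) or inside(o, root) for o in other_roots):
                    findings.add((cat, str(root), f"overlaps {other}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_roots():
        print(finding)
    print(is_allowed("log_analysis", "/srv/app/logs/../../exports/customers/a.csv"))
```

Run the audit whenever a root is added or changed, and call the containment check on every path a tool receives rather than only at configuration time.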