Secure Model Context Protocol Tools with Open Policy Agent and Quarkus
A new architectural guide demonstrates how to secure Model Context Protocol (MCP) server endpoints using Open Policy Agent (OPA) with Quarkus, preventing unauthorized tool execution by LLMs.
Impact: High
Why it matters
Prevent autonomous agents from running destructive commands on your systems by enforcing robust access control policies on MCP tools.
TL;DR
- 01Securing tool execution is critical to prevent destructive LLM agent exploits.
- 02Using Open Policy Agent separates security policy definition from hardcoded application logic.
- 03Quarkus acts as an efficient gateway to forward MCP execution context to OPA for fast evaluation.
Key facts
- Policy Engine
- Open Policy Agent (OPA)
- Implementation Language
- Rego (for policies)
- Target Framework
- Quarkus (Java)
Decoupled Authorization for MCP Server Endpoints
The core challenge of securing MCP endpoints is that tools often execute shell scripts, database writes, or HTTP requests on behalf of the user. By integrating Open Policy Agent (OPA), authorization policies are written in Rego and decoupled from the application logic. The Quarkus MCP server intercepts incoming tool execution requests, serializes the context (user identity, model calling parameters, and arguments), and queries the OPA engine.
Implementing the Security Guardrails
Developers can write fine-grained policies restricting tools based on parameters, context, or request origin. For example, a file-writing tool can be restricted to specific directories, or critical deployment tools can require a human-in-the-loop validation flag passed along with the payload. This architecture ensures that even if an agent is jailbroken, the underlying security engine rejects unsafe execution calls.
Try it in 2 minutes
package mcp.authz
default allow = false
allow {
input.tool == "read_file"
input.arguments.path == "/tmp/sandbox/"
}rego
✓ When to use
- When exposing powerful system tools, database access, or deployment APIs to LLM agents
- When you want to maintain a centralized, audit-compliant security policy across multiple MCP servers
✕ When NOT to use
- For simple local desktop clients where the agent only interacts with non-destructive local tools
- When building lightweight Python-based MCP servers where adding a Java-based Quarkus container introduces excessive overhead
What to do today
- Define your MCP authorization rules using OPA's Rego language.
- Configure the Quarkus interceptor to serialize MCP execution payloads to your OPA instance.
Sources