Definition
An MCP endpoint that accepts JSON-RPC traffic without meaningful authentication—or with shared, guessable credentials—lets anyone who can reach the URL list tools and often invoke them.
How it appears in MCP
Clients call tools/list and tools/call over HTTP. If the server does not require a valid bearer token (or equivalent), scanners and opportunistic actors get the same visibility as your internal assistants.
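A minimal server-side gate for the check described above, as an added example that is not MCP Trail's or any MCP SDK's code. It assumes one bearer token per server with only its SHA-256 digest stored; `TOKEN_DIGESTS`, `token_ok`, `gate`, the server names and the token values are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: only SHA-256 digests of per-server tokens are stored.
TOKEN_DIGESTS = {
    "billing-mcp": hashlib.sha256(b"constructed-token-billing").hexdigest(),
    "search-mcp": hashlib.sha256(b"constructed-token-search").hexdigest(),
}


def token_ok(server_id, headers):
    """Constant-time check that the bearer token belongs to this server."""
    expected = TOKEN_DIGESTS.get(server_id)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    token = token.strip()
    if expected is None or scheme.lower() != "bearer" or not token:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(presented, expected)


def gate(server_id, headers, body):
    """Return (status, detail); only status 200 may be forwarded upstream."""
    headers = {k.lower(): v for k, v in headers.items()}
    # Authenticate before parsing, so tools/list and tools/call are both closed
    # to anonymous callers and the reply does not depend on the method.
    if not token_ok(server_id, headers):
        return 401, "unauthorized"
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return 400, "invalid JSON"
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return 400, "invalid JSON-RPC request"
    return 200, msg["method"]


if __name__ == "__main__":
    call = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/list"})
    print(gate("billing-mcp", {}, call))
    print(gate("billing-mcp", {"Authorization": "Bearer constructed-token-search"}, call))
    print(gate("billing-mcp", {"Authorization": "Bearer constructed-token-billing"}, call))
```

A token issued for one server is rejected on another, so a leaked credential does not open every upstream.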
Example pattern
Public HTTP deployments, misconfigured reverse proxies, and “temporary” dev endpoints left reachable from the internet have led to tool catalog exposure and unauthenticated invocation in many API-adjacent systems; MCP inherits the same failure mode when servers are fronted naïvely.
What MCP Trail does on the Guardian path
Guardian sits in front of upstream MCP URLs: clients authenticate with per-server bearer tokens, traffic is logged, and policy (allowlists, DLP, HITL) applies before requests reach your upstream. The free MCP Playground can help validate exposure assumptions on a URL you provide; full enforcement requires routing through Guardian.
What still needs process
Train teams on secret handling, review vendor and internal servers under change control, and treat MCP URLs like production API surfaces.