The Three-Layer MCP Security Stack: Why Authentication Alone Is Not Enough

The Three-Layer MCP Security Stack: Why Authentication Alone Isn't Enough After publishing our data on MCP server security — 535 servers scanned, 205 without authentication, 1,325 tools exposed — we got a comment that crystallized something we'd been seeing in the data but hadn't articulated clearly. The comment came from someone building A2SPA, a cryptographic payload signing layer for MCP. Their observation: all the attack vectors we documented — credential extraction, unauthenticated tool calls, agent reconnaissance — happen downstream of a gap that authentication doesn't address. Nothing cryptographically verifies that a payload was actually sent by the agent who claims to have sent it, unmodified and authorized. They're right. And they're describing a different layer than the one most MCP servers are missing. Here's how I'd frame the MCP security stack. Layer 1: Authentication (Who Can Call) This is the most basic question: can anyone call your tools, or only authorized clients? O