Skip to content

Commit 39884fd

Browse files
committed
Document that subscription filters carry no per-client authorization
Any client may subscribe to any URI, including one it cannot read, and will receive update notifications for it (resource existence and change timing - never content). Multi-tenant servers should not publish sensitive per-user URIs, or should serve the method with their own handler and narrow the filter before acking; a narrowing hook on the built-in handler is a candidate follow-up.
1 parent badcba0 commit 39884fd

1 file changed

Lines changed: 8 additions & 0 deletions

File tree

docs/advanced/subscriptions.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,14 @@ The SDK serves `subscriptions/listen` for you — `MCPServer` registers the hand
3333

3434
The filter is a contract. A stream that requested tool-list changes and one resource URI receives those two kinds and nothing else — publish a prompt change and that stream stays silent. Resource URIs are matched as exact strings: `note://todo` does not cover `note://todo/draft`.
3535

36+
!!! warning
37+
Filters are honored without per-client authorization: any client may name any URI —
38+
including one it cannot read — and will receive update notifications for it (resource
39+
existence and change timing, never content). On a multi-tenant server, don't publish
40+
sensitive per-user URIs through `notify_resource_updated`, or serve the method with
41+
your own handler on the low-level `Server` and narrow the filter there before acking —
42+
the honored subset exists in the protocol precisely so servers can do this.
43+
3644
Two more things the stream is *not*:
3745

3846
* **It is not a replay log.** A dropped stream is gone; events published while nobody was connected are not queued. The client's contract is to re-listen and re-fetch what it cares about.

0 commit comments

Comments
 (0)