Merged
3 changes: 3 additions & 0 deletions docs/src/content/docs/introduction/architecture.mdx
Expand Up @@ -266,6 +266,9 @@ flowchart LR
4. All MCP traffic remains within the host boundary: AWF restricts egress, and the gateway routes requests to sandboxed MCP servers.
5. When supported by an agent, AWF creates a trusted `api-proxy` that routes model traffic on the agent's behalf while keeping that traffic behind AWF's network controls. This proxy should not be treated as a separate caller-authentication boundary for arbitrary code already running inside the agent container.

> [!WARNING]
> The MCP gateway API key that is mounted into the agent container is not a strong security boundary against a compromised or malicious agent. An agent running arbitrary code may extract the key from process memory, runtime state, or other in-container channels. Treat this key as leaked by design and rely on substrate isolation, network policy, and staged permission separation for security.

## MCP Server Sandboxing

MCP servers execute within isolated containers, enforcing substrate-level separation between the agent and each server instance. Tool filtering at the configuration level restricts which operations each server may expose, limiting the attack surface available to a compromised agent. This isolation ensures that even if an MCP server is compromised, it cannot access the memory or state of other components.
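Review bot: The new WARNING tells the reader to rely on "substrate isolation, network policy, and staged permission separation", but none of those three terms is defined or linked in this hunk, and the parallel WARNING added to docs/src/content/docs/reference/mcp-gateway.md in the same change phrases the same guidance as "container isolation, network controls, and staged permission boundaries". Pick one set of terms, use it in both files, and link "staged permission separation" to the section that describes it, so a reader who lands on the warning knows which control actually bounds a compromised agent. The key is also described only by what it does not do; a clause on what it still protects against (or why it is mounted at all if it is "leaked by design") would keep the note from reading as if the key were pointless.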
3 changes: 3 additions & 0 deletions docs/src/content/docs/reference/mcp-gateway.md
Expand Up @@ -1051,6 +1051,9 @@ The MCP Gateway uses a simple API key authentication scheme. When `gateway.apiKe
- Implementations MAY use different formats (e.g., direct value or Bearer scheme)
- The specific format is implementation-dependent

> [!WARNING]
> The gateway API key should not be treated as a secure lock against code already running inside the agent container. A sufficiently capable agent may extract it from in-memory process state or other runtime channels. Treat this key as leaked by design and rely on container isolation, network controls, and staged permission boundaries for defense in depth.
**Example formats**:

```http
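Review bot: Missing blank line after the blockquote: `> The gateway API key should not be treated ...` is followed directly by `**Example formats**:`, so under CommonMark that line is a lazy continuation of the blockquote paragraph and "Example formats:" renders inside the WARNING rather than as the lead-in to the ```http block below it. Insert an empty line between the two, as the architecture.mdx hunk does before `## MCP Server Sandboxing`. While here, align the closing sentence with the other file: this one says "container isolation, network controls, and staged permission boundaries", architecture.mdx says "substrate isolation, network policy, and staged permission separation"; the two notes make the same claim and should use the same terms.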