Model Context Protocol authorization decides which tools an agent client can reach. EMILIA Protocol decides whether the specific tool invocation about to execute was authorized by a named human. Both layers are required for any MCP tool that touches money, infrastructure, or user data.
MCP servers expose tools. The MCP authorization spec — built on OAuth 2.1 — answers which tools a client is allowed to call. Once a client holds a valid token with the right scopes, every call to a permitted tool succeeds. This is the right layer for distinguishing trusted clients from untrusted ones.
MCP authorization makes no statement about whether the arguments to a permitted call were authorized. A client with the send_wire scope can invoke send_wire(account, amount, beneficiary) with any well-formed arguments. The MCP server has no signal that distinguishes a human-approved invocation from a prompt-injected one.
For tools that move money, change infrastructure, escalate permissions, export data, or trigger irreversible state changes, scope-level authorization is the floor — not the ceiling.

| Dimension | MCP authorization (alone) | EP on top of MCP |
|---|---|---|
| Authorizes | Which tools the client can call | Whether THIS specific call was approved |
| Granularity | Tool-level scopes | Per-invocation parameter binding |
| Replay protection | Token expiry | One-time consumable per action |
| Human accountability | Out of scope | Named principal signoff bound to action |
| Output evidence | Server logs | Self-verifying trust receipt |
| Composes with OAuth | Yes (recommended) | Yes — sits above MCP + OAuth |

A high-risk MCP tool wraps its handler with the EP SDK. When the agent invokes the tool, the MCP server first verifies the client's OAuth token (MCP authorization), then asks EP whether a valid handshake exists for these exact arguments. If the handshake is missing or doesn't match, the tool refuses to execute — and the client surfaces a request for human signoff before retrying.
The EP MCP server itself ships 34 tools for protocol operations and reference workflows; the SDK pattern is a 3-line wrap of any other tool you want to gate.
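
The two-layer check described above, as an added Python sketch that is not the EP SDK or any code from the project. `ApprovalStore`, `gated`, `action_digest` and `ApprovalRequired` are hypothetical names, binding an approval to a SHA-256 digest of canonical JSON arguments is an assumption about how "these exact arguments" could be matched, and the token is assumed to have been verified upstream so that only its scopes reach the wrapper.

```python
import hashlib
import json
import time

class ApprovalRequired(Exception):
    """No matching human approval; the client should request signoff and retry."""

def action_digest(tool, args):
    # Canonical JSON (sorted keys, fixed separators) so argument order is irrelevant.
    canon = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

class ApprovalStore:
    """Hypothetical in-memory stand-in for the approval service."""
    def __init__(self):
        self._pending = {}  # digest -> (principal, expiry timestamp)

    def approve(self, principal, tool, args, ttl=300, now=None):
        now = time.time() if now is None else now
        self._pending[action_digest(tool, args)] = (principal, now + ttl)

    def consume(self, tool, args, now=None):
        now = time.time() if now is None else now
        # pop() makes the approval one-time: a replay finds nothing.
        entry = self._pending.pop(action_digest(tool, args), None)
        if entry is None or entry[1] < now:
            raise ApprovalRequired(f"no valid approval for this {tool} call")
        return entry[0]

def gated(store, tool, scope):
    """Wrap a tool handler with a scope check, then a per-invocation approval check."""
    def wrap(handler):
        def call(token_scopes, **args):
            if scope not in token_scopes:  # layer 1: scopes from an already-verified token
                raise PermissionError(f"token lacks scope {scope}")
            principal = store.consume(tool, args)  # layer 2: exact-argument approval
            return {"result": handler(**args), "approved_by": principal,
                    "action": action_digest(tool, args)}
        return call
    return wrap

STORE = ApprovalStore()

@gated(STORE, "send_wire", "send_wire")
def send_wire(account, amount, beneficiary):
    return f"wired {amount} from {account} to {beneficiary}"  # constructed placeholder effect
```

A call whose arguments differ from the approved ones hashes to a different digest and is refused without consuming the pending approval, so the approved call can still proceed once.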