This article explores the architecture and security model behind an MCP (Model Context Protocol) server used as a team knowledge base system called intent-brain.
The system sits on top of a Fastify HTTP API and is accessed through an MCP interface so developers can query institutional knowledge directly from their coding environment.
Initially, the system used a single shared API key for authentication, which worked in early development but quickly revealed critical limitations in a multi-user environment.
Specifically, a shared key makes per-user auditing impossible and forces a full credential rotation whenever access is revoked for a single user. To address this, the system introduces a structured authentication and authorization redesign. First, per-user bearer tokens replace the shared key, mapping each request to a distinct identity consisting of an actor and a role (admin or member). This allows fine-grained revocation and proper attribution of every action.
Second, a server-side write gate is implemented as Fastify middleware, enforcing role-based access control on mutating endpoints such as memory updates, policy changes, and imports. This ensures that only admin users can perform sensitive operations, regardless of how the request reaches the server. The article emphasizes that MCP client-side tool gating is not a security boundary but a user-experience feature: a client may hide write tools from non-admin users, but that does nothing to stop a direct API call made outside the client. True enforcement must therefore reside at the API layer.
Additionally, the system introduces a separate access log for read operations, distinguishing query telemetry from the immutable governance audit chain.This separation preserves the integrity of the audit system while still enabling observability.
The piece concludes by highlighting tradeoffs, including in-memory token storage, backward compatibility with the legacy shared key, and the importance of treating client controls as UX rather than enforcement. The central thesis is that real security boundaries exist only at the API level, not in client-facing tool design.