MCP Server Concepts

Explores the concepts and terms related to Autonomous AI Database MCP Server.

• Audit Logging
  
• Authorization
  
• Controlled Data Access
  
• Model Context Protocol (MCP)
  
• MCP Client
  
• Streamable HTTP Transport
  
• Virtual Private Database (VPD)
  

Audit Logging

The server records token issuance and tool calls. It logs access in OCI SIEM and Database Audit logs. Use audit policies that reference MCP_SERVER_CONTEXT$ attributes (USERNAME and TOOLNAME) to capture who called which tool and when, without storing result data.

Authorization

The startup exchange where the client and the Autonomous AI Database MCP server establish identity and capabilities.

The Autonomous AI Database MCP Server uses the database user for authentication and authorization. Consider adopting a two-schema approach for enhanced security:

• Custom tools should reside in the database user schema used to log in to the MCP server (for example, MCP_USER).
• The PL/SQL functions used to define these tools should be defined in a separate schema (for example, SALES_USER).
• Grant appropriate access from SALES_USER to the MCP_USER schema.

Controlled Data Access

Controlled data access can be achieved by returning only the required rows and masking sensitive fields as necessary. Enforce least privilege with VPD policies that bind access to the user (from MCP_SERVER_ACCESS_CONTEXT$.USER_IDENTITY).

Model Context Protocol (MCP)

MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. In Autonomous AI Database you can enable one MCP server per-database endpoint. See Model Context Protocol for more details.

Autonomous AI Database MCP server supports the OAuth 2.1 and token based authentication.

MCP Client

The agent or chat application (for example, Visual Studio Code with Cline, Claude Desktop and others) that connects to one or more Autonomous AI Database MCP endpoints, lists available tools for the signed‑in user, and calls them to get results.

Streamable HTTP Transport

Streamable HTTP is a transport mode that uses HTTP with Server-Sent Events (SSE) to deliver responses in small, continuous messages instead of one large result. SSE is a web mechanism where the server sends a sequence of small messages to the client over a single open HTTP connection.

The MCP Server uses streamable HTTP to send metadata, tool output, and query results in a steady stream rather than buffering everything before returning it. This supports long-running or large operations without exhausting memory on the client or the server. MCP clients can start processing the response as soon as the server emits the first event. The transport fits MCP’s design, which prioritizes predictable, observable, event-based exchanges between an MCP client and the database.

Virtual Private Database (VPD)

Virtual Private Database (VPD) policy is a feature that adds a security rule to every SQL query a user runs. The rule decides which rows the user can see. A row-level filtering is applied automatically by the database based on the user identity.

Note:

The SESSION_USER used for MCP tools execution is different from the customer database user. Therefore, avoid making security decisions based on SESSION_USER.

When an MCP tool runs, the database sets the username and scope in MCP_SERVER_CONTEXT$. VPD policies reference this context to filter rows for each user. The Database Administrator registers the VPD policy with DBMS_RLS.ADD_POLICY. When an MCP tool runs a read-only SQL operation, the VPD policy ensures that users see only the data they are authorized to view. This strengthens data privacy without changing application code.