MCP Connector Security: Connecting Only Servers You Trust

How to use MCP connectors safely — the trust boundary of custom connectors, minimizing permissions, prompt injection, and OAuth, based on official guidance.

MCP connectors are a powerful way to plug Claude directly into your tools and data — which makes "which servers you trust" the central safety question. Custom connectors in particular grant Claude access to (and action within) external services that Anthropic has not verified, so understanding the trust boundary is the key to using them safely. This guide summarizes the official principles for using MCP connectors securely.

[Diagram: "A connector is a trust boundary." Claude (acts with your permissions) -> [trust boundary] -> MCP server (tool/data broker, may be unverified) -> External service (files, mail, DB, etc.)] Connecting only trusted servers shrinks the blast radius accordingly.

What custom connectors are — and why caution matters

Custom connectors (built on remote MCP) are available on Claude, Cowork, and Claude Desktop for Free, Pro, Max, Team, and Enterprise plans, and are currently in beta (Free users are limited to one custom connector). MCP (Model Context Protocol) is an open standard created by Anthropic that lets AI apps connect to tools and data.

The official guidance is explicit: custom connectors let you connect Claude to arbitrary services that have not been verified by Anthropic, and connecting grants Claude the ability to access and potentially modify data in those services based on your permissions. That's why it's important to connect only to remote MCP servers you trust and to stay aware of what Claude does through them.

Four principles for safe use (official guidance)

Remote MCP servers act as intermediaries between Claude and external apps. The four principles the official guidance lays out are:

  1. Only connect to trusted servers. Connect Claude only to servers built and hosted by organizations and applications you trust.
  2. Review requested permissions carefully. During OAuth, review what permissions the MCP server requests, limit the scopes when possible, and deny access that seems unnecessary.
  3. Be aware of prompt injection. Malicious MCP servers may embed hidden instructions that try to make Claude perform unintended actions. Claude has built-in protections that attempt to block these, but it's important to watch tool inputs and outputs and connect only to trusted servers.
  4. Monitor changes in tool behavior. Server developers may update tool behavior unexpectedly, which can lead to unintended or malicious behavior.

OAuth authentication and revoking access

When you add a custom connector, you typically go through an OAuth flow to securely sign in and grant specific permissions. This lets Claude interact with the app on your behalf without ever seeing your actual password. You can revoke these permissions any time by disconnecting the connector in Claude's settings or in the third-party service's security settings.

Tool execution — use "Allow always" carefully

Remote MCP servers give Claude tools it can invoke during a conversation. Developer-defined tools can read data, create, modify, or delete data, and take actions on your behalf. Claude can only reach resources you've permitted, but you should:

  • Be aware of the actions Claude takes and confirm that they have no destructive or unintended effects.
  • Review Claude's tool approval requests carefully, and only click "Allow always" for servers and tools you trust to run unsupervised.
  • Use the "Search and tools" menu to disable any tools irrelevant to the current conversation or that you don't want Claude to invoke.

When using Research: During Research, Claude can invoke connector tools automatically without further approval. So disable any tools that can take write actions in external apps, and carefully review which tools you're granting permission to invoke.
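Two of the points above, "monitor changes in tool behavior" and "disable write tools before Research", can be checked mechanically rather than by eye. The script below is an added example, not code from the Help Center article or from Anthropic: it fingerprints each tool a server advertises in its tools/list result (name, description, inputSchema, annotations), diffs that against a saved baseline so a silently changed description or a newly added tool is flagged, and lists the tools to switch off before Research, treating a tool as write-capable unless the server marks it readOnlyHint. The two tools/list results are constructed sample data, and the annotation fields are only hints from a possibly untrusted server, which is why the default assumption is "can write".

```python
import hashlib
import json

def fingerprint(tool: dict) -> str:
    """Hash the fields of a tool definition that the model actually reads."""
    fields = {k: tool.get(k) for k in ("name", "description", "inputSchema", "annotations")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def snapshot(tools_list_result: dict) -> dict:
    """Map tool name -> fingerprint for one tools/list result."""
    return {t["name"]: fingerprint(t) for t in tools_list_result["tools"]}

def diff(baseline: dict, current: dict) -> dict:
    """Report tools that appeared, disappeared, or changed since the saved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in baseline.keys() & current.keys() if baseline[n] != current[n]),
    }

def write_capable(tool: dict) -> bool:
    """Treat a tool as write-capable unless the server marks it read-only.
    Annotations are server-supplied hints, so the conservative default is 'can write'."""
    ann = tool.get("annotations") or {}
    return (not ann.get("readOnlyHint", False)) or bool(ann.get("destructiveHint", False))

def tools_to_disable_for_research(tools_list_result: dict) -> list:
    """Tools to switch off before Research, which auto-invokes tools without approval."""
    return sorted(t["name"] for t in tools_list_result["tools"] if write_capable(t))

# Constructed sample tools/list results (not captured from a real server).
BASELINE = {"tools": [
    {"name": "search_docs", "description": "Search the knowledge base.",
     "inputSchema": {"type": "object"}, "annotations": {"readOnlyHint": True}},
    {"name": "send_email", "description": "Send mail from the user's account.",
     "inputSchema": {"type": "object"}},
]}
CURRENT = {"tools": [
    {"name": "search_docs", "description": "Search the knowledge base and summarize.",
     "inputSchema": {"type": "object"}, "annotations": {"readOnlyHint": True}},
    {"name": "send_email", "description": "Send mail from the user's account.",
     "inputSchema": {"type": "object"}},
    {"name": "delete_file", "description": "Delete a file from the drive.",
     "inputSchema": {"type": "object"}, "annotations": {"destructiveHint": True}},
]}

if __name__ == "__main__":
    print(diff(snapshot(BASELINE), snapshot(CURRENT)))   # search_docs changed, delete_file added
    print(tools_to_disable_for_research(CURRENT))        # delete_file, send_email
```

Store the baseline snapshot when you first connect a server and re-run the diff at the start of later sessions; any "changed" or "added" entry is a reason to re-read the tool before approving it again.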

Reporting malicious MCP servers

If you become aware of a malicious MCP server, report it to Anthropic's vulnerability disclosure program (HackerOne VDP) and choose the modelcontextprotocol repository as the Asset. Model-layer defenses are strong but can never be 100% effective, so keeping your trust boundary narrow is the most reliable protection.

Summary

  • Custom connectors = access/action on Anthropic-unverified external services (currently beta)
  • Trusted servers only → minimize permissions → watch for prompt injection → monitor behavior changes
  • OAuth connects without exposing your password; permissions can be revoked anytime
  • Use "Allow always" and Research auto-invocation only for trusted tools; be cautious with write tools

For finding and choosing connectors, see where to find MCP servers; for connection troubleshooting, see when an MCP connector won't connect; and for the concept itself, see what is MCP.

The security recommendations in this article are based on Anthropic's official Help Center article "Get started with custom connectors using remote MCP" (updated 2026-04-02). As a beta feature, specific policies may change.
