Movatterモバイル変換

[0]ホーム
URL:

Skip to main content
Client Features

Elicitation

Protocol Revision: draft
The Model Context Protocol (MCP) provides a standardized way for servers to request additionalinformation from users through the client during interactions. This flow allows clients tomaintain control over user interactions and data sharing while enabling servers to gathernecessary information dynamically.Elicitation supports two modes:
  • Form mode: Servers can request structured data from users with optional JSON schemas to validate responses
  • URL mode: Servers can direct users to external URLs for sensitive interactions that mustnot pass through the MCP client

User Interaction Model

Elicitation in MCP allows servers to implement interactive workflows by enabling user inputrequests to occurnested inside other MCP server features.Implementations are free to expose elicitation through any interface pattern that suitstheir needs—the protocol itself does not mandate any specific user interactionmodel.
For trust & safety and security:
  • ServersMUST NOT use form mode elicitation to request sensitive information
  • ServersMUST use URL mode for interactions involving sensitive information, such as credentials
MCP clientsMUST:
  • Provide UI that makes it clear which server is requesting information
  • Respect user privacy and provide clear decline and cancel options
  • For form mode, allow users to review and modify their responses before sending
  • For URL mode, clearly display the target domain/host and gather user consent before navigation to the target URL

Capabilities

Clients that support elicitationMUST declare theelicitation capability duringinitialization:
{  "capabilities": {    "elicitation": {      "form": {},      "url": {}    }  }}
For backwards compatibility, an empty capabilities object is equivalent to declaring support forform mode only:
{  "capabilities": {    "elicitation": {},// Equivalent to { "form": {} }  },}
Clients declaring theelicitation capabilityMUST support at least one mode (form orurl).ServersMUST NOT send elicitation requests with modes that are not supported by the client.

Protocol Messages

Elicitation Requests

To request information from a user, servers send anelicitation/create request.All elicitation requestsMUST include the following parameters:
NameTypeOptionsDescription
modestringform,urlThe mode of the elicitation. Optional for form mode (defaults to"form" if omitted).
messagestringA human-readable message explaining why the interaction is needed.
Themode parameter specifies the type of elicitation:
  • "form": In-band structured data collection with optional schema validation. Data is exposed to the client.
  • "url": Out-of-band interaction via URL navigation. Data (other than the URL itself) isnot exposed to the client.
For backwards compatibility, serversMAY omit themode field for form mode elicitation requests. ClientsMUST treat requests without amode field as form mode.

Form Mode Elicitation Requests

Form mode elicitation allows servers to collect structured data directly through the MCP client.Form mode elicitation requestsMUST either specifymode: "form" or omit themode field, and include these additional parameters:
NameTypeDescription
requestedSchemaobjectA JSON Schema defining the structure of the expected response.

Requested Schema

TherequestedSchema parameter allows servers to define the structure of the expectedresponse using a restricted subset of JSON Schema.To simplify client user experience, form mode elicitation schemas are limited to flat objectswith primitive properties only.The schema is restricted to these primitive types:
  1. String Schema
    {  "type":"string",  "title":"Display Name",  "description":"Description text",  "minLength":3,  "maxLength":50,  "pattern":"^[A-Za-z]+$",  "format":"email",  "default":"[email protected]"}
    Supported formats:email,uri,date,date-time
  2. Number Schema
    {  "type":"number",// or "integer"  "title":"Display Name",  "description":"Description text",  "minimum":0,  "maximum":100,  "default":50}
  3. Boolean Schema
    {  "type":"boolean",  "title":"Display Name",  "description":"Description text",  "default":false}
  4. Enum SchemaSingle-select enum (without titles):
    {  "type":"string",  "title":"Color Selection",  "description":"Choose your favorite color",  "enum": ["Red","Green","Blue"],  "default":"Red"}
    Single-select enum (with titles):
    {  "type":"string",  "title":"Color Selection",  "description":"Choose your favorite color",  "oneOf": [    {"const":"#FF0000","title":"Red" },    {"const":"#00FF00","title":"Green" },    {"const":"#0000FF","title":"Blue" }  ],  "default":"#FF0000"}
    Multi-select enum (without titles):
    {  "type":"array",  "title":"Color Selection",  "description":"Choose your favorite colors",  "minItems":1,  "maxItems":2,  "items": {    "type":"string",    "enum": ["Red","Green","Blue"]  },  "default": ["Red","Green"]}
    Multi-select enum (with titles):
    {  "type":"array",  "title":"Color Selection",  "description":"Choose your favorite colors",  "minItems":1,  "maxItems":2,  "items": {    "anyOf": [      {"const":"#FF0000","title":"Red" },      {"const":"#00FF00","title":"Green" },      {"const":"#0000FF","title":"Blue" }    ]  },  "default": ["#FF0000","#00FF00"]}
Clients can use this schema to:
  1. Generate appropriate input forms
  2. Validate user input before sending
  3. Provide better guidance to users
All primitive types support optional default values to provide sensible starting points. Clients that support defaults SHOULD pre-populate form fields with these values.Note that complex nested structures, arrays of objects (beyond enums), and other advanced JSON Schema features are intentionally not supported to simplify client user experience.

Example: Simple Text Request

Request:
{  "jsonrpc":"2.0",  "id":1,  "method":"elicitation/create",  "params": {    "mode":"form",    "message":"Please provide your GitHub username",    "requestedSchema": {      "type":"object",      "properties": {        "name": {          "type":"string"        }      },      "required": ["name"]    }  }}
Response:
{  "jsonrpc":"2.0",  "id":1,  "result": {    "action":"accept",    "content": {      "name":"octocat"    }  }}

Example: Structured Data Request

Request:
{  "jsonrpc":"2.0",  "id":2,  "method":"elicitation/create",  "params": {    "mode":"form",    "message":"Please provide your contact information",    "requestedSchema": {      "type":"object",      "properties": {        "name": {          "type":"string",          "description":"Your full name"        },        "email": {          "type":"string",          "format":"email",          "description":"Your email address"        },        "age": {          "type":"number",          "minimum":18,          "description":"Your age"        }      },      "required": ["name","email"]    }  }}
Response:
{  "jsonrpc":"2.0",  "id":2,  "result": {    "action":"accept",    "content": {      "name":"Monalisa Octocat",      "email":"[email protected]",      "age":30    }  }}

URL Mode Elicitation Requests

New feature: URL mode elicitation is introduced in the2025-11-25 version of the MCP specification. Its design and implementation may change in future protocol revisions.
URL mode elicitation enables servers to direct users to external URLs for out-of-band interactions that must not pass through the MCP client. This is essential for auth flows, payment processing, and other sensitive or secure operations.URL mode elicitation requestsMUST specifymode: "url", amessage, and include these additional parameters:
NameTypeDescription
urlstringThe URL that the user should navigate to.
elicitationIdstringA unique identifier for the elicitation.
Theurl parameterMUST contain a valid URL.
Important: URL mode elicitation isnot for authorizing the MCP client’saccess to the MCP server (that’s handled byMCPauthorization). Instead, it’s used when the MCPserver needs to obtain sensitive information or third-party authorization onbehalf of the user. The MCP client’s bearer token remains unchanged. Theclient’s only responsibility is to provide the user with context about theelicitation URL the server wants them to open.

Example: Request Sensitive Data

This example shows a URL mode elicitation request directing the user to a secure URL where they can provide sensitive information (an API key, for example).The same request could direct the user into an OAuth authorization flow, or a payment flow. The only difference is the URL and the message.Request:
{  "jsonrpc":"2.0",  "id":3,  "method":"elicitation/create",  "params": {    "mode":"url",    "elicitationId":"550e8400-e29b-41d4-a716-446655440000",    "url":"https://mcp.example.com/ui/set_api_key",    "message":"Please provide your API key to continue."  }}
Response:
{  "jsonrpc":"2.0",  "id":3,  "result": {    "action":"accept"  }}
The response withaction: "accept" indicates that the user has consented to theinteraction. It does not mean that the interaction is complete. The interaction occurs outof band and the client is not aware of the outcome until and unless the server sends a notification indicating completion.

Completion Notifications for URL Mode Elicitation

ServersMAY send anotifications/elicitation/complete notification when anout-of-band interaction started by URL mode elicitation is completed. This allows clients to react programmatically if appropriate.Servers sending notifications:
  • MUST only send the notification to the client that initiated the elicitation request.
  • MUST include theelicitationId established in the originalelicitation/create request.
Clients:
  • MUST ignore notifications referencing unknown or already-completed IDs.
  • MAY wait for this notification to automatically retry requests that received aURLElicitationRequiredError, update the user interface, or otherwise continue an interaction.
  • SHOULD still provide manual controls that let the user retry or cancel the original request (or otherwise resume interacting with the client) if the notification never arrives.

Example

{  "jsonrpc":"2.0",  "method":"notifications/elicitation/complete",  "params": {    "elicitationId":"550e8400-e29b-41d4-a716-446655440000"  }}

URL Elicitation Required Error

When a request cannot be processed until an elicitation is completed, the serverMAY return aURLElicitationRequiredError (code-32042) to indicate to the client that a URL mode elicitation is required. The serverMUST NOT return this error except when URL mode elicitation is required.The errorMUST include a list of elicitations that are required to complete before the original can be retried.Any elicitations returned in the errorMUST be URL mode elicitations and have anelicitationId property.Error Response:
{  "jsonrpc":"2.0",  "id":2,  "error": {    "code":-32042,// URL_ELICITATION_REQUIRED    "message":"This request requires more information.",    "data": {      "elicitations": [        {          "mode":"url",          "elicitationId":"550e8400-e29b-41d4-a716-446655440000",          "url":"https://mcp.example.com/connect?elicitationId=550e8400-e29b-41d4-a716-446655440000",          "message":"Authorization is required to access your Example Co files."        }      ]    }  }}

Message Flow

Form Mode Flow

URL Mode Flow

URL Mode With Elicitation Required Error Flow

Response Actions

Elicitation responses use a three-action model to clearly distinguish between different user actions. These actions apply to both form and URL elicitation modes.
{  "jsonrpc":"2.0",  "id":1,  "result": {    "action":"accept",// or "decline" or "cancel"    "content": {      "propertyName":"value",      "anotherProperty":42    }  }}
The three response actions are:
  1. Accept (action: "accept"): User explicitly approved and submitted with data
    • For form mode: Thecontent field contains the submitted data matching the requested schema
    • For URL mode: Thecontent field is omitted
    • Example: User clicked “Submit”, “OK”, “Confirm”, etc.
  2. Decline (action: "decline"): User explicitly declined the request
    • Thecontent field is typically omitted
    • Example: User clicked “Reject”, “Decline”, “No”, etc.
  3. Cancel (action: "cancel"): User dismissed without making an explicit choice
    • Thecontent field is typically omitted
    • Example: User closed the dialog, clicked outside, pressed Escape, browser failed to load, etc.
Servers should handle each state appropriately:
  • Accept: Process the submitted data
  • Decline: Handle explicit decline (e.g., offer alternatives)
  • Cancel: Handle dismissal (e.g., prompt again later)

Implementation Considerations

Statefulness

Most practical uses of elicitation require that the server maintain state about users:
  • Whether required information has been collected (e.g., the user’s display name via form mode elicitation)
  • Status of resource access (e.g., API keys or a payment flow via URL mode elicitation)
Servers implementing elicitationMUST securely associate this state with individual users following the guidelines in thesecurity best practices document. Specifically:
  • StateMUST NOT be associated with session IDs alone
  • State storageMUST be protected against unauthorized access
  • For remote MCP servers, user identificationMUST be derived from credentials acquired viaMCP authorization when possible (e.g.sub claim)
The examples in this section are non-normative and illustrate potential usesof elicitation. Implementers should adapt these patterns to their specificrequirements while maintaining security best practices.

URL Mode Elicitation for Sensitive Data

For servers that interact with external APIs requiring sensitive information (e.g., credentials, payment information), URL mode elicitation provides a secure mechanism for users to provide this information without exposing it to the MCP client.In this pattern:
  1. The server directs users to a secure web page (served over HTTPS)
  2. The page presents a branded form UI on a domain the user trusts
  3. Users enter sensitive credentials directly into the secure form
  4. The server stores credentials securely, bound to the user’s identity
  5. Subsequent MCP requests use these stored credentials for API access
This approach ensures that sensitive credentials never pass through the LLM context, MCP client or any intermediate MCP servers, reducing the risk of exposure through client-side logging or other attack vectors.

URL Mode Elicitation for OAuth Flows

URL mode elicitation enables a pattern where MCP servers act as OAuth clients to third-party resource servers.Authorization with external APIs enabled by URL mode elicitation is separate fromMCP authorization. MCP serversMUST NOT rely on URL mode elicitation to authorize users for themselves.

Understanding the Distinction

  • MCP Authorization: Required OAuth flow between the MCP client and MCP server (covered in theauthorization specification)
  • External (third-party) Authorization: Optional authorization between the MCP server and a third-party resource server, initiated via URL mode elicitation
In external authorization, the server acts as both:
  • An OAuth resource server (to the MCP client)
  • An OAuth client (to the third-party resource server)
Example scenario:
  • An MCP client connects to an MCP server
  • The MCP server integrates with various different third-party services
  • When the MCP client calls a tool that requires access to a third-party service, the MCP server needs credentials for that service
The critical security requirements are:
  1. The third-party credentials MUST NOT transit through the MCP client: The client must never see third-party credentials to protect the security boundary
  2. The MCP server MUST NOT use the client’s credentials for the third-party service: That would betoken passthrough, which is forbidden
  3. The user MUST authorize the MCP server directly: The interaction happens outside the MCP protocol, without involving the MCP client
  4. The MCP server is responsible for tokens: The MCP server is responsible for storing and managing the third-party tokens obtained through the URL mode elicitation (in other words, the MCP server must be stateful).
Credentials obtained via URL mode elicitation are distinct from the MCP server credentials used by the MCP client. The MCP serverMUST NOT transmit credentials obtained through URL mode elicitation to the MCP client.
For additional background, refer to thetoken passthroughsection of the SecurityBest Practices document to understand why MCP servers cannot act aspass-through proxies.

Implementation Pattern

When implementing external authorization via URL mode elicitation:
  1. The MCP server generates an authorization URL, acting as an OAuth client to the third-party service
  2. The MCP server stores internal state that associates (binds) the elicitation request with the user’s identity.
  3. The MCP server sends a URL mode elicitation request to the client with a URL that can start the authorization flow.
  4. The user completes the OAuth flow directly with the third-party authorization server
  5. The third-party authorization server redirects back to the MCP server
  6. The MCP server securely stores the third-party tokens, bound to the user’s identity
  7. Future MCP requests can leverage these stored tokens for API access to the third-party resource server
The following is a non-normative example of how this pattern could be implemented:This pattern maintains clear security boundaries while enabling rich integrations with third-party services that require user authorization.

Error Handling

ServersMUST return standard JSON-RPC errors for common failure cases:
  • When a request cannot be processed until an elicitation is completed:-32042 (URLElicitationRequiredError)
ClientsMUST return standard JSON-RPC errors for common failure cases:
  • Server sends anelicitation/create request with a mode not declared in client capabilities:-32602 (Invalid params)

Security Considerations

  1. ServersMUST bind elicitation requests to the client and user identity
  2. ClientsMUST provide clear indication of which server is requesting information
  3. ClientsSHOULD implement user approval controls
  4. ClientsSHOULD allow users to decline elicitation requests at any time
  5. ClientsSHOULD implement rate limiting
  6. ClientsSHOULD present elicitation requests in a way that makes it clear what information is being requested and why

Safe URL Handling

MCP servers requesting elicitation:
  1. MUST NOT include sensitive information about the end-user, including credentials, personal identifiable information, etc., in the URL sent to the client in a URL elicitation request.
  2. MUST NOT provide a URL which is pre-authenticated to access a protected resource, as the URL could be used to impersonate the user by a malicious client.
  3. SHOULD NOT include URLs intended to be clickable in any field of a form mode elicitation request.
  4. SHOULD use HTTPS URLs for non-development environments.
These server requirements ensure that client implementations have clear rules about when to present a URL to the user, so that the client-side rules (below) can be consistently applied.Clients implementing URL mode elicitationMUST handle URLs carefully to prevent users from unknowingly clicking malicious links.When handling URL mode elicitation requests, MCP clients:
  1. MUST NOT automatically pre-fetch the URL or any of its metadata.
  2. MUST NOT open the URL without explicit consent from the user.
  3. MUST show the full URL to the user for examination before consent.
  4. MUST open the URL provided by the server in a secure manner that does not enable the client or LLM to inspect the content or user inputs.For example, on iOS,SFSafariViewController is good, butWkWebView is not.
  5. SHOULD highlight the domain of the URL to mitigate subdomain spoofing.
  6. SHOULD have warnings for ambiguous/suspicious URIs (i.e., containing Punycode).
  7. SHOULD NOT render URLs as clickable in any field of an elicitation request, except for theurl field in a URL elicitation request (with the restrictions detailed above).

Identifying the User

ServersMUST NOT rely on client-provided user identification without server verification, as this can be forged.Instead, serversSHOULD followsecurity best practices.Non-normative examples:

Form Mode Security

  1. ServersMUST NOT request sensitive information (passwords, API keys, etc.) via form mode
  2. ClientsSHOULD validate all responses against the provided schema
  3. ServersSHOULD validate received data matches the requested schema

Phishing

URL mode elicitation returns a URL that an attacker can use to send to a victim. The MCP ServerMUST verify the identity of the user who opens the URL before accepting information.Typically identity verification is done by leveraging theMCP authorization server to identify the user, through a session cookie or equivalent in the browser.For example, URL mode elicitation may be used to perform OAuth flows where the server acts as an OAuth client of another resource server. Without proper mitigation, the following phishing attack is possible:
  1. A malicious user (Alice) connected to a benign server triggers an elicitation request
  2. The benign server generates an authorization URL, acting as an OAuth client of a third-party authorization server
  3. Alice’s client displays the URL and asks for consent
  4. Instead of clicking on the link, Alice tricks a victim user (Bob) of the same benign server into clicking it
  5. Bob opens the link and completes the authorization, thinking they are authorizing their own connection to the benign server
  6. The benign server receives a callback/redirect from the third-party authorization server, and assumes it’s Alice’s request
  7. The tokens for the third-party server are bound to Alice’s session and identity, instead of Bob’s, resulting in an account takeover
To prevent this attack, the serverMUST ensure that the user who started the elicitation request (the end-user who is accessing the server via the MCP client) is the same user who completes the authorization flow.There are many ways to achieve this and the best way will depend on the specific implementation.As a common, non-normative example, consider a case where the MCP server is accessible via the web and desires to perform a third-party authorization code flow.To prevent the phishing attack, the server would create a URL mode elicitation tohttps://mcp.example.com/connect?elicitationId=... rather than the third-party authorization endpoint.This “connect URL” must ensure the user who opened the page is the same user who the elicitation was generated for.It would, for example, check that the user has a valid session cookie and that the session cookie is for the same user who was using the MCP client to generate the URL mode elicitation.This could be done by comparing the authoritative subject (sub claim) from the MCP server’s authorization server to the subject from the session cookie.Once that page ensures the same user, it can send the user to the third-party authorization server athttps://example.com/authorize?... where a normal OAuth flow can be completed.In other cases, the server may not be accessible via the web and may not be able to use a session cookie to identify the user.In this case, the server must use a different mechanism to identify the user who opens the elicitation URL is the same user who the elicitation was generated for.In all implementations, the serverMUST ensure that the mechanism to determine the user’s identity is resilient to attacks where an attacker can modify the elicitation URL.

Was this page helpful?

⌘I
[8]ページ先頭
©2009-2026 Movatter.jp