June 30, 2026
MCP Auth

Virtual MCP Servers: scope exactly which tools each agent role can call

Standard MCP connections expose every tool in a connector's catalog, even when an agent only needs one. Virtual MCP servers let you define a scoped, reusable endpoint per agent role and resolve user identity at runtime, so agents see only the tools they're allowed to use.

Connecting Gmail to an agent exposes around 30 tools by default, when most roles need one or two. Larger context, worse tool selection, and a bigger surface for misuse all come from the same root cause: tool list and user identity baked into a single static config.

A summarizer agent only calls fetch. With virtual MCP servers, that's the only tool it sees. The role definition is set once and reused across every user; a short-lived session token resolves the right credentials per user at runtime, so the same definition serves a thousand tenants without a thousand separate servers.

What's included

  • Define a virtual MCP server once per agent role, scoped to specific connections and specific tools, not the full catalog.
  • Mint a short-lived session token per user before each run; credentials resolve server-side, never entering agent context or logs.
  • Cuts unused tool definitions from context, reducing overhead by roughly 80% when scoping from 40 tools down to 5-10.
  • Per-tenant credential isolation by default, so one user's data is never reachable by an agent acting for another.
Share on

Virtual MCP Servers: scope exactly which tools each agent role can call

Connecting Gmail to an agent exposes around 30 tools by default, when most roles need one or two. Larger context, worse tool selection, and a bigger surface for misuse all come from the same root cause: tool list and user identity baked into a single static config.

A summarizer agent only calls fetch. With virtual MCP servers, that's the only tool it sees. The role definition is set once and reused across every user; a short-lived session token resolves the right credentials per user at runtime, so the same definition serves a thousand tenants without a thousand separate servers.

What's included

  • Define a virtual MCP server once per agent role, scoped to specific connections and specific tools, not the full catalog.
  • Mint a short-lived session token per user before each run; credentials resolve server-side, never entering agent context or logs.
  • Cuts unused tool definitions from context, reducing overhead by roughly 80% when scoping from 40 tools down to 5-10.
  • Per-tenant credential isolation by default, so one user's data is never reachable by an agent acting for another.
Schedule a demo with Scalekit today.