Secure Mediation & Translation: How Itential MCP Enables Controlled AI-Infrastructure Integration

Joksan Flores

Principal Solutions Engineer ‐ Itential

October 30, 2025

Executive Summary

The Itential Model Context Protocol (MCP) Server, combined with the Itential Platform, implements a comprehensive security architecture that ensures AI systems never have direct access to infrastructure. Every AI request flows through a structured mediation layer that validates, translates, and controls execution – providing full traceability while maintaining strict boundaries between AI interfaces and infrastructure operations.


The Security Challenge

As organizations adopt AI-powered automation, a critical question emerges: How do we enable AI assistants to manage complex infrastructure without exposing systems to uncontrolled access? The answer lies in secure mediation – a protective layer that sits between AI systems and production infrastructure.



Architecture Overview

The Itential MCP implements the open Model Context Protocol specification, providing a standardized communication framework between Large Language Models (LLMs) and the Itential Platform. This architecture ensures that AI systems interact with infrastructure through controlled, auditable channels rather than direct API access.

Core Security Components

  • Protocol Implementation: Implements MCP specification with stdio and HTTP transports, providing standardized tool discovery and execution interfaces.
  • Authentication & Authorization: JWT-based authentication with JWKS lookup for MCP client-to-server connections. HTTP Basic Authentication and OAuth 2.0 client credentials flow for MCP server-to-platform connectivity.
  • Client Mediation Layer: Custom PlatformClient wrapper with automatic service discovery, standardized HTTP methods, and comprehensive exception handling.

How Mediation Works

Every AI request follows a five-step security flow:

  1. AI Request Reception: AI assistant formulates natural language requests, which MCP clients translate into structured tool calls arriving via stdio or HTTP transport.
  2. Authentication & Validation: Server validates JWT tokens from MCP clients, validates request structure against tool schemas, and type-checks parameters.
  3. Translation to Platform Operations: Tool functions map AI requests to specific Itential Platform API endpoints, with the service layer translating generic requests into platform-specific operations.
  4. Controlled Execution: Platform client executes API calls with proper authentication within authenticated user permission context, capturing results for AI consumption.
  5. Response & Logging: API responses are wrapped in standardized Response objects, all exchanges are logged with configurable verbosity, and results return to the AI assistant in structured format.

The AI never directly calls the Itential Platform API – every interaction flows through the mediation layer.



Security Boundaries

No Direct Infrastructure Access

The MCP enforces strict separation between AI systems and infrastructure across four distinct layers:

  • AI Layer: Natural language requests, unstructured intent
  • MCP: Structured protocol, validated tool calls, authentication
  • Itential Platform: Authorized API operations, workflow orchestration
  • Infrastructure: Network devices, cloud resources, services

Multiple Authentication Layers

Three authentication boundaries ensure proper access control:

  1. MCP Client → MCP Server: JWT verification with JWKS support
  2. MCP Server → Itential Platform: Basic Auth or OAuth 2.0 client credentials
  3. Itential Platform → Infrastructure: Platform-managed device credentials and API keys

Each layer maintains its own authentication context, preventing credential exposure across boundaries.


Tool-Level Access Control

The MCP implements granular access control through a comprehensive tagging system with 11 tag groups including system, configuration_manager, devices, operations_manager, adapters, applications, automation_studio, gateway_manager, integrations, lifecycle_manager, and workflow_engine. This enables role-based configurations:

# Platform Administrator - System monitoring only
itential-mcp run --include-tags "system,adapters,applications"

# Network Operator - Device operations only
itential-mcp run --include-tags "devices,configuration_manager" \
                 --exclude-tags "adapters,applications"
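
The validation, translation and logging steps from "How Mediation Works" and the tag filtering shown above can be modelled in a few lines. This is an added Python example, not Itential's code: the tool names get_health and restart_adapter and the tag names come from this article, while get_devices, the parameter schemas, the placeholder paths, the include/exclude semantics and the identifier allow-list are assumptions.

```python
import json
import logging
import re

log = logging.getLogger("mediation_example")  # hypothetical logger name

# Constructed registry: schemas and endpoint paths are placeholders,
# not the real Itential Platform API.
TOOLS = {
    "get_health": {"tags": {"system"}, "params": {},
                   "method": "GET", "path": "/placeholder/health"},
    "restart_adapter": {"tags": {"adapters"}, "params": {"name": str},
                        "method": "PUT", "path": "/placeholder/adapters/{name}/restart"},
    "get_devices": {"tags": {"devices", "configuration_manager"}, "params": {"limit": int},
                    "method": "GET", "path": "/placeholder/devices?limit={limit}"},
}

class Rejected(Exception):
    """Raised when a tool call fails a mediation check."""

def exposed_tools(include, exclude=()):
    """Assumed semantics: at least one included tag and no excluded tag."""
    return {name for name, tool in TOOLS.items()
            if tool["tags"] & set(include) and not tool["tags"] & set(exclude)}

def mediate(call, subject, include, exclude=()):
    """Validate one structured tool call; return the (method, path) to execute."""
    name, args = call.get("tool"), call.get("arguments", {})
    try:
        if name not in exposed_tools(include, exclude):
            raise Rejected(f"tool not exposed: {name}")
        spec = TOOLS[name]
        if set(args) != set(spec["params"]):
            raise Rejected(f"unexpected or missing parameters: {sorted(args)}")
        for key, typ in spec["params"].items():
            # bool is a subclass of int, so reject it explicitly
            if not isinstance(args[key], typ) or isinstance(args[key], bool):
                raise Rejected(f"wrong type for {key}")
            # identifiers end up in a URL path: allow only [A-Za-z0-9_-]
            if typ is str and not re.fullmatch(r"[A-Za-z0-9_-]+", args[key]):
                raise Rejected(f"invalid characters in {key}")
    except Rejected as exc:
        log.warning(json.dumps({"sub": subject, "tool": name,
                                "decision": "deny", "reason": str(exc)}))
        raise
    log.info(json.dumps({"sub": subject, "tool": name, "decision": "allow", "args": args}))
    return spec["method"], spec["path"].format(**args)
```

Every denial is logged with the caller's subject before the exception propagates, so a rejected call still leaves an audit record.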


Translation Layer

The MCP translates unstructured AI intent into structured platform operations. When an AI requests “Check the health of the platform and restart any failed adapters,” the MCP tool get_health retrieves platform status through parallel authenticated API calls, the response is parsed to identify failed adapters, and restart_adapter is called for each failed adapter with validated adapter IDs and proper API endpoints.

The service layer provides high-level abstractions over raw API calls, handling pagination automatically for large result sets, managing external service execution (Ansible, Python scripts, OpenTofu), and validating data against JSON schemas for stateful resource CRUD operations.



Logging & Traceability

The MCP implements multi-level logging (DEBUG, INFO, WARNING, ERROR, CRITICAL, FATAL) for complete traceability. All inbound AI requests are logged with timestamps, tool invocations recorded with parameters, API responses captured with status codes, and error conditions logged with full context.

Authentication events track JWT verification attempts, platform authentication success/failure, and authorization decisions. Performance metrics capture request processing times, API call latencies, and service execution duration. The audit trail tracks user actions through authentication context, tool usage patterns, infrastructure changes, and compliance-relevant events.

The logging system manages multiple logger hierarchies (itential_mcp, ipsdk, FastMCP/fastmcp) with configurable propagation for troubleshooting.



Real-World Use Cases

Platform Health Monitoring: AI assistant monitors platform health through validated MCP tool calls, identifies failed adapters, and requests restarts – all operations flow through validated, logged tool calls without direct API access.

Network Device Configuration: AI requests device configuration updates through MCP tools that validate configuration data against device schemas, translate to Configuration Manager API calls, and maintain full audit trails – AI never has device credentials or direct device access.

Workflow Orchestration: AI executes complex multi-step automation workflows by triggering validated workflows through MCP tools, with the Itential Platform orchestrating all infrastructure operations using platform-managed credentials while providing job tracking visibility.



Best Practices

Organizations should:

  • Implement the principle of least privilege by configuring tool access based on actual requirements.
  • Use OAuth 2.0 client credentials for production deployments, with credentials stored in secure vaults.
  • Deploy MCPs in management networks with TLS for all transports.
  • Enable comprehensive logging, with monitoring of authentication failures and unusual tool usage patterns.
  • Conduct regular security reviews of tool access configurations and authentication logs.



Conclusion

The Itential MCP provides robust security tooling for an architecture that enables AI-powered automation while maintaining strict control over infrastructure access. Through comprehensive mediation, structured translation, and complete traceability, organizations can confidently deploy AI assistants for network automation without compromising security.

Key security principles include no direct access (AI systems never directly access infrastructure), structured communication (all interactions follow MCP protocol standards), multiple layers of authentication and authorization, complete traceability with full audit trails, and flexible deployment supporting various transport mechanisms and authentication methods.

By implementing these security controls, the Itential MCP provides a safe, auditable bridge between AI capabilities and infrastructure management.



Joksan Flores

Principal Solutions Engineer ‐ Itential

Joksan Flores is a Principal Solutions Engineer at Itential. Joksan's passion for putting both systems and software together led him to spend 10 years as a Networking Architect at Cisco prior to Itential. Throughout his career, Joksan has supported enterprises and service providers with massive customer bases to solve their IT challenges, designing cloud peering connectivity, WAN, and data center networks. While helping organizations solve complex network challenges, Joksan always finds a way to leverage automation, either by devising ways of making work more streamlined or by helping customers achieve their project goals faster.
