Hi Directus team,
I’m working on a multi-user application using Directus + MCP.
My setup:
-
Each user performs certain operations, and
-
Each operation result is stored as a record in a Directus collection.
-
Using Directus access policies, I can manually restrict access so that:
- A user can only retrieve their own records based on primary fields.
The problem (with MCP)
When enabling Directus MCP:
-
MCP resources seem to be globally accessible.
-
If an MCP client (LLM / agent) queries a collection:
- It can retrieve all records, including test runs / operations belonging to other users
-
This breaks user-level isolation in a multi-user environment
So my concern is:
How does Directus MCP enforce access policies per user context?
Heya @Joothis!
MCP enforces access policies the same way the REST and GraphQL endpoints do. It’s all based on the token you use to authenticate. The accountability object (user, role, permissions) from your token gets passed into every operation MCP performs, so row-level filters, field-level restrictions, and collection access all apply as expected.
If you’re seeing all records when querying through MCP, it’s likely that the token you’re using belongs to an admin user or a role that doesn’t have the row-level access filters configured. I’d double check what token your MCP client is using; ideally you’d create a dedicated Directus user per MCP client with the minimal permissions needed, including the “current user” filter on the collections you want to scope.
There’s some more info on this in the MCP Security docs 