16 changes: 13 additions & 3 deletions docs/specification/draft/server/resources.mdx
Expand Up @@ -24,9 +24,13 @@ For example, applications could:
![Example of resource context picker](/specification/draft/server/resource-picker.png)

However, implementations are free to expose resources through any interface pattern that
suits their needs—the protocol itself does not mandate any specific user
suits their needsthe protocol itself does not mandate any specific user
interaction model.

Clients **SHOULD** provide a mechanism—such as a tool—for the language model
to read a resource by URI. Clients **MAY** additionally provide a mechanism for the model
to list available resources.

## Capabilities

Servers that support resources **MUST** declare the `resources` capability:
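Review bot: The new paragraph telling clients they SHOULD give the language model a way "to read a resource by URI" introduces model-initiated reads without pointing to the safeguards this same change adds as item 6 of the security list, so someone implementing from this section alone would miss the confirmation, URI display and logging guidance. Add a cross-reference to that item here. Separately, the rewritten line above it now reads "suits their needsthe protocol itself", with nothing between "needs" and "the". If the dash was removed on purpose, split the text into two sentences, and note that the new paragraph still uses the same dash around "such as a tool".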
Expand All @@ -49,7 +53,7 @@ The capability supports two optional features:
- `listChanged`: whether the server will emit notifications when the list of available
resources changes.

Both `subscribe` and `listChanged` are optional—servers can support neither,
Both `subscribe` and `listChanged` are optionalservers can support neither,
either, or both:

```json
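Review bot: The changed line reads "are optionalservers can support neither", with the two words run together where the dash used to be. Since the sentence already ends in a colon, a full stop works best: "Both `subscribe` and `listChanged` are optional. Servers can support neither, either, or both:".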
Expand Down Expand Up @@ -384,7 +388,7 @@ Clients can use these annotations to:
## Common URI Schemes

The protocol defines several standard URI schemes. This list is not
exhaustive—implementations are always free to use additional, custom URI schemes.
exhaustiveimplementations are always free to use additional, custom URI schemes.

### https://

Expand Down Expand Up @@ -448,3 +452,9 @@ Example error:
4. Resource permissions **SHOULD** be checked before operations
5. Servers **MUST** sanitize file paths to prevent directory traversal attacks
when serving `file://` resources
6. When providing the model with a mechanism to read resources, clients **SHOULD**:
- Prompt for user confirmation before reading sensitive resources
- Show the requested URI to the user before reading, to avoid malicious or accidental
data exfiltration
- Validate resource contents before passing them to the LLM
- Log model-initiated resource reads for audit purposes
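Review bot: In the new item 6, "Validate resource contents before passing them to the LLM" does not say what the contents are validated against, so it cannot be implemented or tested as written. State the intended check (for example size and type limits, or handling the contents as untrusted input) or drop the bullet. "Sensitive resources" in the first bullet is likewise undefined, which leaves a client with no basis for deciding when to prompt. Consider defining it, or requiring the URI to be shown for every model-initiated read. Terminology: this item says "LLM" while the paragraph added near the top of the file says "language model"; pick one.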