ContextQMD
Back to Composio

Enhanced MCP URL Security Requirements

docs/content/changelog/11-05-25.mdx

0.11.12.4 KB
Original Source

We're introducing improved security requirements for Model Context Protocol (MCP) URLs to ensure better isolation between user connections and prevent unauthorized access.

What's Changing?

Starting today, all new Composio projects must include at least one of the following parameters in their MCP URLs:

  • user_id - Identifies the specific user
  • connected_account_id - Identifies the specific connected account

Why This Matters

This change ensures that:

  • User Isolation: Each user's connections remain completely separate from others
  • Enhanced Security: Prevents potential cross-user data access scenarios
  • Better Multi-Tenancy: Enables safer multi-tenant application architectures
  • Explicit Access Control: Forces developers to explicitly specify which user or account context they're operating in

Impact on Existing Projects

For existing projects: We understand the importance of backward compatibility. While we've sent email notifications to project owners about upgrading their MCP URLs, your existing integrations will continue to work until January 15th, 2026.

Important: After January 15th, 2026, MCP URLs without user_id or connected_account_id query parameters will no longer be supported. Please ensure you update your MCP URLs before this date to avoid service disruption.

Note: If your MCP URLs already include either user_id or connected_account_id query parameters, no action is required—you can safely ignore this notice.

Implementation Example

Before:

https://platform.composio.dev/v3/mcp/{id}

After (with user_id):

https://platform.composio.dev/v3/mcp/{id}?user_id=user_123

After (with connected_account_id):

https://platform.composio.dev/v3/mcp/{id}?connected_account_id=ca_xyz

Migration Guide

If you're using an existing project and want to adopt this security enhancement:

  1. Review your current MCP URL configuration
  2. Add either user_id or connected_account_id parameter to your URLs
  3. Update your application code to pass the appropriate identifier
  4. Test the updated URLs in your development environment

For more details on choosing the right user identifiers for your application, see our User Management documentation.

Questions?

If you have any questions about this security enhancement or need assistance with migration, please reach out to our support team or check our MCP documentation.