MCP + x402

MCP Paid-Tool Security Checklist

MCP lets models discover and invoke tools. Paid tools add a second risk: agents can spend money. This checklist combines MCP tool hygiene with x402 payment readiness.

Tool schema must be explicit

MCP tools should expose a clear name, description, inputSchema, and preferably outputSchema so clients know what they are invoking and how to parse results.

Evidence: The MCP tools specification defines tool metadata and structured output patterns.

Fix: Publish inputSchema and outputSchema for every paid tool, then mirror the paid endpoint in OpenAPI or an equivalent descriptor.

Payment must fail closed

A paid MCP tool should not execute before a valid payment or policy decision. The underlying HTTP endpoint should return 402 with x402 metadata when unpaid.

Evidence: Coinbase and Base x402 docs describe the client reading payment requirements from a 402 response before retrying with a signed payment.

Fix: Gate execution behind x402, expose the requirements in accepts[0], and verify with Ontario before listing.
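Added example (not from the x402 or MCP projects, and not this page's own code): a fail-closed gate that runs a paid tool only after a verifier explicitly confirms payment, and otherwise answers 402 with the requirements in accepts[0]. The header name, the requirement and envelope field names other than accepts, the verify callback and all values are assumptions made for illustration.

```python
import base64
import json

# Constructed requirements served as accepts[0]. Field names other than
# `accepts` are assumptions; the address and URL are placeholders.
REQUIREMENTS = {
    "scheme": "exact",
    "network": "base-sepolia",
    "maxAmountRequired": "10000",
    "payTo": "0xPLACEHOLDER",
    "resource": "https://tools.example/api/summarize",
}
PAYMENT_HEADER = "X-PAYMENT"  # assumed header name


def payment_required(reason):
    """Build the 402 answer; x402Version and error are assumed envelope fields."""
    body = {"x402Version": 1, "error": reason, "accepts": [REQUIREMENTS]}
    return {"status": 402, "body": body}


def gate(headers, verify, run_tool):
    """Run run_tool() only after verify() explicitly returns True."""
    raw = headers.get(PAYMENT_HEADER)
    if not raw:
        return payment_required("payment header missing")
    try:
        payload = json.loads(base64.b64decode(raw, validate=True))
    except (ValueError, TypeError):
        return payment_required("malformed payment payload")
    try:
        verdict = verify(payload, REQUIREMENTS)
    except Exception:
        # Verifier outage or timeout: refuse, never fall through to the tool.
        return payment_required("payment verification unavailable")
    if verdict is not True:
        # Truthy-but-not-True values (error strings, dicts) do not count.
        return payment_required("payment rejected")
    return {"status": 200, "body": run_tool()}


if __name__ == "__main__":
    proof = base64.b64encode(json.dumps({"sig": "constructed"}).encode()).decode()
    def verifier_down(payload, requirements):
        raise TimeoutError("constructed outage")
    tool = lambda: {"summary": "constructed result"}
    print(gate({}, verifier_down, tool)["status"])                           # 402
    print(gate({PAYMENT_HEADER: proof}, verifier_down, tool)["status"])      # 402
    print(gate({PAYMENT_HEADER: proof}, lambda p, r: True, tool)["status"])  # 200
```

The check worth copying is the strict `is not True` comparison together with the broad except around the verifier: every path that is not an explicit approval ends in a 402 and the tool body is never reached.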

Humans need control over risky tools

For high-impact paid tools, agents should require review or policy approval before payment.

Evidence: The MCP tools specification emphasizes trust, safety, and user awareness around tool exposure and invocation.

Fix: Use /api/agent/can-pay before spend and require review for endpoints without fresh certification.

Certification should point to evidence

A badge is only meaningful if it links to a public report with score, warnings, history, and signature integrity.

Evidence: Ontario reports expose report_id, score, signals, remediation, integrity, and service profile links.

Fix: Link MCP registry entries to Ontario service profiles and require Ontario Certified x402 for paid-tool promotion.
