MCP Sessions

In addition to regular API Sessions, Wallarm provides dedicated support for Model Context Protocol (MCP) sessions. MCP sessions group MCP tool calls, resource reads, and prompt invocations into logical sessions, giving you visibility into how AI agents interact with MCP servers.

MCP sessions are displayed in a dedicated MCP Sessions tab in Wallarm Console → API Sessions.

Discovered MCP Sessions

How MCP Sessions work

When Wallarm detects MCP traffic (JSON-RPC 2.0 requests with MCP-specific methods), it groups requests into sessions based on the Mcp-Session-Id header — a standard MCP protocol header that identifies a session.

For each MCP session, Wallarm displays:

  • MCP server — the host and path of the MCP server endpoint

  • Session ID — the value of the Mcp-Session-Id header

  • User and Role — extracted from session context if configured

  • Methods — MCP methods called during the session (tools/call, resources/read, prompts/get, etc.)

  • Primitives — names of tools, resources, or prompts accessed during the session

  • Attacks — any attacks detected within the session by MCP mitigation controls or other protection mechanisms

You can click on any session to see the full request sequence, with each request showing its MCP method, primitive name, and request/response details.
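
The grouping described above can be reproduced offline to sanity-check what a session should contain. The following is an added example, not Wallarm's implementation: the request record shape, the method allow-list, and the sample traffic are assumptions, and the primitive name is taken from `params.name` (tools, prompts) or `params.uri` (resources) as defined by the MCP specification.

```python
import json
from collections import defaultdict

# MCP methods that address a named primitive, and the params key holding its
# name (per the MCP specification: tools and prompts use "name", resources "uri").
PRIMITIVE_KEY = {"tools/call": "name", "prompts/get": "name", "resources/read": "uri"}
MCP_PREFIXES = ("tools/", "resources/", "prompts/", "notifications/")  # assumed allow-list
MCP_EXACT = {"initialize", "ping"}

def parse_mcp(body):
    """Return the JSON-RPC message if the body looks like an MCP request, else None."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return None
    method = msg.get("method")
    if isinstance(method, str) and (method in MCP_EXACT or method.startswith(MCP_PREFIXES)):
        return msg
    return None

def group_sessions(requests):
    """Group MCP requests by (host, path, Mcp-Session-Id); collect methods and primitives."""
    sessions = defaultdict(lambda: {"methods": [], "primitives": set()})
    for req in requests:
        msg = parse_mcp(req.get("body"))
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}  # case-insensitive
        sid = headers.get("mcp-session-id")
        if msg is None or sid is None:
            continue  # not MCP traffic, or sent before a session ID was issued
        entry = sessions[(req["host"], req["path"], sid)]
        entry["methods"].append(msg["method"])
        params, key = msg.get("params"), PRIMITIVE_KEY.get(msg["method"])
        if key and isinstance(params, dict) and isinstance(params.get(key), str):
            entry["primitives"].add(params[key])
    return dict(sessions)

# Constructed sample traffic (not captured from a real deployment): (session id, body).
SAMPLE = [{"host": "mcp.example.com", "path": "/mcp", "headers": {"Mcp-Session-Id": sid}, "body": body}
          for sid, body in [
    ("sess-A", '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"get_weather","arguments":{"city":"Oslo"}}}'),
    ("sess-A", '{"jsonrpc":"2.0","id":2,"method":"resources/read","params":{"uri":"file:///notes.txt"}}'),
    ("sess-B", '{"jsonrpc":"2.0","id":1,"method":"prompts/get","params":{"name":"summarize"}}'),
    ("sess-A", '{"jsonrpc":"2.0","id":3,"method":"eth_call","params":[]}'),  # JSON-RPC, but not an MCP method
    ("sess-B", '{"user":"alice"}'),  # ordinary REST body, ignored
]]
```

Calling `group_sessions(SAMPLE)` yields two sessions keyed by server and session ID; the non-MCP requests are dropped even though they carry the same header.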

Requirements

MCP Session Configuration

MCP sessions are detected automatically — the Wallarm node recognizes MCP traffic by JSON-RPC 2.0 patterns and groups requests into sessions using the standard Mcp-Session-Id header. No manual configuration is required for basic MCP session detection.

When API Discovery detects an MCP server, it automatically creates an MCP Session Configuration with default rules (extracting session ID from the Mcp-Session-Id header). You can view and customize these auto-created configurations or create new ones manually.

You can optionally add MCP session context parameters to extract additional information from MCP traffic, such as user identity and role. This enables:

  • User and role display in MCP session details

  • Filtering MCP sessions by user or role

  • User- and role-based ACL policies

MCP user and role

MCP sessions have their own user and role, separate from the HTTP-level user. A single AI agent may interact with multiple MCP servers using different identities. The extracted MCP user and role are written into the standard session user/role fields for display and filtering.

To configure MCP session context parameters:

  1. Go to Wallarm Console → API Sessions → click Session context parameters.

  2. Switch to the MCP Sessions tab.

  3. Select an existing MCP server (auto-created by API Discovery) or click Add MCP Session config to add a new one manually. For a new server, specify:

    • Host — the hostname of your MCP server (e.g., mcp.example.com)
    • Location — the path to the MCP endpoint (e.g., /mcp or /sse)
  4. Within the selected MCP server configuration, add context parameters. Each parameter specifies a request/response location and its type:

    | Type | Description |
    | --- | --- |
    | MCP Session ID | Location of the session identifier. By default, the node uses the Mcp-Session-Id header. Set this only if your MCP server uses a non-standard session ID location. |
    | MCP User | Location of the user identifier (e.g., a JWT claim or a custom header). |
    | MCP Role | Location of the user role (e.g., a JWT claim). |
  5. Click Save.

Exploring MCP Sessions

MCP sessions can be explored in the MCP Sessions tab in Wallarm Console → API Sessions. Like regular API sessions, MCP sessions are split into daily parts and stored for 7 days. The tab provides the same capabilities as regular API Sessions (except CSV export, which is not available for MCP sessions):

  • Filter sessions by time range, user, role, MCP server, or attack type

  • View the full sequence of requests within a session

  • Inspect request and response details for each MCP call

  • Navigate to the attack details and the mitigation control that triggered detection

When viewing request details within an MCP session, the following MCP-specific information is displayed:

  • MCP method — the JSON-RPC method (e.g., tools/call, resources/read)

  • Primitive name — the tool, resource, or prompt name

  • Arguments — the parameters passed to the tool call (for tools/call requests)

MCP session details

Viewing attacks in MCP Sessions

Attacks detected by MCP mitigation controls are displayed directly within the MCP session where they occurred. In the request details, you can see:

  • The attack type (ACL Violation, MCP Request Verification Failure, Invalid Tool Call)

  • A link to the mitigation control that triggered the detection

  • The full request content that caused the violation