A demonstration of enhanced cryptographic authorization using Biscuit tokens with mTLS client certificates, Model Context Protocol (MCP) servers, and PostgreSQL Row-Level Security.
This proof of concept shows how Biscuit tokens combined with mTLS client certificates can provide enterprise-grade, cryptographically secure authorization for database access through MCP servers. Unlike traditional bearer tokens, this enhanced security model provides 4 layers of defense with transport security, token cryptography, database privileges, and row-level filtering.
- π Enhanced mTLS + Biscuit Security: 4-layer defense-in-depth architecture
- π‘οΈ Client Certificate Validation: Identity-based access control with mTLS
- π Data Taint Protection: Token attenuation to prevent data exfiltration
- π€ Interactive Text-to-SQL: Natural language queries via Claude API integration
- π Healthcare Demo: Simulated patient data access control scenario
- π Comprehensive Testing: Automated and manual security validation
Client + mTLS Certificate + Enhanced Biscuit Token
β
mTLS Transport Security
β
Custom mTLS HTTP Server
β
Client Certificate + Token Verification
β
MCP Server Integration
β
PostgreSQL Database (RLS Policies)
β
Filtered Results Based on Token Facts
- mTLS Transport Layer: Client certificate authentication and identity verification
- Cryptographic Token Layer: Biscuit token signature verification and attestation validation
- Database Privilege Layer: PostgreSQL user privileges and access controls
- Row-Level Security Layer: Fine-grained data filtering based on token facts
This PoC implements data taint tracking to prevent data exfiltration via internet-accessible tools:
- Problem: Once sensitive data is fetched from the database, it could be sent to external services (HIPAA compliance APIs, internet endpoints, etc.)
- Solution: After fetching sensitive data, the database server attenuates the Biscuit token by adding a
sensitive_data=1fact in a new block - Enforcement: Internet-accessible servers (like HIPAA compliance checker) reject any requests from tainted tokens
- Result: Guarantees that no tool capable of accessing the internet can be called after fetching sensitive data
Data Taint Workflow:
1. Clean Token β Database Query β Success
2. Database returns data + Attenuated Token with sensitive_data=1
3. Attenuated Token β Internet Tool β REJECTED (π Data exfiltration prevented!)
4. Clean Token β Internet Tool β Allowed (normal operation)
This creates an information flow control mechanism where tokens carry evidence of having accessed sensitive data, preventing accidental or malicious data exfiltration.
- Enhanced Biscuit Generator: Creates tokens with mTLS attestation blocks
- Custom mTLS Server: Direct SSL certificate access with identity-based authorization
- mTLS + Biscuit Validator: Dual-layer security verification system
- PostgreSQL Integration: Row-Level Security policies for fine-grained access
- Interactive Demo: Text-to-SQL with Claude API integration
- Python 3.13+
- PostgreSQL database with pgAdmin4 (recommended)
- Anthropic API key
- uv package manager
Follow the setup instructions in [SCRIPT.md]
MCP-biscuit-PoC/
βββ π README.md # Project overview (this file)
βββ π SCRIPT.md # Step-by-step setup guide
βββ π SECURITY.md # Technical security deep dive
βββ π MTLS_IMPLEMENTATION.md # mTLS technical documentation
βββ π demo_magic_security.sh # Main demo script for presentations
βββ π§ pyproject.toml # Python dependencies
βββ π biscuit_parser_module.py # Core biscuit token operations
βββ π οΈ utilities/ # Token generation and parsing tools
βββ π₯οΈ server/ # MCP server, mTLS proxy and implementation
βββ π certs/ # Certificate Authority and mTLS certificates
βββ π₯ example-clients/ # Demo client applications
βββ πΎ database/ # Database setup scripts
demo_magic_security.sh: Main interactive demo script for presentationsbiscuit_parser_module.py: Core Biscuit token parsing and validationutilities/biscuit_generator.py: Token generation with custom facts and rulesserver/app.py: Main MCP server with PostgreSQL integrationserver/mtls_proxy.py: mTLS proxy server for secure transportserver/tools/query.py: Database query execution with Biscuit token authenticationexample-clients/claude_cli_tls.py: TLS-enabled MCP client with Claude API
Enhanced Token = {
Original Facts: [patient_name("Erin oRTEga")],
mTLS Attestation: [
mtls_client("claude-client"),
mtls_audience("mcp-server"),
attestation_time(1234567890)
],
Rules: [allow($user, $resource, $operation) <- ...],
Checks: [
check if user("alice"),
check if mtls_client("claude-client"),
check if mtls_audience("mcp-server")
],
Signature: cryptographic_signature
}
- mTLS Transport Security: Client certificate authentication prevents unauthorized network access
- Cryptographic Token Verification: Biscuit signatures prevent token tampering and ensure authenticity
- Database User Privileges: Restricted PostgreSQL accounts limit system capabilities
- Row-Level Security: PostgreSQL policies filter data based on verified token context
- Client connects with mTLS certificate + Enhanced Biscuit token
- Server validates client certificate identity (transport layer)
- Server verifies Biscuit token cryptographically (token layer)
- Server validates mTLS attestation matches actual client identity (attestation layer)
- Token facts extracted and applied as PostgreSQL session parameters (database layer)
- Database RLS policies filter results based on verified session context
- Only multiply-authorized data returned to client
# Start the comprehensive interactive security demo
./demo_magic_security.sh# Test authorized access with Biscuit tokens
uv run python example-clients/claude_cli.py "Show me all medical records for patient Erin oRTEga"
# Test with TLS-enabled client
uv run python example-clients/claude_cli_tls.py "Show me all medical records for patient Erin oRTEga"# Inspect Biscuit tokens and their facts
uv run python utilities/biscuit_parser_cli.py TOKEN --public-key KEY --analyze# Start the MCP server
PYTHONPATH=. uv run python server/app.py
# Start the mTLS proxy server
PYTHONPATH=. uv run python server/mtls_proxy.py
# Test server endpoints with curl (requires client certificate)
curl -k --cert certs/claude-client-cert.pem --key certs/claude-client-key.pem \
https://localhost:8443/sse- SCRIPT.md: Complete setup guide with step-by-step instructions
- SECURITY.md: Technical deep dive into the security architecture
- MTLS_IMPLEMENTATION.md: mTLS technical documentation and architecture
- DATA_TAINT_PROTECTION.md: Data exfiltration prevention and information flow control
- PART3_TESTING_GUIDE.md: Manual testing procedures and validation
- Code Comments: Inline documentation throughout the codebase
This PoC demonstrates several important concepts:
- Enhanced Authorization: Combining mTLS certificates with cryptographic tokens for multi-layer security
- Defense-in-Depth Security: 4 independent security layers that must all validate successfully
- Zero-Trust Architecture: Never trust, always verify at transport, token, database, and row levels
- Certificate-Based Identity: Using client certificates for cryptographically-verified identity
- Cryptographic Attestation: Tokens that prove specific client-server relationships
- Database Security Integration: Seamlessly combining application tokens with database-native security
- AI Security: Securing AI-powered natural language database queries with comprehensive access control
# Add new authorized client certificates
./certs/create-client-cert.sh new-client-name
# Update server/tls_config.py authorized_clients listfacts = ['patient_name("Erin oRTEga")', f'expiry({int(expiry.timestamp())})']
checks = ['check if time($time), expiry($exp), $time <= $exp']facts = ['user("alice")', 'role("nurse")', 'department("cardiology")',
'mtls_client("nurse-workstation")', 'mtls_audience("mcp-server")']
rules = ['allow($u, $r, "read") <- user($u), role("nurse"), resource($r)']# Different client identities for testing
workstation_token = generator.add_mtls_attestation_block(token, "workstation-1", "mcp-server")
mobile_token = generator.add_mtls_attestation_block(token, "mobile-client", "mcp-server")This project demonstrates concepts for educational purposes. Feel free to:
- π Report issues or bugs
- π‘ Suggest improvements to the security model
- π Improve documentation
- π§ͺ Add new test scenarios
See LICENSE file for details.
Built with: Python 3.13, FastMCP, PostgreSQL, Biscuit-python, Anthropic Claude API
Demonstrates: Enhanced mTLS + Biscuit security, Row-level security, Defense-in-depth architecture, Certificate-based identity, AI-powered secure database access