What is MCP Capability Negotiation?

MCP Capability Negotiation is the handshake at the start of every MCP session where the client and server agree on which features they each support. The client sends an initialize request listing its capabilities (sampling, roots, experimental features), and the server responds with its own (tools, resources, prompts, listChanged notifications). Both sides also confirm the protocol version. Only after this handshake do tool calls and resource fetches start flowing. Capability negotiation matters for security because it defines the trust contract for the rest of the session. A server that over-declares capabilities, or a client that doesn’t validate the server’s declarations, hands the attacker the keys to the rest of the conversation.

How Capability Negotiation Works

The client opens the connection and sends initialize with its capabilities object. The server responds with its own capabilities object plus the chosen protocol version. The client then sends an initialized notification to confirm. From that point on, both sides know exactly which methods are valid. If the server didn’t declare the prompts capability, the client won’t call prompts/list. If the client didn’t declare sampling, the server won’t ask the client to run an LLM completion on its behalf. The whole exchange takes one round trip.

Why Capability Negotiation Matters for Least Privilege

MCP-38 research flagged capability negotiation as a least-privilege violation surface. A malicious server can declare every capability under the sun, including sampling, which lets it ask the client to run LLM completions using the user’s model and credits. A poorly coded client may accept these declarations without question, expanding the server’s reach far beyond what the user approved. The negotiation also has no cryptographic binding, which means a man-in-the-middle on Streamable HTTP without TLS could swap the declarations entirely.

How to Secure Capability Negotiation

Always run Streamable HTTP over TLS. Validate that the server’s declared capabilities match what the user actually approved. Show a clear UI summary of what the server is asking for, the way browser permission prompts do for cameras and microphones. Refuse capabilities you don’t understand instead of defaulting to allow. Log every initialize handshake for audit trails. The Certified MCP Security Expert (CMCPSE) certification covers initialize-time attacks and the controls that stop them.
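The following is an added example, not code from the original article or from any MCP SDK. It simulates the initialize round trip described above (client request, server result, initialized notification) and then applies the controls from this section on the client side: the server's declared capabilities are checked against a user-approved set, any capability the client does not understand causes the handshake to be refused, a protocol version mismatch is refused, and every handshake is recorded in an audit list. The protocol version string, the capability and method names, and the client and server info values are assumptions chosen for the example; the client deliberately grants only the intersection of what the server declared and what the user approved, and logs the rest as dropped.

```python
from dataclasses import dataclass, field

# Assumed protocol version string for this example; a real client uses the
# version of the MCP spec revision it implements.
PROTOCOL_VERSION = "2025-03-26"

# Server-side capability keys this example client knows how to drive.
# Anything else is "not understood" and is refused rather than allowed.
KNOWN_SERVER_CAPABILITIES = {"tools", "resources", "prompts", "logging"}

# Which server capability each request method depends on (constructed subset).
METHOD_CAPABILITY = {
    "tools/list": "tools", "tools/call": "tools",
    "resources/list": "resources", "resources/read": "resources",
    "prompts/list": "prompts", "prompts/get": "prompts",
}


class HandshakeRejected(Exception):
    """Raised when the server's initialize result fails validation."""


@dataclass
class Session:
    granted: set = field(default_factory=set)   # capabilities the client will actually use
    audit: list = field(default_factory=list)   # handshake audit trail

    def allows(self, method):
        """True only if the method's capability was both declared and user-approved."""
        needed = METHOD_CAPABILITY.get(method)
        return needed is not None and needed in self.granted


def client_initialize_request(request_id, client_capabilities):
    return {"jsonrpc": "2.0", "id": request_id, "method": "initialize",
            "params": {"protocolVersion": PROTOCOL_VERSION,
                       "capabilities": client_capabilities,
                       "clientInfo": {"name": "example-client", "version": "0.1"}}}


def server_initialize_result(request_id, server_capabilities, protocol_version):
    return {"jsonrpc": "2.0", "id": request_id,
            "result": {"protocolVersion": protocol_version,
                       "capabilities": server_capabilities,
                       "serverInfo": {"name": "example-server", "version": "0.1"}}}


def initialized_notification():
    return {"jsonrpc": "2.0", "method": "notifications/initialized"}


def run_handshake(server_capabilities, user_approved, client_capabilities=None,
                  server_protocol_version=PROTOCOL_VERSION):
    """Simulate one initialize round trip and validate the server's declarations.

    user_approved is the set of server capabilities the user consented to.
    Returns a Session holding only the granted capabilities, or raises.
    """
    session = Session()
    request = client_initialize_request(
        1, client_capabilities or {"roots": {"listChanged": True}})
    # A real client sends this over the transport; here the "server" answers inline.
    response = server_initialize_result(request["id"], server_capabilities,
                                        server_protocol_version)
    result = response["result"]
    declared = set(result.get("capabilities", {}))
    entry = {"declared": sorted(declared), "approved": sorted(user_approved)}
    session.audit.append(entry)  # logged before any decision, so refusals are recorded too

    if result.get("protocolVersion") != PROTOCOL_VERSION:
        entry["outcome"] = "rejected: protocol version mismatch"
        raise HandshakeRejected(entry["outcome"])

    unknown = declared - KNOWN_SERVER_CAPABILITIES
    if unknown:  # refuse what we don't understand instead of defaulting to allow
        entry["outcome"] = f"rejected: unknown capabilities {sorted(unknown)}"
        raise HandshakeRejected(entry["outcome"])

    session.granted = declared & user_approved      # least privilege: approved subset only
    entry["granted"] = sorted(session.granted)
    entry["dropped"] = sorted(declared - user_approved)
    entry["outcome"] = "accepted"
    session.audit.append(initialized_notification())  # client confirms only after validation
    return session


def handshake_outcome(server_capabilities, user_approved, **kwargs):
    """Convenience wrapper returning the audit outcome string instead of raising."""
    try:
        return run_handshake(server_capabilities, user_approved, **kwargs).audit[0]["outcome"]
    except HandshakeRejected as exc:
        return str(exc)


if __name__ == "__main__":
    print(handshake_outcome({"tools": {}, "prompts": {}}, {"tools"}))
    print(handshake_outcome({"tools": {}, "sampling": {}}, {"tools"}))
```

With a server that declares tools and prompts but a user who approved only tools, the session grants tools alone, so `allows("prompts/list")` is false even though the server offered it. A server that declares a key the client does not implement is refused outright rather than silently tolerated, which is the "refuse what you don't understand" rule from this section applied at the only point where the client can still walk away cheaply.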

Summary

MCP Capability Negotiation is the initialize-time handshake that decides what a session can and cannot do. Skip validation here and over-privileged servers walk in unchallenged. The Certified MCP Security Expert (CMCPSE) certification teaches engineers to design capability negotiation flows that respect least privilege and survive real-world adversarial servers.
