Define a minimal tool set for your commerce MCP server: separate read-only tools (search_catalog, get_product, get_inventory, get_policy) from write tools (add_to_cart, update_cart, initiate_checkout) and never bundle both into a single tool — this limits the blast radius if an agent is prompt-injected into issuing unintended write calls
Implement OAuth 2.0 authentication on your MCP server; the SentinelOne MCP Security report (2026) found 41% of public MCP servers had no authentication — unauthenticated commerce MCP servers allow any agent to read pricing and inventory data or initiate carts under any buyer identity
Scope OAuth tokens to the minimum required actions: a catalog-reading agent should receive a read-only token, and a checkout-completing agent should receive a scoped write token that expires after a single session and cannot be used to modify orders that have already been placed
Validate every inbound tool call for expected parameter shape and range before executing it against your commerce backend; MCP tool poisoning attacks craft malformed parameters designed to trigger backend errors that leak system state — reject unexpected fields rather than passing them through
Log all MCP tool invocations with the agent identity (from the OAuth token), tool name, input parameters (sanitized of any credential fields), and the response status; this log is your audit trail for agent-initiated order anomalies
Conduct regular security reviews against the OWASP guidance for MCP servers; BlueRock Security found 36.7% of public MCP servers carried SSRF vulnerabilities — review all URL or redirect parameters accepted by your tools for server-side request forgery exploitability
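The tool separation, token scoping, strict parameter validation and sanitized audit logging described in the points above, combined into one inbound-call gate. This is an added example, not code from the original page or from any MCP SDK; the tool spec, scope names and SKU format are constructed assumptions.

```python
"""Hypothetical inbound-call gate for a commerce MCP server (added example)."""
import re

# Constructed registered spec: tool -> (category, {param: (type, range check)}).
# Read-only and write tools are separate entries; no tool does both.
SKU = re.compile(r"[A-Z0-9-]{3,32}").fullmatch
TOOL_SPEC = {
    "get_product":   ("read",  {"sku": (str, SKU)}),
    "get_inventory": ("read",  {"sku": (str, SKU)}),
    "add_to_cart":   ("write", {"sku": (str, SKU),
                                "quantity": (int, lambda q: 1 <= q <= 50)}),
}
# Field names that must never reach the audit log in clear text (assumed list).
SENSITIVE = {"token", "password", "card_number"}


def validate_call(tool, params, token_scopes):
    """Return (ok, reason). Rejects unknown tools, calls the token is not
    scoped for, unexpected fields, wrong types and out-of-range values
    before anything is forwarded to the commerce backend."""
    if tool not in TOOL_SPEC:
        return False, "unknown tool"
    category, schema = TOOL_SPEC[tool]
    if category not in token_scopes:
        return False, f"token lacks '{category}' scope"
    extra = set(params) - set(schema)
    if extra:  # reject, never silently drop or pass through
        return False, f"unexpected fields: {sorted(extra)}"
    for name, (ptype, check) in schema.items():
        if name not in params:
            return False, f"missing field: {name}"
        value = params[name]
        # 'type(...) is' (not isinstance) so a bool is not accepted as an int
        if type(value) is not ptype or not check(value):
            return False, f"invalid value for {name}"
    return True, "ok"


def audit_record(agent_id, tool, params, status):
    """Audit-log entry: agent identity (from the OAuth token), tool name,
    parameters with credential-looking fields masked, and response status."""
    safe = {k: ("***" if k.lower() in SENSITIVE else v) for k, v in params.items()}
    return {"agent": agent_id, "tool": tool, "params": safe, "status": status}
```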
Known gotchas
MCP tool descriptions visible to the LLM are a social engineering surface; a malicious upstream MCP server whose tool descriptions instruct the LLM to exfiltrate data via a commerce tool parameter is a real threat class documented in 2025 — validate tool descriptions against your registered spec and reject deviations
The first malicious MCP package was discovered September 2025 and operated undetected for two weeks; use a dependency scanning tool on your MCP server's npm or PyPI dependency tree and pin dependency versions to avoid supply-chain substitution attacks
Commerce MCP servers that expose a checkout tool without requiring a human confirmation step can be coerced by a prompt injection into completing unauthorized purchases; require an explicit buyer-authorization call (e.g., via Link OAuth or an SMS OTP) before any checkout-completing tool is executable