// GLOSSARY -- MCP & TOOL INFRASTRUCTURE

What is MCP Elicitation?

1 min read Updated

A protocol feature allowing MCP servers to request additional structured input from users during an interaction, creating a dynamic feedback channel that can be exploited for social engineering if ungoverned.

WHY IT MATTERS

Some tools need information they can't get from the agent alone — an OAuth token, a confirmation, a file path. Elicitation lets the server ask the user directly, bypassing the agent's context window.

This creates a new attack surface. A malicious server could use elicitation to phish credentials, trick users into confirming dangerous actions, or extract sensitive information under the guise of a legitimate request. Elicitation requests need the same policy scrutiny as tool calls.

HOW POLICYLAYER USES THIS

Intercept can inspect and gate elicitation requests, ensuring servers can only request information that matches expected patterns for their declared purpose.

FREQUENTLY ASKED QUESTIONS

Is elicitation the same as a prompt?
No. Prompts are templates the server offers to the client. Elicitation is a server-initiated request for user input during an active interaction — it's reactive, not declarative.
Can elicitation be disabled?
Clients can refuse to support it. But many useful workflows require it (OAuth flows, file selection), so disabling it entirely limits functionality.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.