// GLOSSARY -- MCP & TOOL INFRASTRUCTURE

What are MCP Roots?

2 min read Updated

MCP roots are filesystem boundaries that a client exposes to servers, defining which directories and files a server is meant to operate within. Servers retrieve them with a roots/list request and are notified of changes via notifications/roots/list_changed.

WHY IT MATTERS

Roots give a server a declared working scope — typically the user's current project or workspace. Clients that support them MUST declare the roots capability during initialisation, with listChanged indicating whether the client will emit change notifications. The server then sends a roots/list request and receives a list of root objects, each with a uri (which must be a file:// URI in the current spec) and an optional human-readable name.

Clients commonly populate roots from a workspace or project picker, or detect them automatically from version control. When the user switches projects, the client sends notifications/roots/list_changed and the server re-queries.

The crucial caveat: roots are advisory, not enforcement. The spec says servers SHOULD respect root boundaries and validate paths against the provided roots — but nothing in the protocol prevents a misbehaving or malicious server from reading paths outside them. The spec's security guidance puts obligations on both sides: clients must only expose roots with appropriate permissions, validate root URIs against path traversal, and prompt users for consent before exposing roots; servers should check for the capability, handle roots becoming unavailable, and respect the boundaries in every operation.

Roots are therefore best understood as a scoping contract that well-behaved servers honour, to be combined with real controls — sandboxing, least privilege, and policy enforcement — rather than relied on alone.

See mcp roots working in your own stack — route your MCP servers through PolicyLayer and every tool call is checked against policy before it runs.

GOVERN YOUR MCP SERVERS →

Enforced before the call runs. Nothing to install.

HOW POLICYLAYER USES THIS

PolicyLayer treats declared scope and enforced scope as different things. The catalogue's per-tool risk classification at policylayer.com/tools flags filesystem-capable tools regardless of what roots a client might declare, and gateway policies can deny or log tool calls whose arguments reach outside an approved scope — deterministic enforcement rather than a convention the server is trusted to follow.

Browse the MCP server catalogue →

FREQUENTLY ASKED QUESTIONS

Do MCP roots enforce filesystem access control?
No. Roots tell servers where they are meant to operate, and the spec says servers should respect those boundaries — but compliance is voluntary. Enforcement requires OS-level sandboxing or a policy layer in the request path.
What URI schemes can a root use?
In the current specification a root URI must be a file:// URI. Each root may also carry an optional display name.
How does a server learn that the roots changed?
Clients that declared listChanged must send notifications/roots/list_changed when the list changes; the server then issues a fresh roots/list request.

FURTHER READING

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

GOVERN YOUR MCP SERVERS →

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.