Why this matters
Without identity context, an MCP tool has no way to distinguish one user from another. Every request looks the same. This means either everyone sees everything (a security problem) or the tool has to ask the LLM for user identification (unreliable and gameable). Agent Session Parameters solve this by establishing identity at the infrastructure level, outside the LLM’s control. The user’s identity comes from authenticated session data, not from what the LLM decides to pass. The LLM never sees these headers and cannot tamper with them. This is especially important for:- Multi-tenant applications. Your MCP server needs to return only data that belongs to the requesting user’s organization, not data from other tenants.
- Role-based access. A regular user asking “show me my reviews” should see their own reviews. A manager asking “show me my team’s reviews” should see their direct reports’. An admin should see everyone’s.
- Audit trails. Knowing which user triggered which tool call is essential for compliance and debugging. The headers provide this without relying on the LLM to report it accurately.
- Data minimization. Your MCP server can filter results at the source, returning only what the user is entitled to see, before the data ever reaches the LLM.
The headers your MCP server receives
Every MCP tool request from the Mindset AI platform includes these HTTP headers:
These headers are set by the platform based on authenticated session data. They are not generated by the LLM and cannot be influenced by user messages or prompt injection.
How session parameters are established
Session parameters are set once, when the client application creates an agent session via the AgentSessions API, before any conversation happens.
The structural fields (
contextUids, mcpserverUids) configure the agent’s capabilities for the session. The identity fields (externalUserId, tags) travel with every tool request as headers.
How session parameters compare to other data channels
Agent Session Parameters are one of four channels for passing data from the client to the agent system:
The boundaries are clean: identity goes through session parameters, reasoning context goes through Situational Awareness, and bulk data goes through Pass-through Parameters. They do not overlap.
See Data channels overview for the full four-channels picture, including Page Tools.
Implementation guide
Reading headers in your MCP server
Every MCP tool request arrives with the identity headers. How you access them depends on your framework. Python (FastMCP):Who is the user? Headers vs parameters
Most tools act on behalf of the requesting user: “show me my records”, “update my settings”, “search my documents.” For these, the user’s identity comes from thex-user-id header. The tool does not need a user ID parameter because the platform already knows who is asking.
x-user-id is the trusted identity of the person making the request. It comes from authenticated session data that the LLM cannot influence. Use it for authorization decisions. When a tool needs to reference a different user (admin scenarios), accept that as a parameter but always verify that the requester has permission first.
Using session tags for entitlement filtering
Session tags are arbitrary strings that you define. The Mindset AI platform passes them through without interpreting them. This gives you a flexible mechanism for access control, segmentation, and filtering. Setting tags at session creation:
Tags are strings with no enforced structure. The
key:value convention shown above is a recommendation, not a requirement. Your MCP server defines what tags mean and how to interpret them.
Security considerations
Your MCP server is the authorization boundary
The Mindset AI platform authenticates the request (validates the API key, attaches identity headers) but does not authorize it. Authorization is your MCP server’s responsibility. The platform tells you who the user is; you decide what they can see and do. This means:- Filter data at the source. Do not return all records and rely on the LLM to filter. The LLM sees everything you return and might choose to reveal it to the user.
- Validate permissions before acting. Check
x-user-idandx-session-tagsbefore performing write operations. - Return only what is needed. Follow the principle of least privilege. If the user asked about their own profile, return their profile, not everyone’s.
What the LLM sees
The LLM sees the tool’s response in full. Whatever your MCP server returns becomes part of the LLM’s context, and the LLM may surface any of it in conversation. If there is information you never want a user to see, do not make it available to the LLM. This applies to MCP server responses, tool outputs, and any other data that enters the agent’s context. LLMs are not reliable keepers of secrets. This is not a prohibition on returning sensitive data. If your use case requires it, that is your decision. But make it a conscious one, with an understanding of where that data ends up.Header trust model
Thex-user-id, x-app-uid, and x-session-tags headers are set by the Mindset AI platform based on authenticated session data. They are trustworthy as long as:
- Your MCP server validates the API key (Bearer token) via the authentication middleware. This confirms the request came from the Mindset AI platform, not from an arbitrary caller.
- You do not expose your MCP server endpoint publicly without API key validation.
Quick reference
Related
Data channels overview
The four channels in context, including how session parameters relate to the others.
Situational Awareness
Per-message context for the LLM.
Pass-through Parameters
Direct data injection into tool calls.
AgentSessions API
How to create sessions with parameters.