MCP Advanced: Roots, File System Access, Path Permissions, Security Boundaries

Understand the importance of security in MCP with a focus on file system access, path permissions, and security boundaries. This section dives into best practices for maintaining robust security protocols within your applications.

Nortren·

What are roots in MCP and what problem do they solve?

Roots are the mechanism by which an MCP client tells a server which files and folders on the user's local machine are in scope for it. Without roots, when a user asks Claude to convert a file, the server has no sanctioned place to look: it cannot search the entire file system to find where that file lives, so the user would need to supply the full path every time, which is not user-friendly. With roots, the client declares which directories are accessible. A tool on the server can then request the root list from the client (list_roots), discover the approved directories, and search within them to find the requested file automatically.

How does the roots workflow function in practice?

The workflow has four steps. First, the user makes a request involving a file, such as asking to convert a video. Second, the server asks the client for its roots (list_roots) to discover which directories are in scope. Third, Claude calls a directory-reading tool over those directories to locate the specific file. Fourth, once the file is found, Claude calls the appropriate tool with its full path. All of this is transparent to the user, who can refer to files by name without providing complete paths; the roots mechanism handles the discovery.

How do roots provide security boundaries for MCP servers?

Roots limit file access to the directories the user has explicitly approved, provided the server checks every requested path against them. If you grant access only to your Desktop folder, the server must refuse to touch files in Documents, Downloads, or any other location. When a tool is asked for a file outside the approved roots, it returns an error, and Claude can inform the user that the file is not accessible from the current server configuration. This prevents accidental access to sensitive files and gives users granular control over what each MCP server can see and interact with. Note that the boundary is cooperative: roots constrain a well-behaved server's own path checks, not the operating-system permissions the server process runs with, so a server that skips the check is not contained by them.

Does the MCP SDK automatically enforce root restrictions?

No, the MCP SDK does not automatically enforce root restrictions; you implement this yourself in your server code. A typical pattern is a helper such as is_path_allowed that takes a requested file path, retrieves the list of approved roots from the client, checks whether the requested path falls within one of those roots, and returns true or false. Do the comparison on resolved absolute paths (with .. collapsed and symlinks followed) rather than on raw string prefixes, or a path like Desktop/../Documents/secret.txt passes a naive check. Call the helper in every tool that reads or writes files or directories before performing the actual operation. The enforcement is a convention, not a built-in security layer.
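The discovery step of the workflow and the is_path_allowed check described above, as an added example (not the course's own code and not part of the MCP SDK). It assumes roots arrive as file:// URIs, which is what the roots/list request returns, and uses only the standard library so it runs without an MCP client attached; the directory layout it builds is constructed sample data. The helper names roots_to_dirs, is_path_allowed and find_in_roots are this example's own.

```python
"""Root enforcement for an MCP file-serving tool (added example, not the course's code).

The MCP SDK hands a server the client's roots as file:// URIs (via the
roots/list request) but does not check paths against them.  The helpers
below do that check the safe way: resolve both sides to real absolute
paths first, so ".." segments and symlinks cannot escape a root.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse


def roots_to_dirs(root_uris: list[str]) -> list[Path]:
    """Turn file:// root URIs (as returned by roots/list) into resolved directories.

    Non-file URIs are ignored: a root must be something the server can
    actually locate on disk.
    """
    dirs = []
    for uri in root_uris:
        parsed = urlparse(uri)
        if parsed.scheme != "file":
            continue
        dirs.append(Path(unquote(parsed.path)).resolve())
    return dirs


def is_path_allowed(requested: str | os.PathLike[str], root_dirs: list[Path]) -> bool:
    """True iff `requested` lies inside one of `root_dirs` after resolution.

    Path.resolve() collapses ".." and follows symlinks (non-strict, so it
    also works for output files that do not exist yet), so a target that
    only *looks* like it is under a root is rejected.  A plain string prefix
    check would accept "Desktop/../Documents/secret.txt".
    """
    target = Path(requested).resolve()
    return any(target == root or root in target.parents for root in root_dirs)


def find_in_roots(filename: str, root_dirs: list[Path]) -> list[Path]:
    """Workflow step 3: locate `filename` by searching only the approved roots.

    os.walk does not descend into symlinked directories by default, and
    every hit is re-checked with is_path_allowed, so a symlink planted
    inside a root cannot drag the search (or its result) outside the boundary.
    """
    hits = []
    for root in root_dirs:
        for dirpath, _dirnames, filenames in os.walk(root):
            if filename in filenames:
                candidate = Path(dirpath) / filename
                if is_path_allowed(candidate, root_dirs):
                    hits.append(candidate.resolve())
    return hits


def demo() -> dict[str, object]:
    """Build a throwaway layout (constructed sample data) and exercise the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp).resolve()
        desktop = home / "Desktop"          # the only approved root
        desktop.mkdir()
        (desktop / "clip.mp4").write_bytes(b"constructed sample video")
        (home / "Documents").mkdir()        # outside the root
        secret = home / "Documents" / "secret.txt"
        secret.write_text("constructed sample secret")
        # A symlink inside the root that points outside it.
        os.symlink(secret, desktop / "innocent.txt")

        roots = roots_to_dirs([desktop.as_uri(), "https://example.invalid/ignored"])
        return {
            "root_count": len(roots),
            "direct": is_path_allowed(desktop / "clip.mp4", roots),
            "traversal": is_path_allowed(desktop / ".." / "Documents" / "secret.txt", roots),
            "symlink": is_path_allowed(desktop / "innocent.txt", roots),
            "found": [p.name for p in find_in_roots("clip.mp4", roots)],
            "not_found": find_in_roots("secret.txt", roots),
        }


if __name__ == "__main__":
    print(demo())
```

Inside a real server the root URIs would come from the client at call time (in the Python SDK's FastMCP, each tool can ask its context for the session's root list and pass each root's uri into roots_to_dirs); the check itself should run at the top of every tool that touches a path, before any read or write.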

What are the key benefits of using roots in MCP?

Roots provide four key benefits. User-friendliness: users do not need to provide full file paths in their requests. Focused search: Claude only looks in approved directories, which makes file discovery faster and avoids scanning the entire file system. Security: roots prevent accidental access to sensitive files outside the approved areas. Flexibility: the server can request the roots from the client, or the root paths can be injected directly into prompts. Together these benefits make MCP servers both more powerful and more secure when working with local files.

How can you provide root information to an MCP server?

You can provide root information in two ways. The first is the list_roots request that the server sends to the client, which returns the currently configured root directories as file URIs. The second is to inject root paths directly into prompts or tool descriptions so Claude knows where to look without a separate call. Which to use depends on your application architecture: roots that can change during a session call for the list_roots approach, while static roots that are always the same can be hardcoded into the server configuration.

What happens when Claude tries to access a file outside approved roots?

When Claude attempts to access a file path that falls outside the approved root directories, the server's path validation function should reject the request and return an error. Claude can then inform the user that the requested file is not accessible from the current server configuration and suggest adding the relevant directory as a root. This clear feedback loop helps users understand why a request failed and how to fix it, rather than failing silently or returning confusing error messages about missing files.