Remote MCP turns an agent into a real product client. That is powerful, but it also raises the bar for product boundaries. The server should know which records belong to the signed-in user, which actions require a paid entitlement, and which operations should never be exposed outside an operator surface.
Good tools reflect the product model
In Veas, the public MCP endpoint is scoped to the user's career, documents, applications, interview prep, and related records. Admin tools, billing controls, and internal diagnostics stay separate. That separation keeps the connector useful without turning it into a broad administrative backdoor.
The same principle shows up in the UI. Personal career records and organization hiring records share authentication, but they keep different ownership, billing, and permission models.
Permission is part of the interface
OAuth, dynamic client registration, tier gates, and tool annotations are not plumbing details. They are the interface contract between the product, the user, and the agent. When the contract is clear, an agent can work quickly while the user stays in control.
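The boundaries described above (record ownership, paid entitlements, and operator-only tools) can be enforced in one authorization step that runs before every tool call. The sketch below is an added example, not Veas code. The tool names, tiers, scope strings, and record ids are all hypothetical.

```python
from dataclasses import dataclass

# Every tool name, tier, scope string and record id here is constructed for illustration.
TIER_RANK = {"free": 0, "pro": 1}

@dataclass(frozen=True)
class Tool:
    name: str
    surface: str     # "public" = reachable over remote MCP, "operator" = internal only
    min_tier: str    # lowest tier allowed to call the tool
    read_only: bool  # mirrors a readOnlyHint-style tool annotation

@dataclass(frozen=True)
class Caller:
    user_id: str     # taken from the validated OAuth token, never from tool arguments
    tier: str
    scopes: frozenset

TOOLS = {t.name: t for t in (
    Tool("list_applications", "public", "free", True),
    Tool("generate_interview_prep", "public", "pro", False),
    Tool("refund_invoice", "operator", "free", False),
)}

# record id -> owning user (constructed sample data)
RECORD_OWNER = {"app-1": "alice", "app-2": "bob"}

def authorize(caller, tool_name, record_id=None):
    """Return (allowed, reason) for one tool call arriving on the public endpoint."""
    tool = TOOLS.get(tool_name)
    # Operator tools get the same answer as unknown ones, so the public
    # endpoint does not confirm that they exist.
    if tool is None or tool.surface != "public":
        return False, "unknown_tool"
    needed = "records:read" if tool.read_only else "records:write"
    if needed not in caller.scopes:
        return False, "missing_scope"
    if TIER_RANK[caller.tier] < TIER_RANK[tool.min_tier]:
        return False, "tier_required"
    # Missing and foreign records are indistinguishable to the caller.
    if record_id is not None and RECORD_OWNER.get(record_id) != caller.user_id:
        return False, "not_found"
    return True, "ok"

def visible_tools(caller):
    """Tool names to advertise to this caller in a tools/list response."""
    return sorted(name for name in TOOLS if authorize(caller, name)[0])
```

Using the same `authorize` function for both listing and calling keeps the advertised tool set and the enforced tool set from drifting apart.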