URL Mode Elicitation + Sampling with Tools (2025): Build Safer Agentic MCP Servers
The 2025-11-25 MCP revision adds URL mode elicitation and sampling with tools. Together, they unlock safer agentic patterns: servers can request sensitive input out-of-band, and can ask the client to run tool-enabled model calls when needed.
The 2025 shift: more agentic, more sensitive
As MCP servers became more autonomous, two issues showed up in production: collecting sensitive inputs (credentials, payments, identity) and enabling servers to orchestrate more complex reasoning when a single tool call is not enough.
URL mode elicitation
Servers can send users to a secure URL for interactions that must not pass through the MCP client.
Sampling with tools
Servers can ask the client to create model messages with tool calling enabled, improving agentic orchestration.
URL mode elicitation: secure out-of-band input
In URL mode, the server requests an elicitation that points to an external URL. The client opens that URL so the user can complete a sensitive flow outside the MCP channel.
When you should use it
- OAuth login and consent flows
- Payment details or identity verification
- Any secret you do not want in prompts or logs
The key principle is simple: the MCP client should remain in control of user interactions and data sharing, while the server can still ask for what it needs to proceed.
Sampling with tools: servers that can reason (without overreaching)
Sampling is a client feature: the server can ask the client to create a model message (and optionally allow tool calling) so that the client remains the controlling host.
Why tool-enabled sampling matters
It enables a safe pattern where the server requests reasoning, while the client decides model choice, limits, tool access, and user-visible approvals.
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "sampling/createMessage",
  "params": {
    "messages": [
      {
        "role": "user",
        "content": {
          "type": "text",
          "text": "Plan a safe multi-step workflow"
        }
      }
    ],
    "tools": [
      {
        "name": "get_weather",
        "description": "Get current weather for a city",
        "inputSchema": {
          "type": "object",
          "properties": {
            "city": {
              "type": "string",
              "description": "City name"
            }
          },
          "required": ["city"]
        }
      }
    ],
    "toolChoice": { "mode": "auto" },
    "maxTokens": 1000
  }
}
Note: this example is illustrative for the concept; concrete tool definitions depend on the host and the connected servers.
Practical safety patterns
Keep secrets out of the model context
If the user must enter a password, an API key, or payment details, use URL mode elicitation. Never push those strings into tool calls or prompts.
Prefer explicit approvals for risky tools
Tool-enabled sampling can be powerful, but the client should keep human approvals for destructive operations and limit scopes.
Treat the server as a coordinator
The server requests actions; the client and user remain the final authority.
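One way a client could enforce these patterns before a server's sampling/createMessage request reaches the model. This is an added example, not code from the MCP specification or any SDK. The policy values, the approve callback, and the delete_file and run_shell tools are hypothetical.

```python
# Hypothetical host policy, constructed for this example.
POLICY = {
    "max_tokens_cap": 512,
    "allowed_tools": {"get_weather", "delete_file"},
    "needs_approval": {"delete_file"},  # destructive: ask the user first
}

def gate_sampling_request(request, policy, approve):
    """Apply host policy to a server's sampling/createMessage request.

    approve(tool_name) -> bool stands in for the client's user-approval prompt.
    Returns (params to forward to the model, per-tool decisions).
    """
    if request.get("method") != "sampling/createMessage":
        raise ValueError("not a sampling request")
    params = dict(request.get("params", {}))  # shallow copy: the server's request is left intact
    decisions, kept = {}, []
    for tool in params.get("tools", []):
        name = tool.get("name")
        if name not in policy["allowed_tools"]:
            decisions[name] = "denied: not allowlisted"
        elif name in policy["needs_approval"] and not approve(name):
            decisions[name] = "denied: user declined"
        else:
            decisions[name] = "allowed"
            kept.append(tool)
    if kept:
        params["tools"] = kept
    else:
        # No tool survived: drop tool calling entirely instead of sending an empty list.
        params.pop("tools", None)
        params.pop("toolChoice", None)
    cap = policy["max_tokens_cap"]
    requested = params.get("maxTokens", cap)
    params["maxTokens"] = min(requested, cap) if isinstance(requested, int) else cap
    return params, decisions

def sample_tool(name):  # constructed sample tool definition
    return {"name": name, "description": name, "inputSchema": {"type": "object"}}

# Constructed request in the shape shown above, with two extra hypothetical tools.
SAMPLE = {"jsonrpc": "2.0", "id": 1, "method": "sampling/createMessage", "params": {
    "messages": [{"role": "user", "content": {"type": "text", "text": "Plan a safe multi-step workflow"}}],
    "tools": [sample_tool("get_weather"), sample_tool("delete_file"), sample_tool("run_shell")],
    "toolChoice": {"mode": "auto"}, "maxTokens": 1000}}

if __name__ == "__main__":
    params, decisions = gate_sampling_request(SAMPLE, POLICY, approve=lambda name: False)
    print(decisions, [t["name"] for t in params["tools"]], params["maxTokens"])
```

The gate fails closed: a tool that is not allowlisted never reaches the model, and a destructive tool is forwarded only after the approval callback returns true.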
If you are building a content and outreach pipeline around your MCP workflows, you can pair these patterns with email automation tools like GetResponse to run follow-ups once a workflow finishes.
Conclusion
URL mode elicitation and sampling with tools are about one thing: making agentic systems safer and more scalable.
Use URL mode for sensitive flows, and use sampling with tools to let servers request reasoning while clients keep control.