MCP Server Identity Model: Authentication, Authorization, and Trust for the Model Context Protocol
Updated 2026-05-15 · 11 min read · By @guptadeepak
Key takeaways
- MCP authentication is OAuth 2.1 with Dynamic Client Registration; the spec inherits the OAuth security model wholesale.
- Each MCP server is its own OAuth resource server with its own scopes. Agents collect tokens per server, scoped to that server's tools.
- Open DCR is the default registration mode and the default risk; production deployments gate registration with Initial Access Tokens and scope policies.
- MCP does not standardize per-tool authorization within a server. That gap is what auth gateways and policy engines fill in production.
- MCP server discovery is a trust-bootstrapping problem. Agents that auto-discover unknown servers expand their attack surface; pin known servers.
What MCP is and what its identity model actually is
The three actors:
- MCP Client / Agent: the AI system that calls tools. Holds OAuth tokens. From the spec's perspective, an OAuth client.
- MCP Server: the thing that exposes tools to be called. From the spec's perspective, an OAuth resource server (and often also an OAuth authorization server, when it provides its own auth flow).
- OAuth Authorization Server: the issuer of access tokens. Sometimes co-deployed with the MCP server, sometimes separate.
The MCP protocol itself defines the message format for tool listing, tool invocation, resource access, and prompt serving. The MCP Authorization specification defines how OAuth 2.1 layers on top.
Server discovery and the trust bootstrap
How does an agent find MCP servers to use?
Three patterns in 2026, in increasing order of risk:
-
Pinned servers (allowlist): the agent runtime ships with a configured list of MCP servers it may use. The user cannot add new ones at runtime; an admin manages the list. Highest trust, lowest flexibility. Production-default for enterprise deployments.
-
User-provided servers with confirmation: the agent can use a server the user explicitly provides, but each new server is shown to the user with a confirmation prompt before the agent uses it. Trust delegated to the user, who is in the loop for each addition.
-
Auto-discovery from URLs in conversation: the agent picks up MCP server URLs from documents, web pages, or tool responses and starts using them. Highest risk; the agent's surface area is determined by content sources it doesn't fully vet. Acceptable only in low-stakes contexts.
The risks of accepting unknown servers:
- The server itself may be malicious — its tool results can attempt to manipulate the agent (prompt injection on the agent's planner), exfiltrate context, or trick the agent into invoking other tools harmfully.
- The server's OAuth flow may be designed to harvest credentials, register the agent under attacker control, or redirect tokens.
- The server's tool descriptions may misrepresent what tools do; the agent invokes "summarize this document" and gets "exfiltrate document contents to attacker.com."
Treat MCP server URLs with the same caution as code dependencies. The allowlist is the production default; the auto-discovery pattern is for research demos.
OAuth authorization server metadata
For each MCP server an agent may connect to, the agent fetches OAuth 2.0 Authorization Server Metadata (RFC 8414) at the well-known URL:
GET https://<mcp-server>/.well-known/oauth-authorization-server
This returns a JSON document describing:
issuer: the authorization server's issuer URL.authorization_endpoint: where to send the user for consent.token_endpoint: where to exchange codes for tokens.registration_endpoint: where to do Dynamic Client Registration.scopes_supported: the set of scopes the server defines.response_types_supported: which OAuth response types are accepted.token_endpoint_auth_methods_supported: how the client may authenticate to the token endpoint.
The agent uses this metadata to drive the OAuth flow without per-server hand-coding.
Dynamic Client Registration: how agents become clients
Most MCP deployments expect agents to register as OAuth clients dynamically (RFC 7591). The agent POSTs a JSON document to the registration endpoint:
{
"client_name": "Calendar Assistant",
"redirect_uris": ["https://agent.example.com/oauth/callback"],
"grant_types": ["authorization_code", "refresh_token"],
"scope": "tools:read tools:write"
}And receives back a client_id, client_secret (or alternative auth credential), and a registration_access_token for managing the registration.
The defaults in the MCP spec lean toward openness — the registration endpoint accepts requests without an initial-access-token gate, the registered client gets the scopes it asked for. Production MCP deployments tighten:
- Initial Access Tokens (RFC 7591 §3): gate the registration endpoint. The IAT is issued out-of-band by an admin or by an automated provisioning system that authenticates the agent platform.
- Scope policies per IAT class: different IATs map to different allowed scope sets. An agent registering with an "internal-tools" IAT can request internal-tool scopes; an external-agent IAT cannot.
- Software statements (RFC 7591 §2.3): a signed JWT from the agent platform vendor attesting "this software is what it claims to be." Lets the MCP server know the registering software is a vetted agent runtime, not arbitrary code.
- Registration TTL: registrations expire and require refresh, so stale clients accumulate less.
The pattern: treat DCR as authenticated registration, not anonymous. Anonymous registration is fine for development; production needs gates.
Per-tool authorization within a server
The MCP spec defines tool listing and invocation but does not standardize per-tool authorization. Once the agent has a valid access token for the MCP server, the server's logic decides which tools the token is permitted to invoke.
The patterns:
Per-tool OAuth scopes. The MCP server defines scopes like tools:calendar:read, tools:calendar:write, tools:email:send. The OAuth server issues tokens scoped per tool. The MCP server checks scope in the access token against the tool's required scope.
Pros: standard OAuth machinery, easy to audit. Cons: requires re-issuing tokens when the agent needs new scopes (chatty for highly-dynamic agents).
External policy evaluation. The MCP server, on each tool invocation, calls out to an external policy engine (OPA, Cedar, Permify, Authress, Auth0 FGA) with the principal (from the access token), the tool name, and the arguments. The policy engine returns allow/deny.
Pros: fine-grained, dynamic, decoupled from token issuance. Cons: per-call latency, requires policy authoring.
JIT permission elevation. The agent does not hold broad scopes. For each tool call, the agent requests a narrow short-lived token from the auth server. The auth server evaluates against policy and either issues the token, denies, or escalates to human approval. The agent presents the narrow token to the MCP server.
Pros: minimal standing surface, every action has an explicit grant. Cons: highest latency, requires JIT support in the auth server.
Production deployments commonly combine: coarse OAuth scopes for "this agent may use this server's tools at all," plus per-call policy evaluation for "this specific invocation is permitted given the principal, the resource, and the context."
Cross-server delegation and the chain problem
When an agent uses multiple MCP servers and operations span them — read a document from server A, send it via server B — how does authority flow?
Three patterns:
-
Independent tokens per server. The agent holds one OAuth token per MCP server. Each tool call uses the relevant token. The MCP servers do not need to know about each other.
-
OAuth token exchange across servers. Server A issues a token; the agent exchanges it via RFC 8693 for a token bound to server B's audience, with attenuated scope. Server B sees the chain in the exchanged token's claims.
-
Capability tokens. The token from server A is a capability that the agent can attenuate and pass to server B without contacting any issuer. Useful for deep chains where issuer roundtrips are prohibitive.
Pattern 1 is the default and the simplest. Patterns 2 and 3 matter when the audit trail needs to show cross-server authority flow, or when a downstream server needs to make decisions based on the upstream context.
Audit log requirements for MCP
Per-invocation audit on the MCP server should record:
- Principal: the OAuth client_id (the agent), the user it acts for (from the token claims), the source IATor IAT class if available.
- Tool: which tool was invoked.
- Arguments: what the tool was called with (sanitized for sensitive data).
- Result: success / denied / approval_required / error.
- Decision rationale: which scope or policy rule produced the result.
The MCP server is positioned to be the most informative audit point in the agent stack — it sees the full tool invocation graph as it happens. Servers that ship strong audit log structure for the MCP layer (and stream it to SIEM) are the ones that make agent incident response possible.
Implementation guidance
- Pin your MCP server allowlist for production. Auto-discovery is a research feature, not a production one.
- Adopt OAuth 2.1, not OAuth 2.0. PKCE mandatory, refresh-token rotation mandatory. OAuth 2.1 Explained for the details.
- Gate Dynamic Client Registration with Initial Access Tokens and scope policies. Open registration is open in the worst sense.
- Per-tool scopes for coarse authorization, policy engine for fine-grained. The combination is the production pattern.
- One OAuth issuer per organization is the cleanest deployment, with each MCP server as a distinct resource audience.
- Short-lived tokens, sender-constrained. Token Management for AI Agents covers the rationale.
- Audit everything, principal + tool + args (sanitized) + result + reason. Stream to SIEM.
- Test the registration endpoint adversarially. What scopes can an attacker register a client for? What clients accumulate over time? What deprovisioning happens?
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Curity
Curity is the standards-purist enterprise CIAM in 2026, among the most spec-correct OAuth 2.0 / OIDC implementations available, with strong FAPI and Open Banking support that suits financial services and regulated workloads. The configuration-as-code model treats identity like infrastructure-as-code, which appeals to engineering-mature enterprises. Outside the standards-correctness or FAPI use cases, the enterprise pricing and learning curve make broader-scope CIAM (Auth0, Ping) more practical.
Descope
Descope is the orchestration-first CIAM in 2026, its Flows visual editor is the most capable no-code auth designer in the market, paired with above-average passkey orchestration and an early MCP-native posture for AI agents. For mid-market B2C and B2B SaaS that wants modern auth without writing the orchestration layer, Descope is one of the strongest picks. Compliance breadth and ecosystem maturity still favor Auth0 above 500k MAU.
WorkOS
WorkOS is the strongest B2B-first CIAM in 2026 by deliberate scope choice, every product surface assumes the buyer is selling to enterprise IT, not to consumers. AuthKit's 1M MAU free tier makes it a credible Auth0 alternative for B2B SaaS that doesn't need adaptive risk or B2C consumer flows. For pure B2B SSO, SCIM, and audit logs, WorkOS is hard to beat at any price point.
FAQ
- What is MCP and why does it have its own identity model?
- Model Context Protocol (MCP) is Anthropic's open standard for connecting AI agents to tools, data sources, and services. It is the connector layer that turns 'an LLM that can chat' into 'an agent that can take actions in the real world.' MCP does not invent its own identity model — it adopts OAuth 2.1 with Dynamic Client Registration — but the patterns for using OAuth in an agent-discovers-server context are new enough that the deployment patterns are still being figured out in 2026.
- How does an agent authenticate to an MCP server?
- OAuth 2.1 Authorization Code flow with PKCE. The MCP server's discovery document points to its OAuth authorization and token endpoints. The agent (acting as an OAuth client) redirects the user through authorization, gets an authorization code, exchanges it for an access token, and includes the access token on every MCP request. For autonomous agents without a user in the loop, client_credentials grant — the agent has its own pre-registered service principal.
- Does each MCP server need its own OAuth issuer?
- Conceptually yes, in practice often no. An organization running ten MCP servers can run them all behind one OAuth authorization server, with each MCP server as a distinct resource (audience). The benefit: one consent surface for the user, one token-management story for the agent, one audit log. The cost: the MCP servers are coupled to that auth server. For independently-deployed MCP servers (vendor-provided, open-source you self-host), each typically brings its own OAuth issuer.
- What's the security risk of MCP server auto-discovery?
- An agent that discovers MCP servers from URLs the user provides at runtime can be pointed at malicious servers. The risks: the server itself is the threat (returns malicious tool results designed to manipulate the agent), or the server's OAuth flow is the threat (DCR registers the agent's client_id under the attacker's control, future interactions go through the attacker). Mitigations: pin MCP servers to an allowlist for production deployments, require attestation of new servers before adding them, treat unknown servers with the same caution you would treat unknown websites.
- How do I authorize specific MCP tools within a server?
- MCP doesn't standardize this; it's left to the implementation. The patterns: per-tool OAuth scopes (the access token has scopes like `tools:read_calendar`, `tools:send_email`; the MCP server checks the scope per tool call), per-tool policy evaluation (the MCP server proxies authorization decisions to an external policy engine like OPA), or JIT permission elevation (the agent requests a narrow token for the specific tool call, the auth server evaluates and grants). Production MCP deployments typically combine scopes for coarse access and policy evaluation for fine-grained.
Sources
- Model Context Protocol specification (Anthropic)
- MCP Authorization specification
- OAuth 2.1 (IETF draft)
- RFC 7591 — OAuth 2.0 Dynamic Client Registration
- RFC 8414 — OAuth 2.0 Authorization Server Metadata