Agent MCP OAuth Authorization Discovery
Status: public · Confidence: medium (0.865) · Basis: verified_sources
## TL;DR

MCP authorization evidence should include the protected resource metadata, the authorization server metadata, the token audience, the granted scopes, and the transport mode before an agent calls restricted tools.

## Core Explanation

Agents that connect to remote MCP servers need more than a bearer token. They need to know which MCP server the token was issued for, which authorization server issued it, what scopes or privileges apply, and how the client discovered those endpoints. The evidence trail should preserve the MCP server URL, the protected resource metadata URL, the authorization server issuer, the client ID, the requested scopes, the `resource` parameter sent in the authorization request, the token audience validation behavior, and the HTTP status and `WWW-Authenticate` challenge that started discovery.

Without that evidence, an agent can reuse a token for the wrong resource (the token's audience is a different server) or misdiagnose an authorization failure (a 401 with a challenge) as a tool failure.

For local STDIO MCP servers, credential handling is different from HTTP transport: the MCP authorization specification directs STDIO implementations to retrieve credentials from the environment rather than follow the HTTP authorization flow. Agents should not apply remote OAuth assumptions to local environment-provided credentials.

## Source-Mapped Facts

- The Model Context Protocol authorization specification says authorization is optional, and HTTP-based implementations that support it should conform to the MCP authorization specification. ([source](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization))
- RFC 8414 specifies OAuth 2.0 Authorization Server Metadata for publishing authorization server endpoint and capability metadata. ([source](https://datatracker.ietf.org/doc/html/rfc8414))
- RFC 9728 specifies OAuth 2.0 Protected Resource Metadata for publishing metadata about protected resources. ([source](https://datatracker.ietf.org/doc/html/rfc9728))

## Further Reading

- [MCP Authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
- [RFC 8414 OAuth 2.0 Authorization Server Metadata](https://datatracker.ietf.org/doc/html/rfc8414)
- [RFC 9728 OAuth 2.0 Protected Resource Metadata](https://datatracker.ietf.org/doc/html/rfc9728)
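The discovery walk described under Core Explanation, as an added example that is not code from the MCP project or from this page's sources. It follows a 401 challenge to the RFC 9728 protected resource metadata, then to the RFC 8414 authorization server metadata, applies the two consistency checks those RFCs require (the `resource` value must be the server the client tried to reach; the `issuer` value must equal the issuer used to build the well-known URL), and returns the evidence record the page lists. All URLs (`mcp.example.com`, `as.example.com`, `other.example.net`), the JSON metadata documents, the `offline_fetch` stand-in for HTTPS, and the function names `discover`, `discovery_error` and `token_audience_ok` are constructed for this example.

```python
# Added example (not the MCP project's code): MCP OAuth discovery with an evidence record.
import re
from urllib.parse import urlsplit, urlunsplit


class AuthorizationDiscoveryError(Exception):
    """Discovered metadata does not match what the client asked for."""


MCP_URL = "https://mcp.example.com/mcp"  # constructed MCP server URL

# Constructed stand-ins for the JSON documents a client would fetch over HTTPS.
CONSTRUCTED_DOCS = {
    # RFC 9728 protected resource metadata for the MCP server above
    "https://mcp.example.com/.well-known/oauth-protected-resource/mcp": {
        "resource": MCP_URL,
        "authorization_servers": ["https://as.example.com"],
        "scopes_supported": ["mcp:tools", "mcp:resources"],
    },
    # RFC 8414 authorization server metadata
    "https://as.example.com/.well-known/oauth-authorization-server": {
        "issuer": "https://as.example.com",
        "authorization_endpoint": "https://as.example.com/authorize",
        "token_endpoint": "https://as.example.com/token",
        "code_challenge_methods_supported": ["S256"],
    },
    # Metadata that describes a different resource; discovery must reject it.
    "https://other.example.net/.well-known/oauth-protected-resource": {
        "resource": "https://other.example.net/mcp",
        "authorization_servers": ["https://as.example.com"],
    },
}


def offline_fetch(url):
    """Hypothetical stand-in for an HTTPS GET that returns parsed JSON."""
    if url not in CONSTRUCTED_DOCS:
        raise AuthorizationDiscoveryError(f"metadata not found: {url}")
    return CONSTRUCTED_DOCS[url]


def parse_www_authenticate(header):
    """Split a Bearer challenge into its auth-params (resource_metadata, scope, ...)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise AuthorizationDiscoveryError(f"unexpected challenge scheme: {scheme}")
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', params)}


def as_metadata_url(issuer):
    """RFC 8414 well-known URL: the suffix is inserted between host and issuer path."""
    parts = urlsplit(issuer)
    path = "/.well-known/oauth-authorization-server" + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def discover(mcp_url, status, www_authenticate, client_id, fetch=offline_fetch):
    """Follow 401 -> resource metadata -> AS metadata and return the evidence record."""
    if status != 401:
        raise AuthorizationDiscoveryError(f"expected a 401 challenge, got HTTP {status}")
    challenge = parse_www_authenticate(www_authenticate)
    prm_url = challenge.get("resource_metadata")
    if not prm_url:
        raise AuthorizationDiscoveryError("challenge carries no resource_metadata")
    prm = fetch(prm_url)
    # RFC 9728: "resource" must be the server the client tried to reach; otherwise the
    # client would trust an authorization server that was published for another resource.
    if prm.get("resource") != mcp_url:
        raise AuthorizationDiscoveryError(f"resource mismatch: {prm.get('resource')!r} != {mcp_url!r}")
    issuer = prm["authorization_servers"][0]
    asm_url = as_metadata_url(issuer)
    asm = fetch(asm_url)
    # RFC 8414: "issuer" in the metadata must equal the issuer used to build the URL.
    if asm.get("issuer") != issuer:
        raise AuthorizationDiscoveryError(f"issuer mismatch: {asm.get('issuer')!r} != {issuer!r}")
    return {
        "transport": "http",
        "mcp_server_url": mcp_url,
        "http_status": status,
        "www_authenticate": www_authenticate,
        "resource_metadata_url": prm_url,
        "authorization_server_issuer": issuer,
        "authorization_server_metadata_url": asm_url,
        "token_endpoint": asm["token_endpoint"],
        "pkce_methods": asm.get("code_challenge_methods_supported", []),
        "client_id": client_id,
        # Scope named in the challenge wins; otherwise fall back to what the resource advertises.
        "requested_scopes": challenge.get("scope", "").split() or prm.get("scopes_supported", []),
        # The resource parameter for the authorization request is the MCP server URL itself.
        "resource_parameter": mcp_url,
    }


def discovery_error(mcp_url, status, www_authenticate, client_id="agent-client"):
    """Return the discovery error message, or None when discovery succeeds."""
    try:
        discover(mcp_url, status, www_authenticate, client_id)
        return None
    except AuthorizationDiscoveryError as exc:
        return str(exc)


def token_audience_ok(claims, mcp_url):
    """Audience check on decoded token claims: 'aud' (string or list) must name this server."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return mcp_url in aud
```

Two of the failure modes the page warns about are visible here: a non-401 status or a challenge without `resource_metadata` is reported as a discovery failure rather than a tool failure, and a token whose `aud` names a different server fails `token_audience_ok` before any tool call is attempted. A STDIO server never enters `discover` at all; its evidence record would carry `transport: "stdio"` and the environment source of its credentials.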