Agent Tool Authorization and Permissions
Status: public · Confidence: medium (0.865) · Basis: verified_sources
## TL;DR

Agent tool authorization controls which external systems an agent may call, which user or service identity the call uses, and whether the token is scoped to the intended resource.

## Core Explanation

Tool authorization is separate from tool selection. A model may decide that a tool is useful, but the runtime still needs identity, token audience, scopes, confirmation rules, and audit logging before execution. For agent systems that operate across many APIs, OAuth resource scoping and MCP authorization discovery prevent a single broad credential from becoming an ambient permission to every tool.

## Source-Mapped Facts

- The Model Context Protocol authorization specification says a protected MCP server acts as an OAuth resource server and accepts protected resource requests using access tokens. ([source](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization))
- RFC 6749 says OAuth 2.0 lets a third-party application obtain limited access to an HTTP service either on behalf of a resource owner or on its own behalf. ([source](https://datatracker.ietf.org/doc/html/rfc6749))
- The Model Context Protocol authorization specification requires MCP clients to implement Resource Indicators for OAuth 2.0 to specify the target resource for which a token is requested. ([source](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization))

## Further Reading

- [MCP authorization specification](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
- [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749)
- [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707)
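
The runtime checks named under Core Explanation (identity, token audience, scopes, confirmation rules, audit logging), shown as a gate that runs after the model selects a tool and before the call executes. This is an added example, not code from the MCP specification or any SDK; `ToolPolicy`, `authorize_tool_call`, the claim layout, and the example.com URIs are assumptions, and token signature and issuer verification are assumed to have happened upstream.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolPolicy:                   # hypothetical policy record, not an MCP type
    resource: str                   # canonical URI of the protected resource server
    required_scopes: frozenset
    needs_confirmation: bool = False

def _audiences(claims):
    # "aud" may be a single string or a list of strings.
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)

def authorize_tool_call(tool_name, policies, claims, confirmed, audit_log, now=None):
    """Decide whether a model-selected tool call may run.
    Assumption: `claims` come from an already signature-verified access token."""
    now = time.time() if now is None else now
    policy = policies.get(tool_name)
    granted = set(claims.get("scope", "").split())
    if policy is None:
        decision = "unknown_tool"
    elif not claims.get("sub"):
        decision = "missing_identity"
    elif claims.get("exp", 0) <= now:
        decision = "token_expired"
    elif policy.resource not in _audiences(claims):
        decision = "audience_mismatch"      # token was issued for another resource
    elif not policy.required_scopes <= granted:
        decision = "insufficient_scope"
    elif policy.needs_confirmation and not confirmed:
        decision = "confirmation_required"
    else:
        decision = "ok"
    # Every decision, allow or deny, is recorded before the caller acts on it.
    audit_log.append({"ts": now, "tool": tool_name, "sub": claims.get("sub"),
                      "aud": sorted(_audiences(claims)), "decision": decision})
    return decision == "ok"

# Constructed sample data: two tools behind different resource servers.
POLICIES = {
    "calendar.read": ToolPolicy("https://calendar.example.com/mcp",
                                frozenset({"calendar:read"})),
    "mail.send": ToolPolicy("https://mail.example.com/mcp",
                            frozenset({"mail:send"}), needs_confirmation=True),
}
CALENDAR_TOKEN = {"sub": "user-123", "aud": "https://calendar.example.com/mcp",
                  "scope": "calendar:read", "exp": 2_000_000_000}
```

A token issued for the calendar resource is refused for `mail.send` even though the same user holds it, which is the ambient-permission case that resource-scoped tokens prevent.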