···
7
+
{{< callout type="info" >}} **Protocol Revision**: 2025-03-26 {{< /callout >}}
11
+
### 1.1 Purpose and Scope
13
+
The Model Context Protocol provides authorization capabilities at the transport level,
14
+
enabling MCP clients to make requests to restricted MCP servers on behalf of resource
15
+
owners. This specification defines the authorization flow for HTTP-based transports.
17
+
### 1.2 Protocol Requirements
19
+
Authorization is **OPTIONAL** for MCP implementations. When supported:
21
+
- Implementations using an HTTP-based transport **SHOULD** conform to this specification.
22
+
- Implementations using an STDIO transport **SHOULD NOT** follow this specification, and
23
+
instead retrieve credentials from the environment.
24
+
- Implementations using alternative transports **MUST** follow established security best
25
+
practices for their protocol.
27
+
### 1.3 Standards Compliance
29
+
This authorization mechanism is based on established specifications listed below, but
30
+
implements a selected subset of their features to ensure security and interoperability
31
+
while maintaining simplicity:
33
+
- [OAuth 2.1 IETF DRAFT](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12)
34
+
- OAuth 2.0 Authorization Server Metadata
35
+
([RFC8414](https://datatracker.ietf.org/doc/html/rfc8414))
36
+
- OAuth 2.0 Dynamic Client Registration Protocol
37
+
([RFC7591](https://datatracker.ietf.org/doc/html/rfc7591))
39
+
## 2. Authorization Flow
43
+
1. MCP auth implementations **MUST** implement OAuth 2.1 with appropriate security
44
+
measures for both confidential and public clients.
46
+
2. MCP auth implementations **SHOULD** support the OAuth 2.0 Dynamic Client Registration
47
+
Protocol ([RFC7591](https://datatracker.ietf.org/doc/html/rfc7591)).
49
+
3. MCP servers **SHOULD** and MCP clients **MUST** implement OAuth 2.0 Authorization
50
+
Server Metadata ([RFC8414](https://datatracker.ietf.org/doc/html/rfc8414)). Servers
51
+
that do not support Authorization Server Metadata **MUST** follow the default URI
54
+
### 2.2 Basic OAuth 2.1 Authorization
56
+
When authorization is required and not yet proven by the client, servers **MUST** respond
57
+
with _HTTP 401 Unauthorized_.
59
+
Clients initiate the
60
+
[OAuth 2.1 IETF DRAFT](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12)
61
+
authorization flow after receiving the _HTTP 401 Unauthorized_.
63
+
The following demonstrates the basic OAuth 2.1 for public clients using PKCE.
67
+
participant B as User-Agent (Browser)
68
+
participant C as Client
69
+
participant M as MCP Server
72
+
M->>C: HTTP 401 Unauthorized
73
+
Note over C: Generate code_verifier and code_challenge
74
+
C->>B: Open browser with authorization URL + code_challenge
75
+
B->>M: GET /authorize
76
+
Note over M: User logs in and authorizes
77
+
M->>B: Redirect to callback URL with auth code
78
+
B->>C: Callback with authorization code
79
+
C->>M: Token Request with code + code_verifier
80
+
M->>C: Access Token (+ Refresh Token)
81
+
C->>M: MCP Request with Access Token
82
+
Note over C,M: Begin standard MCP message exchange
85
+
### 2.3 Server Metadata Discovery
87
+
For server capability discovery:
89
+
- MCP clients _MUST_ follow the OAuth 2.0 Authorization Server Metadata protocol defined
90
+
in [RFC8414](https://datatracker.ietf.org/doc/html/rfc8414).
91
+
- MCP server _SHOULD_ follow the OAuth 2.0 Authorization Server Metadata protocol.
92
+
- MCP servers that do not support the OAuth 2.0 Authorization Server Metadata protocol,
93
+
_MUST_ support fallback URLs.
95
+
The discovery flow is illustrated below:
99
+
participant C as Client
100
+
participant S as Server
102
+
C->>S: GET /.well-known/oauth-authorization-server
103
+
alt Discovery Success
104
+
S->>C: 200 OK + Metadata Document
105
+
Note over C: Use endpoints from metadata
106
+
else Discovery Failed
107
+
S->>C: 404 Not Found
108
+
Note over C: Fall back to default endpoints
110
+
Note over C: Continue with authorization flow
113
+
#### 2.3.1 Server Metadata Discovery Headers
115
+
MCP clients _SHOULD_ include the header `MCP-Protocol-Version: <protocol-version>` during
116
+
Server Metadata Discovery to allow the MCP server to respond based on the MCP protocol
119
+
For example: `MCP-Protocol-Version: 2024-11-05`
121
+
#### 2.3.2 Authorization Base URL
123
+
The authorization base URL **MUST** be determined from the MCP server URL by discarding
124
+
any existing `path` component. For example:
126
+
If the MCP server URL is `https://api.example.com/v1/mcp`, then:
128
+
- The authorization base URL is `https://api.example.com`
129
+
- The metadata endpoint **MUST** be at
130
+
`https://api.example.com/.well-known/oauth-authorization-server`
132
+
This ensures authorization endpoints are consistently located at the root level of the
133
+
domain hosting the MCP server, regardless of any path components in the MCP server URL.
135
+
#### 2.3.3 Fallbacks for Servers without Metadata Discovery
137
+
For servers that do not implement OAuth 2.0 Authorization Server Metadata, clients
138
+
**MUST** use the following default endpoint paths relative to the authorization base URL
139
+
(as defined in [Section 2.3.2](#232-authorization-base-url)):
141
+
| Endpoint | Default Path | Description |
142
+
| ---------------------- | ------------ | ------------------------------------ |
143
+
| Authorization Endpoint | /authorize | Used for authorization requests |
144
+
| Token Endpoint | /token | Used for token exchange & refresh |
145
+
| Registration Endpoint | /register | Used for dynamic client registration |
147
+
For example, with an MCP server hosted at `https://api.example.com/v1/mcp`, the default
148
+
endpoints would be:
150
+
- `https://api.example.com/authorize`
151
+
- `https://api.example.com/token`
152
+
- `https://api.example.com/register`
154
+
Clients **MUST** first attempt to discover endpoints via the metadata document before
155
+
falling back to default paths. When using default paths, all other protocol requirements
158
+
### 2.3 Dynamic Client Registration
160
+
MCP clients and servers **SHOULD** support the
161
+
[OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591)
162
+
to allow MCP clients to obtain OAuth client IDs without user interaction. This provides a
163
+
standardized way for clients to automatically register with new servers, which is crucial
166
+
- Clients cannot know all possible servers in advance
167
+
- Manual registration would create friction for users
168
+
- It enables seamless connection to new servers
169
+
- Servers can implement their own registration policies
171
+
Any MCP servers that _do not_ support Dynamic Client Registration need to provide
172
+
alternative ways to obtain a client ID (and, if applicable, client secret). For one of
173
+
these servers, MCP clients will have to either:
175
+
1. Hardcode a client ID (and, if applicable, client secret) specifically for that MCP
177
+
2. Present a UI to users that allows them to enter these details, after registering an
178
+
OAuth client themselves (e.g., through a configuration interface hosted by the
181
+
### 2.4 Authorization Flow Steps
183
+
The complete Authorization flow proceeds as follows:
187
+
participant B as User-Agent (Browser)
188
+
participant C as Client
189
+
participant M as MCP Server
191
+
C->>M: GET /.well-known/oauth-authorization-server
192
+
alt Server Supports Discovery
193
+
M->>C: Authorization Server Metadata
195
+
M->>C: 404 (Use default endpoints)
198
+
alt Dynamic Client Registration
199
+
C->>M: POST /register
200
+
M->>C: Client Credentials
203
+
Note over C: Generate PKCE Parameters
204
+
C->>B: Open browser with authorization URL + code_challenge
205
+
B->>M: Authorization Request
206
+
Note over M: User /authorizes
207
+
M->>B: Redirect to callback with authorization code
208
+
B->>C: Authorization code callback
209
+
C->>M: Token Request + code_verifier
210
+
M->>C: Access Token (+ Refresh Token)
211
+
C->>M: API Requests with Access Token
214
+
#### 2.4.1 Decision Flow Overview
218
+
A[Start Auth Flow] --> B{Check Metadata Discovery}
219
+
B -->|Available| C[Use Metadata Endpoints]
220
+
B -->|Not Available| D[Use Default Endpoints]
222
+
C --> G{Check Registration Endpoint}
225
+
G -->|Available| H[Perform Dynamic Registration]
226
+
G -->|Not Available| I[Alternative Registration Required]
228
+
H --> J[Start OAuth Flow]
231
+
J --> K[Generate PKCE Parameters]
232
+
K --> L[Request Authorization]
233
+
L --> M[User Authorization]
234
+
M --> N[Exchange Code for Tokens]
235
+
N --> O[Use Access Token]
238
+
### 2.5 Access Token Usage
240
+
#### 2.5.1 Token Requirements
242
+
Access token handling **MUST** conform to
243
+
[OAuth 2.1 Section 5](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-5)
244
+
requirements for resource requests. Specifically:
246
+
1. MCP client **MUST** use the Authorization request header field
247
+
[Section 5.1.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-5.1.1):
250
+
Authorization: Bearer <access-token>
253
+
Note that authorization **MUST** be included in every HTTP request from client to server,
254
+
even if they are part of the same logical session.
256
+
2. Access tokens **MUST NOT** be included in the URI query string
261
+
GET /v1/contexts HTTP/1.1
262
+
Host: mcp.example.com
263
+
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
266
+
#### 2.5.2 Token Handling
268
+
Resource servers **MUST** validate access tokens as described in
269
+
[Section 5.2](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-5.2).
270
+
If validation fails, servers **MUST** respond according to
271
+
[Section 5.3](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-5.3)
272
+
error handling requirements. Invalid or expired tokens **MUST** receive a HTTP 401
275
+
### 2.6 Security Considerations
277
+
The following security requirements **MUST** be implemented:
279
+
1. Clients **MUST** securely store tokens following OAuth 2.0 best practices
280
+
2. Servers **SHOULD** enforce token expiration and rotation
281
+
3. All authorization endpoints **MUST** be served over HTTPS
282
+
4. Servers **MUST** validate redirect URIs to prevent open redirect vulnerabilities
283
+
5. Redirect URIs **MUST** be either localhost URLs or HTTPS URLs
285
+
### 2.7 Error Handling
287
+
Servers **MUST** return appropriate HTTP status codes for authorization errors:
289
+
| Status Code | Description | Usage |
290
+
| ----------- | ------------ | ------------------------------------------ |
291
+
| 401 | Unauthorized | Authorization required or token invalid |
292
+
| 403 | Forbidden | Invalid scopes or insufficient permissions |
293
+
| 400 | Bad Request | Malformed authorization request |
295
+
### 2.8 Implementation Requirements
297
+
1. Implementations **MUST** follow OAuth 2.1 security best practices
298
+
2. PKCE is **REQUIRED** for all clients
299
+
3. Token rotation **SHOULD** be implemented for enhanced security
300
+
4. Token lifetimes **SHOULD** be limited based on security requirements
302
+
### 2.9 Third-Party Authorization Flow
304
+
#### 2.9.1 Overview
306
+
MCP servers **MAY** support delegated authorization through third-party authorization
307
+
servers. In this flow, the MCP server acts as both an OAuth client (to the third-party
308
+
auth server) and an OAuth authorization server (to the MCP client).
310
+
#### 2.9.2 Flow Description
312
+
The third-party authorization flow comprises these steps:
314
+
1. MCP client initiates standard OAuth flow with MCP server
315
+
2. MCP server redirects user to third-party authorization server
316
+
3. User authorizes with third-party server
317
+
4. Third-party server redirects back to MCP server with authorization code
318
+
5. MCP server exchanges code for third-party access token
319
+
6. MCP server generates its own access token bound to the third-party session
320
+
7. MCP server completes original OAuth flow with MCP client
324
+
participant B as User-Agent (Browser)
325
+
participant C as MCP Client
326
+
participant M as MCP Server
327
+
participant T as Third-Party Auth Server
329
+
C->>M: Initial OAuth Request
330
+
M->>B: Redirect to Third-Party /authorize
331
+
B->>T: Authorization Request
332
+
Note over T: User authorizes
333
+
T->>B: Redirect to MCP Server callback
334
+
B->>M: Authorization code
335
+
M->>T: Exchange code for token
336
+
T->>M: Third-party access token
337
+
Note over M: Generate bound MCP token
338
+
M->>B: Redirect to MCP Client callback
339
+
B->>C: MCP authorization code
340
+
C->>M: Exchange code for token
341
+
M->>C: MCP access token
344
+
#### 2.9.3 Session Binding Requirements
346
+
MCP servers implementing third-party authorization **MUST**:
348
+
1. Maintain secure mapping between third-party tokens and issued MCP tokens
349
+
2. Validate third-party token status before honoring MCP tokens
350
+
3. Implement appropriate token lifecycle management
351
+
4. Handle third-party token expiration and renewal
353
+
#### 2.9.4 Security Considerations
355
+
When implementing third-party authorization, servers **MUST**:
357
+
1. Validate all redirect URIs
358
+
2. Securely store third-party credentials
359
+
3. Implement appropriate session timeout handling
360
+
4. Consider security implications of token chaining
361
+
5. Implement proper error handling for third-party auth failures
363
+
## 3. Best Practices
365
+
#### 3.1 Local clients as Public OAuth 2.1 Clients
367
+
We strongly recommend that local clients implement OAuth 2.1 as a public client:
369
+
1. Utilizing code challenges (PKCE) for authorization requests to prevent interception
371
+
2. Implementing secure token storage appropriate for the local system
372
+
3. Following token refresh best practices to maintain sessions
373
+
4. Properly handling token expiration and renewal
375
+
#### 3.2 Authorization Metadata Discovery
377
+
We strongly recommend that all clients implement metadata discovery. This reduces the
378
+
need for users to provide endpoints manually or clients to fallback to the defined
381
+
#### 3.3 Dynamic Client Registration
383
+
Since clients do not know the set of MCP servers in advance, we strongly recommend the
384
+
implementation of dynamic client registration. This allows applications to automatically
385
+
register with the MCP server, and removes the need for users to obtain client ids
anil.recoil.org
