
What breaks when token passthrough is allowed in MCP?

When token passthrough is allowed, every intermediary becomes a credential capture point and every downstream service inherits more trust than intended. A stolen bearer token can be replayed against the wrong resource if audience checks are weak or absent. That turns transport convenience into broad privilege exposure.

Why Token Passthrough Breaks the MCP Trust Model

Token passthrough in MCP weakens the boundary between the client, the host, and every downstream tool the agent can reach. Instead of a controlled delegation path, you get a shared bearer credential that can be copied, replayed, and over-scoped across services. That is why current guidance on agentic systems prefers explicit workload identity and runtime authorisation, as reflected in the OWASP Agentic AI Top 10 and NHI governance patterns.

The practical failure is not only theft. Passthrough also collapses auditability, because downstream systems cannot easily distinguish whether a call was intended by the user, the agent, or an intermediary service. NHIMG research on the Salesloft OAuth token breach shows how stolen OAuth tokens can become a direct path into business data when trust is too broad. In practice, many security teams only discover this pattern after a token is reused against a system that was never meant to inherit it.

How to Contain the Blast Radius in Practice

Safer MCP designs avoid passing the original bearer token through the tool chain. Instead, they use workload identity for the agent, short-lived JIT credentials for each task, and policy decisions made at request time. That means the agent proves what it is, the platform decides what it may do right now, and every downstream call is scoped to the minimum necessary audience. This is closer to zero standing privilege than to traditional session forwarding, and it aligns with the direction described in the Guide to the Secret Sprawl Challenge.

  • Issue ephemeral tokens per action, not per session, and revoke them as soon as the task completes.
  • Bind each token to a specific audience, tool, and context so replay is useless outside that path.
  • Use intent-based authorisation so the decision reflects what the agent is trying to do, not only its static role.
  • Log the original request, the policy decision, and the downstream target for forensic traceability.
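The following Python is an added example, not code from this page, from NHIMG, or from any MCP implementation. It puts the passthrough failure described earlier (a CRM bearer forwarded to a files tool that only checks signature and expiry) next to the four controls in the list: a broker that decides at request time and mints one short-lived HS256 token per action, bound to an audience, an action and a context, single-use via `jti`, revocable when the task completes, with every decision logged. The signing key, the service names `crm-api` and `files-api`, the agent id `agent-7`, and the claim names `act` and `ctx` are constructed assumptions; the JWT routines are a toy issuer, not a production library.

```python
import base64
import hashlib
import hmac
import json
import secrets

KEY = b"demo-signing-key"  # constructed demo secret, not a deployment value

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Toy HS256 JWT issuer (symmetric key, no key id)."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_signature_and_expiry(token: str, now: float) -> dict:
    """All that a weak downstream verifier checks: signature and exp."""
    head, body, sig = token.split(".")
    want = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    return claims

def weak_tool_call(name: str, token: str, action: str, now: float) -> str:
    """Passthrough failure: any validly signed bearer is honoured, whatever audience it was issued for."""
    c = verify_signature_and_expiry(token, now)
    return f"{name}:{action} as {c['sub']}"

class StrictToolServer:  # audience-bound, action-bound, single-use, revocable
    def __init__(self, name: str, revoked: set):
        self.name = name
        self.revoked = revoked  # shared with the broker; consuming a token revokes it everywhere

    def call(self, token: str, action: str, now: float) -> str:
        c = verify_signature_and_expiry(token, now)
        if c.get("aud") != self.name:
            raise PermissionError("wrong audience")
        if c.get("act") != action:
            raise PermissionError("token not issued for this action")
        jti = c.get("jti")
        if jti is None or jti in self.revoked:
            raise PermissionError("replayed or revoked")
        self.revoked.add(jti)  # single use: a second presentation is a replay
        return f"{self.name}:{action} as {c['sub']} for {c['ctx']}"

class Broker:  # decides at request time and mints a token scoped to that one request
    def __init__(self, policy: set):
        self.policy = policy  # allowed (agent, tool, action) triples
        self.revoked: set = set()
        self.log: list = []  # original request, policy decision, downstream target

    def delegate(self, agent, tool, action, ctx, now, ttl=30) -> str:
        allowed = (agent, tool, action) in self.policy
        jti = secrets.token_hex(8)
        self.log.append({"agent": agent, "tool": tool, "action": action,
                         "ctx": ctx, "allowed": allowed, "jti": jti, "ts": now})
        if not allowed:
            raise PermissionError(f"{agent} may not {action} on {tool}")
        return mint({"sub": agent, "aud": tool, "act": action, "ctx": ctx,
                     "jti": jti, "exp": now + ttl})

    def complete(self, token: str, now: float) -> None:
        """Task finished: revoke now rather than waiting for exp."""
        self.revoked.add(verify_signature_and_expiry(token, now)["jti"])

def outcome(fn, *args) -> str:
    try:
        return fn(*args)
    except PermissionError as e:
        return f"denied: {e}"

def run_demo() -> dict:
    now = 1_700_000_000.0  # fixed clock so results are reproducible
    user_bearer = mint({"sub": "alice", "aud": "crm-api", "exp": now + 3600})  # constructed user token
    broker = Broker(policy={("agent-7", "files-api", "read")})
    strict = StrictToolServer("files-api", broker.revoked)
    t1 = broker.delegate("agent-7", "files-api", "read", "ticket-4411", now)
    t2 = broker.delegate("agent-7", "files-api", "read", "ticket-4412", now)
    broker.complete(t2, now + 1)  # task 4412 done: revoke t2 long before exp
    return {
        "weak_accepts_forwarded": outcome(weak_tool_call, "files-api", user_bearer, "read", now),
        "strict_rejects_forwarded": outcome(strict.call, user_bearer, "read", now),
        "first_use": outcome(strict.call, t1, "read", now + 1),
        "replay": outcome(strict.call, t1, "read", now + 2),
        "wrong_action": outcome(strict.call, t2, "delete", now + 2),
        "revoked": outcome(strict.call, t2, "read", now + 2),
        "unpolicied": outcome(broker.delegate, "agent-7", "files-api", "delete", "ticket-4411", now),
        "log_entries": len(broker.log),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The weak server accepts the forwarded CRM token for a files action because nothing in it names the files service; the strict server refuses it on audience alone before looking at anything else. The per-task tokens are rejected on replay, on an action they were not minted for, and after the broker revokes them, and the refused `delete` request is still written to the decision log, which is what makes the later forensic question ("who asked for this and what did the policy say?") answerable.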

Framework guidance is converging on this model: OWASP Top 10 for Agentic Applications 2026 focuses attention on tool misuse and excess authority, while NIST AI risk guidance pushes teams toward governance that can withstand autonomous behaviour. These controls tend to break down when legacy MCP integrations assume long-lived user sessions, because the integration then inherits permissions it cannot re-verify on each call.

Where the Edge Cases Still Hurt

Tighter controls often increase implementation overhead, so organisations have to balance user convenience against token isolation. That tradeoff is real in high-throughput environments where teams want seamless tool chaining, but best practice is evolving toward separation of identity, authorisation, and secret handling rather than all three riding on one token. The hardest cases are delegated workflows, cross-tenant tools, and brokered API calls, where audience restrictions, consent boundaries, and revocation timing must all be correct at once.

Agentic systems make this harder because behaviour is dynamic, not pre-scripted. An AI agent can chain tools, pivot into a new workflow, or request a follow-on action that was never anticipated at design time. That is why NHIMG coverage of the OWASP Agentic Applications Top 10 remains relevant here, and why the Analysis of Claude Code Security is a useful reminder that agent tooling must assume unexpected execution paths. In practice, token passthrough breaks most visibly when a downstream system treats a forwarded bearer as proof of both identity and intent.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework               | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1                  | Token passthrough enables excess tool authority and replay risk.
CSA MAESTRO             | IAM                 | Addresses identity, delegation, and privilege boundaries for agents.
NIST AI RMF             |                     | Covers governance for autonomous systems with unpredictable actions.

Use workload identity and per-task delegation instead of forwarding user tokens.