Claude Code MCP token theft shows why runtime auth matters

At a glance

What this is: This analysis explains how Claude Code MCP token theft works and why OAuth scopes alone do not protect AI coding-agent tool calls.

Why it matters: It matters because IAM teams now have to govern local routing integrity, bearer-token use, and runtime authorisation together across AI agent, NHI, and human identity flows.

By the numbers:

• Only 18% of MCP server deployments implement any form of access scoping for tool permissions.
• 53% of MCP servers expose credentials through hard-coded values in configuration files.

👉 Read PermitIO's analysis of Claude Code MCP token theft and runtime authorisation

Context

Claude Code MCP token theft is a runtime authorisation problem, not just a secrets problem. The attack path matters because an attacker can rewrite local MCP routing, capture valid OAuth tokens, and make downstream SaaS activity look normal while the original tool call has already been compromised.

For IAM and NHI teams, the failure is in assuming that a valid token plus correct scope is enough to establish trust. In AI coding-agent environments, local configuration integrity, endpoint trust, and execution-time policy decisions all become part of the identity control plane.

That is a typical failure pattern in agentic workflows that stitch together developer workstations, MCP servers, and SaaS APIs.

Key questions

Q: How should security teams implement runtime authorisation for AI coding agents?

A: Start by placing a policy decision point in front of every sensitive tool call, not just at login or token issuance. The policy should evaluate the agent session, the requested action, the target system, and current risk signals. That gives you call-time control over what the token can actually do.

Q: Why do valid OAuth scopes still fail to protect AI tool integrations?

A: Because scopes describe potential capability, not the trustworthiness of the current execution path. If local routing, workstation config, or package-install behaviour is compromised, a valid token can be replayed through attacker-controlled infrastructure. Scope-only security cannot see that the call path has already been hijacked.

Q: What breaks when local MCP configuration can be rewritten by untrusted code?

A: The organisation loses trust in the endpoint path that carries bearer tokens to the service. Even if the token is legitimate, the routing layer can proxy or capture it before the SaaS provider ever sees the request. That turns workstation configuration into an identity control plane with no effective boundary.

Q: Who is accountable when an AI agent uses a stolen token to access SaaS data?

A: Accountability sits across the human operator, the agent platform, and the organisation that failed to protect the call path. The practical question is whether governance covered local config integrity, token scope, and runtime authorisation together. If any one of those layers was missing, the control failure is on the programme, not just the user.

Technical breakdown

How MCP routing tampering turns a valid token into a theft path

The attack begins before any SaaS authorisation check. A malicious package or local compromise rewrites MCP endpoint definitions in files such as ~/.claude.json, then the agent sends traffic through attacker-controlled infrastructure. The OAuth bearer token remains valid, which is why the downstream service often sees normal-looking API calls. The weakness is that bearer possession proves issuance, not routing integrity. Once the endpoint path is controlled locally, the attacker can proxy, read, or replay the token without needing to break the SaaS provider’s controls.

Practical implication: monitor local MCP config drift and endpoint changes as part of identity control-plane security.

Why OAuth scopes are necessary but insufficient for AI tool calls

OAuth scopes define what a token can do in principle, but they do not decide whether a specific tool call should be allowed now. AI coding agents make repeated, cross-system calls, so standing scope creates a large abuse surface if the token is stolen. Runtime authorisation adds the missing decision point by evaluating identity context, target resource, action type, and policy state at execution time. That is the control difference between issuing credentials and governing their use.

Practical implication: pair scope design with runtime policy enforcement for every high-risk MCP-connected tool.

Why SaaS audit logs can look clean during agent token abuse

SaaS logs often show a structurally valid identity, expected scopes, and normal egress patterns, even when the initiating path was tampered with. That is because provider-side telemetry records the API action, not the local trust chain that produced it. For investigators, that means audit data is necessary but incomplete. Without endpoint lineage, package-install telemetry, and local config history, the incident can look like legitimate automation rather than token theft.

Practical implication: correlate workstation events, agent logs, and SaaS logs before concluding an API request was legitimate.

Threat narrative

Attacker objective: The attacker wants reusable SaaS access through stolen bearer tokens while keeping the activity disguised as legitimate agent execution.

1. Entry occurs when a developer installs a malicious npm package that executes during installation.
2. Credential access follows when the package rewrites local Claude Code MCP routing and captures OAuth bearer tokens sent to the attacker-controlled endpoint.
3. Impact occurs when the attacker reuses valid tokens to invoke SaaS APIs and blend stolen activity into apparently normal automation.

Breaches seen in the wild

• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
• Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Runtime authorisation, not bearer possession, is now the decisive control boundary for AI coding agents. Claude Code MCP token theft shows that a valid token can coexist with a compromised execution path. The identity event is not simply stolen secret use, but stolen secret use after the local trust chain has already been rewritten. Practitioners should treat tool-call authorisation as an execution-time control problem, not a credential-issue problem.

Endpoint routing integrity has become part of identity governance. The control gap is not limited to secret storage or scope design. If local MCP configuration can be modified by untrusted install hooks, the organisation has delegated identity trust to the workstation file system without compensating controls. Practitioners need to recognise endpoint rewriting as an identity-path compromise, not a mere developer inconvenience.

Valid OAuth scopes do not create runtime legitimacy for autonomous or agentic tool use. The same scope that is acceptable for a human-initiated workflow can be unsafe when an AI coding agent can chain calls at machine speed. That changes the governance question from “who owns the token” to “who can authorise each action at the point of use.” Practitioners should re-evaluate scope design for agent-connected services.

Claude Code MCP token theft is a policy enforcement failure disguised as a token problem. The attack succeeds because downstream services trust a credential that has already been separated from its original routing context. That is the failure mode: credential validity outlives trust in the call path. Practitioners should design for call-time validation, not just token issuance and rotation.

Ephemeral credential trust debt: AI coding environments accumulate trust assumptions faster than traditional IAM review cycles can remove them. The article shows how quickly a local configuration change can turn a short-lived action into a durable replay path. The implication is that AI agent governance must account for session-local compromise, not only standing privilege.

From our research:

• 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
• Only 44% of developers are reported to follow security best practices for secrets management, which shows how often identity hygiene depends on inconsistent human behaviour.
• For related context, see Guide to the Secret Sprawl Challenge for the lifecycle controls that reduce secret exposure before it becomes a token theft path.

What this signals

Runtime tool-call governance will become a standard control requirement for AI-assisted development. Teams that only secure token issuance will keep missing the local trust path, which is where this class of attack actually starts. The practical shift is to treat developer workstations, package execution, and MCP routing as part of the identity perimeter, not adjacent infrastructure. Pair that with the OWASP Top 10 for Agentic Applications 2026 as the agentic threat baseline.

Endpoint drift should now be monitored as an identity signal. If a configuration file can redirect MCP traffic, then the file change is not just a platform event, it is an authorisation event. That means file integrity monitoring, package-install telemetry, and policy-denied call logging need to be joined into one investigation path. The NIST AI Risk Management Framework is a useful governance anchor for that integration.

Valid token reuse will keep blurring the line between compromise and automation. The more AI coding agents become part of delivery workflows, the more teams need a named control concept for the problem. Endpoint trust debt: accumulated confidence in local routing, package execution, and token transport that is no longer justified by the actual control state. Practitioners should reduce that debt before it becomes repeatable exposure.

For practitioners

• Monitor local MCP routing integrity Baseline approved endpoint definitions in files such as ~/.claude.json and alert on any host, protocol, or URL drift. Tie file changes to the process lineage that made them so a package-install event cannot blend into normal developer activity.
• Correlate install hooks with agent tool calls Review preinstall and postinstall package execution paths in developer environments, then correlate them with subsequent MCP tool usage and SaaS API activity. If the package install and the token use line up, treat the workstation as the compromised control plane.
• Replace standing OAuth scope with runtime policy checks Put a policy decision point in front of high-risk tool calls so identity context, action type, and target resource are evaluated at execution time. Use denial rules for destructive actions and separate read-only from write paths where possible.
• Revoke credentials only after restoring routing trust If MCP routing has been tampered with, clean the local configuration and endpoint trust first, then rotate tokens and reissue credentials. Rotating inside a poisoned path only creates a fresh secret for the attacker to intercept.

Key takeaways

• Claude Code MCP token theft shows that local routing compromise can turn a valid OAuth token into a reusable access path.
• The evidence is a control-plane failure, not a simple secrets leak, because downstream SaaS logs can still look legitimate.
• Runtime authorisation, endpoint integrity monitoring, and post-compromise routing cleanup are the controls that change the outcome.

Key terms

• MCP routing integrity: The assurance that tool traffic reaches the intended endpoint without local tampering or silent redirection. In AI coding environments, routing integrity is part of the identity trust chain because the agent’s credentials are only as trustworthy as the path that carries them.
• Runtime authorisation: A decision made at the moment a tool call is executed, using identity context, policy state, and request details. It is different from credential issuance because it can block a valid token from doing something unsafe in the current session.
• Bearer token replay: Reuse of a captured token by an attacker to make authorised-looking API calls. The token may still be structurally valid, which is why replay prevention depends on path integrity, short lifetimes, and context-aware enforcement rather than token format alone.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by PermitIO: Claude Code MCP Token Theft Shows Why OAuth Tokens Need Runtime Tool-Call Authorization. Read the original.