TL;DR: OAuth 2.1 removes the implicit and password grants, requires PKCE for all authorization code flows, and tightens redirect URI matching while encouraging refresh token rotation, according to Descope. Those changes matter because delegated access for AI agents and MCP servers still depends on assumptions about stable, reviewable sessions that modern attack paths routinely break.
At a glance
What this is: This is Descope’s analysis of OAuth 2.1 and how its security-focused changes affect delegated access patterns, especially for AI agents and MCP servers.
Why it matters: It matters because IAM, NHI, and emerging agentic AI programmes all rely on delegated authorisation that becomes safer only when token handling, redirect handling, and lifecycle controls are tightened.
By the numbers:
- OAuth 2.0, introduced in 2012, remains the most widely used version today.
👉 Read Descope's analysis of OAuth 2.1 changes for AI agents and MCP
Context
OAuth 2.1 is a security-focused revision of delegated authorisation, designed to remove legacy flows that made token handling easier to misconfigure. For identity teams, the key issue is not whether OAuth still works, but whether current implementations still depend on assumptions that no longer hold for modern application, NHI, and AI agent access patterns.
The article is especially relevant where AI agents use OAuth to reach tools through MCP servers. In that model, the protocol is not just an app integration detail. It becomes the control plane for scoped, reviewable access, which means token replay, redirect handling, and grant choice all have direct governance impact.
Key questions
Q: How should security teams migrate from OAuth 2.0 to OAuth 2.1 without breaking integrations?
A: Start by inventorying grant types, redirect URIs, and refresh token handling across all clients. Move high-risk apps first to authorisation code flow with PKCE, remove implicit and password grants, and test exact-match redirect registration in lower environments before production cutover.
Q: Why do AI agents and MCP servers increase the importance of OAuth hardening?
A: AI agents depend on delegated access to tools and data, so weak OAuth choices directly become tool-use risk. If token scope, redirect handling, or refresh behaviour is loose, the agent can obtain broader or longer-lived access than the task justifies.
Q: What do security teams get wrong about refresh token rotation?
A: Teams often treat refresh rotation as a token hygiene setting instead of a replay-control measure. The point is to make stolen refresh tokens single-use, reduce the window for abuse, and create a clear invalidation signal when replay occurs.
Q: Who is accountable when OAuth flows are used in AI agent access paths?
A: Accountability sits with the team that designs and approves the delegation model, not just the application developer. IAM, security architecture, and platform owners should define scopes, redirect policy, and renewal rules before agents are allowed to operate at runtime.
Technical breakdown
PKCE and code interception risk
Proof Key for Code Exchange, or PKCE, binds the authorisation request to the token exchange so an intercepted code is not enough on its own. OAuth 2.1 makes PKCE mandatory for the authorisation code flow, which removes the old split between public and confidential clients. That matters because browser apps, mobile apps, and AI-agent-driven clients all share the same interception risk once an authorisation code can be stolen in transit or via malicious scripts.
Practical implication: treat PKCE as a baseline control for every client that uses the authorisation code flow.
Redirect URI matching and token leakage
OAuth 2.0 implementations often allowed flexible redirect URI matching, which created room for open redirect abuse and token theft. OAuth 2.1 tightens this to exact string matching, forcing every permitted redirect to be pre-registered. This reduces ambiguity at the handoff point where the authorisation server returns control to the client, which is one of the easiest places for attackers to redirect tokens into the wrong application path.
Practical implication: inventory every redirect URI and eliminate wildcard-based matching before migration.
Refresh token rotation in delegated access
Refresh tokens extend sessions without forcing a fresh user login, but they also become high-value replay targets if reused after theft. OAuth 2.1 strongly encourages rotation, where each refresh token is single-use and replaced on every request. That pattern limits the lifetime of a stolen token and gives defenders a way to invalidate replay attempts immediately, which is especially important in long-lived integrations and agentic workflows.
Practical implication: move long-lived integrations to rotating refresh tokens with short-lived access tokens.
Threat narrative
Attacker objective: The attacker aims to turn delegated authorisation into durable access without ever needing the user’s password.
- Entry occurs when an attacker exploits weak OAuth implementation choices such as flexible redirect URI handling or a token intercepted during an authorisation flow.
- Escalation follows when a stolen or replayed token is used to continue access without reauthentication, especially where refresh tokens are not rotated.
- Impact is unauthorised delegated access to downstream applications, tool interfaces, or data stores that trust the OAuth session.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
OAuth 2.1 is best understood as a control hardening exercise, not a protocol reinvention. The article shows a standards shift from optional security behaviour to enforced defaults, which is exactly where identity governance gets more reliable. PKCE, exact redirect matching, and refresh token rotation do not change the purpose of delegated access, but they do reduce the number of ways organisations can misconfigure it. For practitioners, the real question is whether current auth architectures still depend on implementation discretion that should no longer be tolerated.
AI agent access makes OAuth decisions more operationally sensitive, not less. When an agent reaches tools through MCP, the authorisation layer becomes the boundary between scoped delegation and uncontrolled tool use. That means the security question is not just who signed in, but what the token can reach, how long it can live, and whether the session can be replayed. The implication is that IAM teams must evaluate OAuth in agent workflows as a runtime access governance problem, not a login feature.
Exact redirect URI matching is a small syntactic change with a large governance effect. Flexible matching assumes the client path is trustworthy enough to tolerate convenience. That assumption fails when redirects can be manipulated to route tokens into hostile endpoints or unintended apps. The practical conclusion is that teams should treat redirect registration as an entitlement boundary, not a developer convenience setting.
Refresh token rotation exposes the difference between short-lived access and long-lived trust. OAuth 2.1’s preference for rotation makes replay more expensive for attackers, but it also surfaces where organisations have let session continuity stand in for ongoing authorisation review. For identity programmes, that is a useful warning: access that can be renewed indefinitely without reassessment is still standing privilege in disguise.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- The control problem is moving faster than governance, so practitioners should pair OAuth hardening with the identity boundaries described in OWASP Agentic Applications Top 10.
What this signals
Ephemeral authorisation does not remove identity governance debt. OAuth 2.1 improves the mechanics of delegated access, but it does not answer the harder question of whether the right actor should still have the right scope at the moment of use. As AI agents become normalised, teams will need to treat token lifecycle and approval boundaries as first-class governance artefacts, not implementation details.
The adoption curve for agentic systems means OAuth posture will become a board-level identity question, not just a developer one. With 98% of companies planning to deploy more AI agents, the organisations that standardise PKCE, exact redirect policy, and token rotation now will have fewer retrofit surprises later.
Delegated access drift: when a token outlives the decision that created it, the organisation has converted a consent event into standing trust. That is the signal practitioners should watch for across IAM, NHI, and agent governance programmes.
For practitioners
- Audit OAuth grant types in production Identify every application still using implicit or password grant flows and map them to authorisation code plus PKCE migration paths. Prioritise internet-facing apps, mobile clients, and any integration that feeds AI agents or MCP servers.
- Lock down redirect URI registration Replace wildcard and substring redirect matching with exact pre-registered URIs, and test for open redirect abuse in every client registration workflow. Treat redirect drift as a security defect, not a cosmetic configuration issue.
- Rotate refresh tokens by default Enforce single-use refresh tokens with short access-token lifetimes, and invalidate replayed tokens immediately. Where possible, add sender constraints so a stolen token is useless outside the original client context.
- Review agent and MCP authorisation paths Trace how AI agents obtain consent, which scopes they request, and whether the resulting access is broader than the task requires. If the token can call multiple tools, document the approval boundary and reduce scope before deployment.
Key takeaways
- OAuth 2.1 reduces common delegated-access failure modes by making PKCE mandatory, tightening redirect matching, and encouraging refresh token rotation.
- AI agent and MCP use cases make OAuth weaknesses operational, because token scope and renewal rules now determine what autonomous or semi-autonomous software can reach.
- Practitioners should treat migration as a governance project, with grant-type cleanup, redirect inventory, and replay-resistant token handling as the immediate priorities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | OAuth delegated access underpins AI agent tool use and token abuse risk. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Refresh rotation and token handling are core non-human identity governance issues. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Exact redirect matching and scoped access align with continuous access restriction. |
Review token lifecycle controls and eliminate replayable NHI credentials wherever possible.
Key terms
- Authorization Code Flow With PKCE: An OAuth flow that exchanges an authorization code for tokens while binding the exchange to a client-generated verifier. It reduces interception risk because a stolen code is not enough without the matching verifier, which matters for browsers, mobile apps, and agent-driven clients.
- Refresh Token Rotation: A token handling pattern where each refresh token is used once and then replaced. If a token is replayed, it can be invalidated immediately. This turns token theft from a durable access event into a shorter-lived incident with clearer containment signals.
- Exact Redirect URI Matching: A validation rule that requires the authorization server to accept only pre-registered redirect URIs with no wildcard or substring flexibility. It closes a common abuse path where attackers manipulate the return location to intercept tokens or redirect users into malicious flows.
- MCP Authorization Path: The sequence by which an AI agent obtains delegated permission to use tools through a Model Context Protocol server. In practice, this path becomes a governance boundary, because scope choice, token lifetime, and consent prompts determine what the agent can actually do.
What's in the full article
Descope's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step migration considerations for teams still using implicit or password grant flows
- Detailed comparison of OAuth 2.0 and 2.1 behaviour across SPAs, mobile apps, and API-first integrations
- Implementation guidance for refresh token rotation and exact redirect URI registration
- Why the author recommends OAuth over API keys for agentic workflows on MCP servers
👉 Descope's full post covers the migration checklist, flow-by-flow differences, and MCP auth guidance.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org