MCP authentication and authorisation: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: MCP’s move to OAuth 2.1, PKCE, metadata discovery, and dynamic client registration gives AI-native tools a more standardised way to authenticate and authorise access, but it also exposes implementation burden around token handling, delegation, and server-side identity infrastructure, according to WorkOS. The deeper issue is that protocol standardisation does not remove the governance gap between model-driven action and review-based identity controls.

NHIMG editorial — based on content published by WorkOS: Introduction to MCP authentication


Questions worth separating out

Q: How should security teams handle trust assumptions when using MCP authentication?

A: Treat MCP as a delegated access model, not a simple login wrapper.

Q: Why do MCP servers create new identity governance challenges for IAM teams?

A: Because the server often becomes part of the authorisation path, not just the application path.

Q: When does API key authentication become too risky for MCP workloads?

A: API keys become risky when they are reused across tasks, shared across environments, or attached to servers that can reach sensitive systems.

Practitioner guidance

  • Classify each MCP server as an identity control point: Document whether the server is acting as a tool endpoint, a delegated authorisation layer, or a mixed trust boundary.
  • Separate API-key use from user-consented delegation: Use static keys only for tightly bounded service-to-service access and reserve OAuth device flow or equivalent user-consented patterns for user-scoped actions.
  • Require explicit tool scoping for every MCP deployment: Define which tools, data sources, and actions are available to each client or session, then review that mapping during change control.

What's in the full article

WorkOS's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step OAuth 2.1 flow diagrams for MCP client, server, and identity provider interactions.
  • Configuration patterns for metadata discovery, dynamic client registration, and PKCE enforcement.
  • Implementation guidance for user-level device flow versus server-level API key authentication.
  • The spec-level discussion of where MCP servers must still issue their own access tokens.

👉 Read WorkOS's guide to MCP authentication and authorisation patterns →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

OAuth standardisation does not solve the governance problem if the server still becomes the identity choke point. MCP can make auth flows cleaner, but cleaner flows are not the same as lower governance burden. When the server must still issue its own scoped token, validate upstream sessions, and preserve auditability, the identity control plane shifts rather than disappears. The implication is that teams should treat MCP servers as governed access intermediaries, not as simple integration endpoints.

A few things that frame the scale:

  • 53% of MCP servers expose credentials through hard-coded values in configuration files, according to The State of MCP Server Security 2025.
  • Only 30.9% of organisations store long-term credentials directly in code, which shows that hardcoded secret exposure is not confined to AI-native protocols.

A question worth separating out:

Q: What should teams do when an MCP server must rely on a third-party identity provider?

A: Define the server’s role in the delegation chain before deployment. If the server still issues its own access token after upstream validation, that intermediate step needs logging, scope controls, and revocation handling. Teams should not assume the external provider removes the server’s governance burden, because the MCP server still remains an identity boundary.

👉 Read our full editorial: MCP authentication shows where AI agent identity breaks down
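The intermediate token step described in the answer above, as an added example (not code from WorkOS, NHIMG or the MCP specification): a server that mints its own short-lived token only after upstream validation, narrows scope to a per-client tool allowlist, logs every decision, and supports revocation. The names `TOOL_POLICY`, `issue_token`, `authorise` and `revoke` are hypothetical, the upstream claims are assumed to be already verified against the identity provider, and the HMAC-signed token stands in for whatever signed token format a real deployment uses.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # demo signing key (constructed)
TOOL_POLICY = {"client-a": {"tickets.read", "tickets.comment"}}  # hypothetical allowlist
REVOKED, AUDIT_LOG = set(), []         # revoked token ids; append-only audit trail

def _sign(body: str) -> str:
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(upstream: dict, client_id: str, requested: set, now=None, ttl=300) -> str:
    """Mint the server's own token from already-validated upstream claims."""
    now = int(time.time()) if now is None else now
    # Grant only what was requested AND allowed for this client AND consented upstream.
    granted = requested & TOOL_POLICY.get(client_id, set()) & set(upstream.get("scope", []))
    if upstream.get("exp", 0) <= now or not granted:
        AUDIT_LOG.append({"event": "deny", "client": client_id, "sub": upstream.get("sub")})
        raise PermissionError("upstream session expired or no permitted scope")
    # The server token never outlives the upstream session it was derived from.
    claims = {"sub": upstream["sub"], "cid": client_id, "scope": sorted(granted),
              "jti": secrets.token_hex(8), "exp": min(now + ttl, upstream["exp"])}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    AUDIT_LOG.append({"event": "issue", **claims})
    return f"{body}.{_sign(body)}"

def read_claims(token: str):
    """Return the claims if the signature verifies, else None."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def authorise(token: str, tool: str, now=None) -> bool:
    """Per-call check: signature, expiry, revocation, then tool scope."""
    now = int(time.time()) if now is None else now
    claims = read_claims(token)
    ok = bool(claims) and claims["exp"] > now and claims["jti"] not in REVOKED \
        and tool in claims["scope"]
    AUDIT_LOG.append({"event": "use", "tool": tool, "allowed": ok,
                      "jti": claims["jti"] if claims else None})
    return ok

def revoke(jti: str) -> None:
    REVOKED.add(jti)
    AUDIT_LOG.append({"event": "revoke", "jti": jti})
```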



   