Token passthrough is the practice of forwarding an authentication token through intermediaries instead of validating it at each trust boundary. In MCP this is prohibited because it prevents the server from proving who is actually authorised to act. The result is weaker accountability and a larger attack surface for stolen or replayed credentials.
Expanded Definition
Token passthrough is not just a transport choice, it is an authorization design decision. In NHI and MCP environments, a token should be validated at each trust boundary so the receiving system can confirm issuer, audience, scope, expiry, and the identity actually acting on the request. When an intermediary simply forwards a token, it may preserve convenience, but it also weakens attribution and makes delegated access harder to govern. That is why the MCP security discussion now treats passthrough as a pattern to avoid, while broader identity guidance such as NIST Cybersecurity Framework 2.0 still expects organisations to verify and constrain access at each control point.
Definitions vary across vendors when the token is used for delegation, proxying, or backend-to-backend exchange, but the operational rule is consistent: if the recipient cannot prove who is truly authorised, the trust model is too loose. Token passthrough is often confused with federation, yet federation exchanges trust through a bounded mechanism, while passthrough reuses the same credential across layers. The most common misapplication is forwarding a user or agent token through multiple services when the downstream service is expected to make its own authorization decision but never receives a fresh, auditable identity assertion.
Examples and Use Cases
Implementing token handling rigorously often introduces latency and integration overhead, requiring organisations to weigh simpler plumbing against stronger accountability and narrower blast radius.
- A developer platform forwards the same oauth token from a chat agent to a file service and then to a ticketing API. A secure design would exchange that token for a downstream-scoped credential instead of passing it through unchanged.
- An MCP server receives a user token through an intermediary agent. If the server only sees the intermediary, not the actual user context, it cannot enforce proper authorization or logging. Guidance in the Salesloft OAuth token breach shows how stolen tokens become especially dangerous when they are accepted too broadly.
- A workflow engine uses token exchange at each hop, minting a short-lived token for each backend. This adds design complexity, but it sharply reduces replay risk and helps contain compromise.
- Secret sprawl becomes more likely when teams store passthrough tokens in logs or config files, a pattern consistent with the Guide to the Secret Sprawl Challenge and with modern secret handling guidance from the NIST Cybersecurity Framework 2.0.
- An AI agent is allowed to call multiple tools using one inherited token. If the token is reused across services, a compromise in one tool can silently become access to every connected system.
Why It Matters in NHI Security
Token passthrough matters because NHIs fail differently from humans. Service credentials are often copied into automation layers, reused across apps, or left active long after the original trust context has disappeared. In the 2025 State of NHIs and Secrets in Cybersecurity from Entro Security, 44% of NHI tokens were reported exposed in the wild, showing how quickly a forwarding pattern can turn into a propagation problem. That exposure risk is amplified when tokens are accepted without revalidation, because incident responders lose the ability to separate legitimate delegation from stolen replay.
For governance, token passthrough is a direct challenge to Zero Trust Architecture and to NHI controls that depend on explicit authentication, scoped authorization, and revocation. It also complicates detection, since logs may show the intermediary instead of the true actor. The safest response is to replace passthrough with token exchange, short-lived credentials, or authenticated service identity, depending on the architecture. Teams that study JetBrains GitHub plugin token exposure and Dropbox Sign breach examples see the same pattern: once a token escapes its intended boundary, the design assumption has already failed. Organisations typically encounter token passthrough as a root cause only after a stolen credential or agent abuse event forces them to trace access they can no longer confidently attribute.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses improper secret handling and token exposure across NHI workflows. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires explicit policy enforcement instead of inherited trust. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed and constrained for each identity and resource. |
Replace passthrough with scoped, short-lived credentials and validate at every trust boundary.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
