Securing MCP servers
When connecting artificial intelligence (AI) agents to external tools with the Model Context Protocol (MCP), you should ensure that each MCP server enforces sufficient authentication and authorization. Following security best practices helps protect sensitive data, prevent unauthorized access, and maintain trust in agentic workflows.
With MCP, the same modularity and flexibility that enables interoperability between agents and tools also carries considerable security risks. Developers face the following challenges when building secure MCP servers and tools:
- Overly permissive access tokens: Static or long-lived tokens can grant overly broad access to all tools. If these tokens are compromised, they could allow unrestricted access to tools. To prevent this, use scoped, short-lived tokens or OAuth 2.0 flows with refresh mechanisms to limit exposure.
- Insufficient authorization checks: Authentication alone isn’t enough. MCP servers must enforce fine-grained authorization to ensure clients only access capabilities they have permissions for. To adhere to least-privilege principles, apply access policies on a per-tool and per-action basis.
- Potentially unsafe tools: Registered tools can introduce vulnerabilities if not properly vetted. Limit tool registration to trusted sources and consider capability restrictions to mitigate risk.
The role of OAuth 2.0
OAuth 2.0 plays a pivotal role in securing MCP servers by providing a standardized framework for authentication and authorization. By leveraging OAuth 2.0, MCP servers can ensure that only authorized clients access tools, resources, and prompts.
Authorization server architecture
There are different ways to implement OAuth 2.0 with MCP, depending on the architecture and responsibilities of each component:
- Native authorization server
  The MCP server can act as an OAuth 2.0 authorization server, directly handling:
  - Authorization code issuance.
  - Token generation and refresh.
  - Scope-based access control.
  This approach gives the MCP server full control over security and the token lifecycle, but it requires deeper infrastructure and policy management.
- Proxy to external authorization server
  The MCP server exposes standard OAuth 2.0 endpoints (/authorize, /token) but proxies requests to an external authorization server, such as PingOne Advanced Identity Cloud. This architecture enables:
  - Seamless integration with existing identity providers.
  - Delegation of token issuance and verification.
  - Use of familiar login and consent mechanisms.
- Agent redirected to external authorization server
  The MCP server doesn’t directly expose OAuth 2.0 endpoints. Instead, it:
  - Instructs the client agent to begin the OAuth 2.0 flow with an external authorization server.
  - Relies on the client agent to manage tokens and present them back to the MCP server.
  This architecture minimizes operational burden for the MCP server by entrusting the agent with token security and refresh logic.
Authorization server requirements
When deploying an MCP server for AI agents, your choice of authorization server is critical to ensuring secure client onboarding, token issuance, and delegated access. The authorization server should support the following:
- Authorization Code Flow: This flow ensures that AI agents acting as confidential clients can securely exchange authorization codes for tokens, reducing the risk of token exposure when compared to implicit flows. This flow provides a secure foundation for agent-user interactions.
  Learn more about the Authorization code grant in the Advanced Identity Cloud documentation.
- Proof Key for Code Exchange (PKCE): PKCE is important for public clients, such as AI agents running in browsers or on user devices, that can’t safely store a client secret. By requiring a dynamically generated code verifier and challenge, PKCE mitigates code interception attacks during the Authorization Code Flow.
  Learn more about the Authorization code grant with PKCE in the Advanced Identity Cloud documentation.
- Dynamic Client Registration (DCR): DCR enables new AI agents to onboard without manual administrative intervention. This is critical in environments where agents are created dynamically or updated frequently. DCR enables automatic provisioning of credentials and redirect URIs in a standardized, secure way.
  Learn more about Dynamic client registration in the Advanced Identity Cloud documentation.
- Fine-grained scopes and claims: Your authorization server should allow granular token scopes and claims to ensure tokens issued to AI agents follow the principle of least privilege. For example, one agent might require the prices:read scope, while another requires the orders:write scope. Narrow scopes reduce the negative impact if a token is exposed or misused.
  Learn more about Scopes in the Advanced Identity Cloud documentation.
- Token introspection and UserInfo endpoints: Downstream services integrated with the MCP server often need to validate tokens before serving requests. Introspection and UserInfo endpoints allow the MCP server to verify token status, audience, and claims, ensuring that expired, revoked, or mis-scoped tokens are rejected.
  You can find information about OAuth 2.0 endpoints supported by Advanced Identity Cloud in OAuth 2.0 endpoints in the Advanced Identity Cloud documentation.
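As an added example (not code from this page or from Advanced Identity Cloud), the following Python sketches both ends of the PKCE binding described above: the agent derives an S256 challenge from a random verifier, and a hypothetical minimal authorization server refuses to redeem the authorization code unless the matching verifier is presented. The in-memory code store, client identifiers and token shape are assumptions.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional

# Hypothetical in-memory state for a minimal authorization server (example only):
# maps each issued authorization code to the client and code_challenge it was bound to.
_pending_codes: Dict[str, dict] = {}


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: random verifier of 43-128 unreserved characters (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_authorization_code(client_id: str, code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint side: bind the challenge to the code before redirecting the agent."""
    if method != "S256":
        # A downgrade to the 'plain' method is refused; only the hashed transform is accepted.
        raise ValueError("unsupported code_challenge_method")
    code = secrets.token_urlsafe(32)
    _pending_codes[code] = {"client_id": client_id, "challenge": code_challenge}
    return code


def exchange_code(code: str, client_id: str, code_verifier: str) -> Optional[dict]:
    """Token endpoint side: the code is single use and only redeemed with the matching verifier."""
    record = _pending_codes.pop(code, None)  # pop first so a failed attempt also burns the code
    if record is None or record["client_id"] != client_id:
        return None
    if not 43 <= len(code_verifier) <= 128:
        return None
    if not secrets.compare_digest(make_code_challenge(code_verifier), record["challenge"]):
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}
```

An intercepted authorization code is useless to a party that does not hold the verifier, which is the property PKCE adds for agents that cannot keep a client secret.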
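Added example, not from this page or the product, of the per-tool, least-privilege check described above: an MCP server validates an RFC 7662 token introspection response (active flag, expiry, audience) and then compares the granted scopes against what the requested tool needs. The tool names, the audience value and the sample introspection response are constructed; prices:read and orders:write are the scopes the text uses.

```python
import time
from typing import Dict, Optional, Set, Tuple

# Constructed policy: which scopes each registered tool requires (tool names are hypothetical).
TOOL_SCOPES: Dict[str, Set[str]] = {
    "get_prices": {"prices:read"},
    "place_order": {"orders:write", "prices:read"},
}

# Placeholder identifier for this MCP server; tokens minted for another resource are rejected.
MCP_AUDIENCE = "https://mcp.example.invalid"

# Constructed introspection response of the kind an authorization server returns (RFC 7662).
SAMPLE_INTROSPECTION = {
    "active": True,
    "scope": "prices:read",
    "aud": MCP_AUDIENCE,
    "exp": 2_000_000_000,
    "sub": "agent-42",
}


def granted_scopes(resp: dict, now: Optional[float] = None) -> Optional[Set[str]]:
    """Return the scopes of a usable token, or None if it is inactive, expired or for another audience."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        return None
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    aud = resp.get("aud")
    audiences = {aud} if isinstance(aud, str) else set(aud or [])
    if MCP_AUDIENCE not in audiences:
        return None
    return set(resp.get("scope", "").split())


def authorize_tool_call(tool: str, resp: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Per-tool least-privilege check: deny unknown tools and tokens lacking any required scope."""
    required = TOOL_SCOPES.get(tool)
    if required is None:
        return False, "tool not registered: " + tool  # fail closed on unregistered tools
    granted = granted_scopes(resp, now)
    if granted is None:
        return False, "token inactive, expired, or issued for another audience"
    missing = required - granted
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "ok"
```

Run the check once per tool call rather than once per session, so a token revoked mid-conversation stops working at the next introspection.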