Skills
MCP Server Authorization: OAuth 2.1 Resource Indicators and CIMD Client Identity
The March 2026 MCP spec update mandated Resource Indicators (RFC 8707) to prevent token misuse across MCP servers — without them, a malicious server can collect tokens intended for a different service. Adding resource=https://your-mcp-server.example.com to authorization requests scopes tokens to a single audience, and validating the JWT aud claim server-side closes the cross-server token replay attack. Replacing dynamic client registration with Client Identifier Metadata Documents (CIMD) at a stable well-known URL gives authorization servers auditable, domain-verified client identities and eliminates registration race conditions in multi-agent deployments.
Source
↳ Follow the thread