datarekha
MLOps Hard Asked at MicrosoftAsked at AnthropicAsked at Google

Why is OAuth token passthrough dangerous in an MCP server?

The short answer

Forwarding a client token intended for a downstream API erases the MCP server's own audience boundary and can create a confused deputy. The server should accept tokens intended for itself, authorize the client, and obtain a distinct downstream credential with the target audience and minimum scope.

How to think about it

Token passthrough lets one bearer credential cross several trust boundaries. Audience validation and attribution become ambiguous, and the MCP server may exercise authority the client did not intend.

Use a separate authorization relationship for the MCP server and downstream resource. Validate issuer and audience, then obtain a narrowly scoped target token through an appropriate server-side flow or token exchange.

Learn it properly MCP tool poisoning & supply-chain security

Keep practising

All MLOps questions

Explore further

Skip to content