Why is OAuth token passthrough dangerous in an MCP server?
The short answer
Forwarding a client token intended for a downstream API erases the MCP server's own audience boundary and can create a confused deputy. The server should accept tokens intended for itself, authorize the client, and obtain a distinct downstream credential with the target audience and minimum scope.
How to think about it
Token passthrough lets one bearer credential cross several trust boundaries. Audience validation and attribution become ambiguous, and the MCP server may exercise authority the client did not intend.
Use a separate authorization relationship for the MCP server and downstream resource. Validate issuer and audience, then obtain a narrowly scoped target token through an appropriate server-side flow or token exchange.