Why did the MCP spec mark OAuth 2.1 authorization as optional, and what risk does this create?
Optional OAuth made sense for local stdio servers with no network surface, but it let remote HTTP servers ship unauthenticated, exposing open endpoints to anyone who finds the URL.
Think of a vending machine inside your locked house versus one on a public sidewalk. The one inside your house needs no coin slot, only people you let in can reach it, so a lock would just be annoying. The MCP spec said the same thing about local tool servers: they run as a child process on your own machine, so no login is needed. The problem is the sidewalk machine. When you put the same server on the public internet with a web address, anyone who learns the address can walk up and use it. Because the rule said a login was optional, many builders skipped it for their public servers too, and ended up leaving the door wide open.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: split auth by transport, why stdio needs none, the OAuth 2.1 flow for remote (metadata + PKCE + resource indicators), and the optional footgun.
| Concern | Local stdio server | Remote HTTP server |
|---|---|---|
| Network surface | None, pipes to parent host | Public URL, anyone can reach it |
| Who can connect | Only the spawning host process | Any client that has the address |
| Auth model | Inherits host env and credentials | OAuth 2.1 with PKCE, scoped token |
| Token scoping | Not applicable | Resource indicators bind token to one server |
| OAuth required | No, optional is correct | Yes, mandatory in practice |
Real products, models, and research that use this idea.
- Claude Code and Claude Desktop spawn stdio servers as subprocesses, so those servers inherit the host's own credentials with no OAuth step.
- Anthropic's 2025 Streamable HTTP spec revision defined the OAuth 2.1 flow with PKCE and resource indicators for remote MCP servers.
- The 2025 OWASP MCP Top 10 catalogued unauthenticated remote endpoints as a recurring real-world deployment failure.
What an interviewer would ask next. Try answering before peeking at the approach.
QWhat do resource indicators add over a plain OAuth bearer token?
QWhy does the spec require PKCE rather than a plain authorization code grant?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming optional OAuth means MCP is insecure by design. The local case genuinely needs no auth; the gap is remote servers skipping it.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.