A local stdio MCP server has no auth token. Is that a security hole?
No security hole. Local stdio servers inherit the user's OS permissions, so MCP-layer auth is redundant. Remote streamable HTTP servers need OAuth 2.1 with PKCE because the trust boundary moves to the network.
Imagine you hire a helper to work inside your apartment. You unlocked the door and let them in, so they can already reach anything you can reach. Asking them to also show an ID badge at the kitchen door would not make your apartment safer. A local MCP server is that helper already inside your home. Now imagine the helper works from a different building over the phone. You need a way to confirm it is really them on the line, because anyone could pick up the phone. That phone verification is the auth layer: OAuth for human users, tokens for automated services.
Detailed answer & concept explanation~6 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
3 min: stdio trust boundary is the OS account, no MCP auth needed. Remote streamable HTTP trust boundary is the network, OAuth 2.1 with PKCE for user-facing servers, bearer for services. Never ship a remote server without auth. Token stays out of the model context.
Real products, models, and research that use this idea.
- Claude Desktop running a local filesystem MCP server with no auth: trust is the macOS or Windows user account, which is exactly the right model for a local subprocess.
- The hosted GitHub MCP server uses OAuth 2.1 with PKCE. The user authorizes 'GitHub MCP' in a browser, scoped tokens are issued, and the host attaches them on every call.
- A backend batch-processing service calls an internal MCP server with a bearer token in the Authorization header, no user in the loop, scoped to the least privilege needed.
What an interviewer would ask next. Try answering before peeking at the approach.
QWhy does the MCP spec require OAuth 2.1 with PKCE specifically for user-facing remote servers?
QWhy should the access token never appear in the model's context window?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Adding OAuth to a local stdio server. The OS account already gates everything the server can do; OAuth on top is wasted ceremony. The reverse mistake is worse: shipping a remote server with no auth at all.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.