Your MCP Server Is a Resource Server Now. Act Like It.

Security Boulevard, Apr 9, 2026

Why It Matters

Without granular identity checks, AI agents can operate with unchecked privileges, risking data leaks and compliance failures; the resource‑server model restores fine‑grained control and traceability.

Key Takeaways

  • MCP spec now mandates OAuth 2.0 resource server behavior.
  • 43% of MCP servers have OAuth implementation flaws.
  • Short‑lived, tool‑scoped tokens limit the blast radius of a leaked token.
  • OPA policies and git‑managed config provide auditable access control.

Pulse Analysis

The recent MCP spec update aligns the protocol with modern OAuth 2.0 resource‑server patterns, a shift that reflects broader industry pressure to treat AI‑driven agents like any other client. By publishing a `/.well-known/oauth-protected-resource` document, an MCP server announces which authorization servers it trusts, which scopes it supports, and the resource identifier that a token's audience must match, mirroring OpenID Connect discovery. This change forces developers to move beyond static API keys, which present every user's request with the same credential, toward dynamic token issuance bound to a user, an audience, and a scope; that binding is what mitigates the “confused‑deputy” problem, where a service account silently acts on behalf of whichever user happens to be driving it. As enterprises integrate generative AI into workflows, the need for verifiable delegation chains becomes a compliance imperative.

Implementing the new model involves three core components:

  • an authorization server (Keycloak or Maverics) that authenticates the user and issues the initial token;
  • an identity gateway that validates inbound tokens, runs Open Policy Agent (OPA) policies, and performs RFC 8693 token exchange to mint a delegated token for the specific tool call;
  • the downstream MCP services, which accept only tokens whose `aud` names their own resource identifier and whose scope covers the tool being invoked.

Short‑lived, tool‑scoped tokens (often five seconds) drastically reduce the blast radius of any token leakage: a stolen token is good for one tool on one server for a few seconds, not for the user's whole session. OPA policies codify fine‑grained access rules that live in Git for peer review and auditability. The gateway's delegation token embeds both the original user (`sub`) and the acting service (the `act.sub` claim defined by RFC 8693), enabling precise reconstruction of who accessed what, when, and through which AI agent.
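The end‑to‑end flow described in the two paragraphs above (the protected‑resource metadata document, the gateway's RFC 8693 exchange that mints a five‑second tool‑scoped delegation token carrying `sub` and `act.sub`, and the MCP server's audience and scope checks) is shown below as an added example. It is not code from the article, from Strata, or from the MCP project. It uses only the Python standard library; HS256 with a shared secret stands in for the authorization server's signing key, a small `POLICY` dict stands in for the OPA policy, and every URL, scope name, group name, and agent identifier is an assumption made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# All identifiers below are assumptions for this example, not values from the article.
SIGNING_KEY = b"demo-shared-secret"               # stands in for the AS signing key / JWKS
AS_ISSUER = "https://as.example.com"              # authorization server (e.g. Keycloak)
GATEWAY_AUDIENCE = "https://gateway.example.com"  # identity gateway's own resource id
MCP_AUDIENCE = "https://mcp.example.com"          # this MCP server's resource id
TOOL_SCOPES = {"tool:read_ticket", "tool:close_ticket"}
DELEGATED_TTL = 5                                 # seconds: the short-lived token the article describes

# Stand-in for the OPA policy: which user groups may be issued which tool scope.
POLICY = {"tool:read_ticket": {"support", "support-lead"},
          "tool:close_ticket": {"support-lead"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT; a real AS signs with an asymmetric key published via JWKS."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, audience: str, now: float) -> dict:
    """Resource-server checks: signature, issuer, audience, expiry. Raises on failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != AS_ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != audience:
        raise PermissionError("token not meant for this resource")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims


def protected_resource_metadata() -> dict:
    """Body of /.well-known/oauth-protected-resource (RFC 9728) for the MCP server."""
    return {"resource": MCP_AUDIENCE,
            "authorization_servers": [AS_ISSUER],
            "scopes_supported": sorted(TOOL_SCOPES),
            "bearer_methods_supported": ["header"]}


def gateway_token_exchange(subject_token: str, tool: str, agent_id: str, now: float) -> str:
    """Gateway side of RFC 8693: validate the user's token, consult policy, then mint a
    5-second, single-tool delegation token naming the user (sub) and the agent (act.sub)."""
    user = verify_jwt(subject_token, GATEWAY_AUDIENCE, now)
    if tool not in TOOL_SCOPES or not POLICY[tool] & set(user.get("groups", [])):
        raise PermissionError(f"policy denies {user['sub']} -> {tool}")
    return sign_jwt({"iss": AS_ISSUER, "sub": user["sub"], "aud": MCP_AUDIENCE,
                     "scope": tool, "act": {"sub": agent_id},
                     "iat": int(now), "exp": int(now) + DELEGATED_TTL})


def mcp_server_call_tool(token: str, tool: str, now: float) -> str:
    """MCP server side: enforce audience and scope, then return the audit line."""
    claims = verify_jwt(token, MCP_AUDIENCE, now)
    if tool not in claims.get("scope", "").split():
        raise PermissionError(f"scope {claims.get('scope')!r} does not cover {tool}")
    return f"{tool} by {claims['sub']} via {claims['act']['sub']} at {claims['iat']}"


def is_denied(fn, *args) -> bool:
    """True when the call is rejected with PermissionError (used by the demo below)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    now = time.time()
    # Constructed user token, as the AS would issue it to the gateway for user "alice".
    user_token = sign_jwt({"iss": AS_ISSUER, "sub": "alice", "aud": GATEWAY_AUDIENCE,
                           "groups": ["support"], "exp": int(now) + 3600})
    print(json.dumps(protected_resource_metadata(), indent=2))
    delegated = gateway_token_exchange(user_token, "tool:read_ticket", "agent-42", now)
    print(mcp_server_call_tool(delegated, "tool:read_ticket", now))
    print("user token accepted by MCP server directly:", not is_denied(mcp_server_call_tool, user_token, "tool:read_ticket", now))
    print("delegated token usable after 5 s:", not is_denied(mcp_server_call_tool, delegated, "tool:read_ticket", now + 5))
```

The two rejections at the end are the practitioner's checks: the user's original token is refused by the MCP server because its `aud` is the gateway, not the MCP resource, and the delegated token stops working once its five seconds elapse. The `act` claim with a nested `sub` is the RFC 8693 shape for "who is acting on whose behalf", which is what lets the audit line name both the user and the agent.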

For organizations, the practical payoff is twofold. First, the architecture provides a clear audit trail that satisfies regulators demanding end‑to‑end visibility into AI‑initiated actions. Second, it restores the principle of least privilege across legacy systems that were never designed for autonomous agents. Adoption challenges include retrofitting existing MCP endpoints to validate JWTs (signature, issuer, audience, expiry, and scope) and integrating OPA policy evaluation into CI/CD pipelines, but the open‑source Strata example demonstrates a repeatable Docker Compose setup. Looking ahead, extensions such as step‑up authentication, identity continuity across IdP failovers, and real‑time observability dashboards will further harden AI‑agent ecosystems while preserving developer agility.
