
OAuth and Open Finance Patterns for Model Context Protocol Security

Lukasz Radosz

OAuth and Open Finance already solved this—let’s plug MCP into the same architecture.

I just finished Aaron Parecki’s “Let’s Fix OAuth in MCP” and couldn’t agree more:

  • Keep the roles clean. The MCP server is a Resource Server; token minting and consent belong in a separate Authorization Server.
  • Advertise endpoints once. Use the new OAuth Protected Resource Metadata (RFC 9728) instead of OIDC discovery to decouple AS and RS.
  • Gate Dynamic Client Registration. Open-banking & CDR showed that accreditation + software statements stop drive-by registrations and keep the audit trail.
  • Issue audience-restricted and client-bound tokens. Zero-trust for AI agents, no “super-tokens” that leak into legacy APIs.

Open-finance, FAPI 2.0, and CDR already solved many puzzles agentic AI is about to hit—no need to reinvent the wheel.
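As an added illustration of the first, second and fourth points (example code written for this page, not from the post or from Aaron Parecki’s proposal), here is the Resource Server side in Python: the MCP server publishes RFC 9728 metadata that points at a separate Authorization Server, and rejects any bearer token whose audience is not this server. The two URLs, the `mcp:tools` scope and the HS256 key are assumptions; a real Resource Server verifies the AS’s asymmetric signature via its JWKS.

```python
import base64, hashlib, hmac, json, time

# Assumed identifiers for this example (not from the post or the MCP spec).
RESOURCE = "https://mcp.example.com"    # the MCP server, acting only as Resource Server
AUTH_SERVER = "https://as.example.com"  # the separate Authorization Server that mints tokens
SECRET = b"constructed-demo-key"        # constructed HS256 key; a real RS uses the AS's JWKS
# WWW-Authenticate value sent with a 401 so clients can discover the metadata (RFC 9728).
CHALLENGE = f'Bearer resource_metadata="{RESOURCE}/.well-known/oauth-protected-resource"'

def protected_resource_metadata() -> dict:
    """RFC 9728 document the RS serves at /.well-known/oauth-protected-resource;
    clients learn the AS from it, so the RS never has to act as an OIDC issuer."""
    return {
        "resource": RESOURCE,
        "authorization_servers": [AUTH_SERVER],
        "bearer_methods_supported": ["header"],
        "scopes_supported": ["mcp:tools"],
    }

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = SECRET) -> str:  # stand-in for the AS
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, now=None, key: bytes = SECRET) -> tuple:
    """RS-side check: signature, expiry, issuer, and audience bound to this resource."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "expired"
    if claims.get("iss") != AUTH_SERVER:
        return False, "wrong issuer"
    aud = claims.get("aud", [])
    if RESOURCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"  # a token minted for another API is rejected here
    return True, "ok"
```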

Read Aaron’s piece: Let's fix OAuth in MCP

Take a look and support the proposed changes in the draft version of the MCP specification.