MCP Authorization Boundary Review Agent
Source-backed specialist agent for reviewing remote MCP authorization boundaries, protected resource metadata, resource indicators, token audience validation, token passthrough risk, and least-privilege scopes.
by JSONbored · added 2026-06-05
Harness: Claude Code
Review first — review before installing
Open the source and read safety notes before installing.
Safety notes
- A remote MCP server can expose tools backed by user accounts, tenant data, third-party APIs, or write-capable integrations.
- Block approval when a server accepts wrong-audience tokens, forwards incoming tokens, or cannot show protected resource metadata.
Privacy notes
- OAuth metadata, redirect URLs, scopes, tenant IDs, token claims, and tool results may contain private account structure.
- Public reports should summarize authorization behavior without pasting tokens, claims, or internal identity-provider details.
Prerequisites
- Remote MCP server URL, intended client, and expected authorization model.
- Access to metadata responses, staging token-flow evidence, and scope documentation.
- Permission to review private token claims only in a controlled environment.
Schema details
- Install type: copy
- Troubleshooting: No
Full copyable content
## Content
This agent is meant for reviewers who need to decide whether a remote MCP server
is safe to connect to a real account. It focuses on the authorization boundary,
not the product pitch. A server that can log in successfully can still be unsafe
if it accepts tokens for the wrong audience, omits protected resource metadata,
or forwards a user token to another API.
## Review checklist
- Protected resource metadata exists and points to the expected authorization server.
- The client uses the MCP server URI as the OAuth resource indicator.
- Wrong-audience tokens are rejected.
- Incoming bearer tokens are not forwarded to downstream APIs.
- Scopes are documented and can be restricted for read-only use.
- 401 and 403 errors do not leak tokens or private claims.
- Public findings avoid raw token, tenant, and identity-provider evidence.
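
The metadata, resource-indicator and audience items in the checklist can be checked offline against evidence captured in staging. The Python below is an added example, not part of the original agent content; the function names, URLs, issuer and scope values are constructed placeholders, and it assumes the token claims were already signature-verified and decoded in a controlled environment.

```python
"""Offline review helper: checks constructed evidence, makes no network calls."""
from urllib.parse import urlsplit


def canonical(uri: str) -> str:
    """Normalize a resource URI: lowercase scheme and host, no trailing slash."""
    p = urlsplit(uri)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def review_boundary(server_uri, expected_issuer, metadata, auth_request, claims):
    """Return a list of findings; an empty list means these checks passed."""
    findings = []
    target = canonical(server_uri)

    # RFC 9728: "resource" must identify this server, and
    # "authorization_servers" must list the issuer the reviewer expects.
    if canonical(metadata.get("resource", "")) != target:
        findings.append("metadata.resource does not match the MCP server URI")
    if expected_issuer not in metadata.get("authorization_servers", []):
        findings.append("expected authorization server is not listed in metadata")

    # RFC 8707: the client names the MCP server as the resource indicator.
    if canonical(auth_request.get("resource", "")) != target:
        findings.append("client did not send the MCP server URI as resource")

    # The token must come from that issuer and be minted for this audience;
    # "aud" may be a single string or a list.
    if claims.get("iss") != expected_issuer:
        findings.append("token issuer is not the expected authorization server")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if target not in {canonical(a) for a in aud}:
        findings.append("token audience does not include the MCP server URI")
    return findings


# Constructed sample evidence (placeholders, not from a real deployment).
SERVER = "https://mcp.example.com/mcp"
ISSUER = "https://auth.example.com"
METADATA = {"resource": "https://mcp.example.com/mcp",
            "authorization_servers": ["https://auth.example.com"]}
AUTH_REQUEST = {"resource": "https://mcp.example.com/mcp", "scope": "files:read"}
GOOD = {"iss": ISSUER, "aud": "https://mcp.example.com/mcp", "scope": "files:read"}
WRONG_AUD = {"iss": ISSUER, "aud": ["https://api.example.com"], "scope": "files:read"}

if __name__ == "__main__":
    print(review_boundary(SERVER, ISSUER, METADATA, AUTH_REQUEST, GOOD))
    print(review_boundary(SERVER, ISSUER, METADATA, AUTH_REQUEST, WRONG_AUD))
```

A token that produces the audience finding here should also be rejected by the server itself in staging; if the server accepts it, that is the blocking condition named in the safety notes.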
## References
- MCP authorization specification - https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
- OAuth Resource Indicators - https://www.rfc-editor.org/rfc/rfc8707
- OAuth Protected Resource Metadata - https://www.rfc-editor.org/rfc/rfc9728