MCP Protected Resource Metadata Verification Guide
Practical guide for checking MCP protected resource metadata, authorization server discovery, resource indicators, token audience binding, and 401 challenge behavior before trusting a remote MCP server.
Open the source and read safety notes before installing.
Safety notes
- Never send a production user token to an MCP server until the resource metadata and token audience have been verified.
- Treat token passthrough, missing resource indicators, or acceptance of tokens issued for another resource as release-blocking.
- Do not paste bearer tokens into prompts, PR comments, issue comments, screenshots, or public logs while debugging MCP auth.
Privacy notes
- Authorization metadata can reveal tenant URLs, identity providers, scopes, client registration behavior, and internal endpoint names.
- Verification traces may include redirect URLs, state parameters, token claims, account IDs, or workspace identifiers; redact them before public sharing.
Prerequisites
- Remote MCP server URL and expected canonical resource URI.
- OAuth authorization server metadata or discovery endpoint.
- Test account or staging credentials approved for metadata and token-flow checks.
- Ability to inspect HTTP 401 responses, WWW-Authenticate headers, and token request parameters.
Schema details
- Install type: copy
- Troubleshooting: No
- Estimated setup: 30 minutes
- Difficulty: advanced
Full copyable content
Use this guide when reviewing a remote MCP server that asks Claude, Cursor, or another client to authenticate through OAuth.
About this resource
What to verify
The MCP authorization specification applies to HTTP-based transports: the MCP server acts as an OAuth 2.1 resource server, and authorization happens at the transport layer rather than inside MCP protocol messages. The important review point is not just whether a login flow appears. The server must advertise protected resource metadata (RFC 9728), direct clients to the right authorization server, require the client to send a resource indicator (RFC 8707) naming the MCP server, and validate that presented access tokens were issued for that MCP server rather than for some other resource.
Review workflow
- Start unauthenticated and capture the server 401 Unauthorized response.
- Confirm the WWW-Authenticate challenge points to protected resource metadata for the MCP server.
- Fetch the protected resource metadata document and record the authorization_servers value.
- Fetch authorization server metadata from the advertised authorization server.
- Check whether the client sends the MCP server URI as the OAuth resource parameter during authorization and token requests.
- Inspect a staging token only in a private environment. The audience or equivalent resource binding should match the MCP server, not a generic API or another downstream service.
- Test a wrong-audience token. The MCP server should reject it instead of accepting or forwarding it.
- Test insufficient scopes. The server should return an authorization error, not expose partial tool results.
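The discovery half of this workflow (steps 1 through 5) can be rehearsed offline before any token is involved. The following is an added example written for this guide, not code from the MCP project or from any client: it parses a 401 challenge, validates the protected resource metadata against the canonical server URI, validates the advertised authorization server's metadata, and builds an authorization request that carries the resource indicator. The server URL, the challenge header and both metadata documents are constructed fixtures; replace them with responses captured from the server under review.

```python
"""Offline walk-through of the MCP authorization discovery chain.

Added example for this guide; it is not code from the MCP project or from
any client. The server URL, the 401 challenge and both metadata documents
are constructed fixtures; replace them with responses captured from the
server under review.
"""
import json
import re
from urllib.parse import urlencode, urlsplit

# Constructed canonical resource URI of the MCP server under review.
CANONICAL_RESOURCE = "https://mcp.example.com/mcp"

# Constructed WWW-Authenticate value from the server's unauthenticated 401.
WWW_AUTHENTICATE = (
    'Bearer resource_metadata='
    '"https://mcp.example.com/.well-known/oauth-protected-resource/mcp", '
    'scope="mcp:tools"'
)

# Constructed RFC 9728 protected resource metadata document.
PRM_DOC = json.dumps({
    "resource": "https://mcp.example.com/mcp",
    "authorization_servers": ["https://auth.example.com"],
    "scopes_supported": ["mcp:tools", "mcp:resources"],
    "bearer_methods_supported": ["header"],
})

# Constructed authorization server metadata document.
AS_DOC = json.dumps({
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/authorize",
    "token_endpoint": "https://auth.example.com/token",
})

_AUTH_PARAM = re.compile(r'(\w+)="([^"]*)"')


def _load(doc):
    """Accept raw JSON text or an already parsed document."""
    return json.loads(doc) if isinstance(doc, str) else doc


def parse_challenge(header):
    """Split a Bearer challenge into its quoted auth-params."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(_AUTH_PARAM.findall(rest))


def check_resource_metadata(doc, expected_resource):
    """Return (authorization_servers, problems) for a PRM document."""
    doc, problems = _load(doc), []
    if doc.get("resource") != expected_resource:
        problems.append(f"metadata resource {doc.get('resource')!r} "
                        f"!= canonical {expected_resource!r}")
    servers = doc.get("authorization_servers") or []
    if not servers:
        problems.append("no authorization_servers advertised")
    if "query" in doc.get("bearer_methods_supported", []):
        problems.append("server advertises bearer tokens in the query string")
    return servers, problems


def check_as_metadata(doc, expected_issuer):
    """Return (metadata, problems) for an authorization server document."""
    doc, problems = _load(doc), []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint"):
        if key not in doc:
            problems.append(f"authorization server metadata lacks {key}")
    return doc, problems


def build_authorization_url(as_doc, client_id, redirect_uri, scope, state,
                            resource=CANONICAL_RESOURCE):
    """Authorization request carrying the RFC 8707 resource indicator."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "resource": resource}  # the MCP server URI, nothing broader
    return f"{_load(as_doc)['authorization_endpoint']}?{urlencode(params)}"


def review(canonical, challenge_header, prm_doc, as_doc):
    """Run the discovery chain end to end; an empty list means no findings."""
    findings = []
    metadata_url = parse_challenge(challenge_header).get("resource_metadata")
    if not metadata_url:
        findings.append("401 challenge carries no resource_metadata parameter")
    elif urlsplit(metadata_url).netloc != urlsplit(canonical).netloc:
        findings.append(f"resource_metadata points off-host: {metadata_url}")
    servers, problems = check_resource_metadata(prm_doc, canonical)
    findings.extend(problems)
    if servers:
        findings.extend(check_as_metadata(as_doc, servers[0])[1])
    return findings


if __name__ == "__main__":
    print(review(CANONICAL_RESOURCE, WWW_AUTHENTICATE, PRM_DOC, AS_DOC) or "no findings")
    print(build_authorization_url(AS_DOC, "client-123",
                                  "http://localhost:8080/callback", "mcp:tools", "s3cr3t"))
```

The same `resource` value must also appear in the token request; capture both requests from the client and confirm the parameter is present in each and equals the canonical URI, not a broader API base URL.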
Red flags
- The server accepts bearer tokens in query strings.
- The server accepts tokens issued for another service.
- The metadata document has no authorization server or a surprising identity provider.
- The client never sends the resource parameter.
- A proxy MCP server forwards the incoming token directly to a downstream API.
- Error messages echo tokens, claims, or identity-provider responses.
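The first, second, fourth and last red flags above are all decided inside the server's bearer-token gate. The following added example, written for this guide and not taken from any MCP server or the MCP project, shows what that gate should do: refuse tokens in the query string, pin the signing algorithm, verify the signature, reject a token whose audience is another service, answer missing scope with 403 insufficient_scope, and keep the token out of every error it returns. To run offline it plays both issuer and resource server with an HS256 shared secret; a real MCP server verifies RS256/ES256 signatures against the authorization server's JWKS. The key, URLs, clock and claim sets are constructed fixtures.

```python
"""Resource-server token checks behind the red flags above.

Added example for this guide, not code from any MCP server or the MCP
project. It uses an HS256 shared secret so it runs offline; a real server
verifies RS256/ES256 signatures against the authorization server's JWKS.
Keys, URLs, clock and claims are constructed fixtures.
"""
import base64
import hashlib
import hmac
import json

CANONICAL_RESOURCE = "https://mcp.example.com/mcp"   # constructed
ISSUER = "https://auth.example.com"                   # constructed
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"    # constructed
REQUIRED_SCOPE = "mcp:tools"
NOW = 1_700_000_000  # fixed clock so the walk-through is deterministic


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=SIGNING_KEY):
    """Test-only issuer: HS256-sign a claim set (stand-in for the real AS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class AuthError(Exception):
    """Carries the status and RFC 6750 error code, never the token itself."""

    def __init__(self, status, error, description):
        super().__init__(description)
        self.status, self.error, self.description = status, error, description

    def challenge(self):
        if self.error is None:
            return 'Bearer realm="mcp"'
        return f'Bearer error="{self.error}", error_description="{self.description}"'


def validate_token(token, key=SIGNING_KEY, now=NOW):
    """Return verified claims for a token bound to this MCP server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError(401, "invalid_token", "malformed token")
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
        presented = _b64url_decode(sig)
    except (ValueError, TypeError):
        raise AuthError(401, "invalid_token", "undecodable token") from None
    if header.get("alg") != "HS256":  # pin the algorithm; never honour "none"
        raise AuthError(401, "invalid_token", "unexpected signing algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        raise AuthError(401, "invalid_token", "signature verification failed")
    if claims.get("iss") != ISSUER:
        raise AuthError(401, "invalid_token", "unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise AuthError(401, "invalid_token", "token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CANONICAL_RESOURCE not in audiences:
        # A token minted for some other API is rejected, never used or forwarded.
        raise AuthError(401, "invalid_token", "token not issued for this MCP server")
    if REQUIRED_SCOPE not in set(claims.get("scope", "").split()):
        raise AuthError(403, "insufficient_scope", f"scope {REQUIRED_SCOPE} required")
    return claims


def handle_request(headers, query, now=NOW):
    """Model the auth gate: returns (status, error_code, challenge_or_claims)."""
    try:
        if "access_token" in query:
            raise AuthError(400, "invalid_request",
                            "bearer tokens are accepted only in the Authorization header")
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            raise AuthError(401, None, "authentication required")
        return 200, None, validate_token(token, now=now)
    except AuthError as err:
        return err.status, err.error, err.challenge()


# Constructed claim sets for the walk-through.
GOOD = {"iss": ISSUER, "aud": CANONICAL_RESOURCE, "scope": "mcp:tools", "exp": NOW + 600}
WRONG_AUD = dict(GOOD, aud="https://api.example.com")
NO_SCOPE = dict(GOOD, scope="mcp:resources")

if __name__ == "__main__":
    cases = [("good", {"Authorization": "Bearer " + mint_token(GOOD)}, {}),
             ("wrong audience", {"Authorization": "Bearer " + mint_token(WRONG_AUD)}, {}),
             ("insufficient scope", {"Authorization": "Bearer " + mint_token(NO_SCOPE)}, {}),
             ("token in query", {}, {"access_token": mint_token(GOOD)})]
    for label, hdrs, qs in cases:
        print(label, handle_request(hdrs, qs)[:2])
```

When reviewing a real server, send the same four requests and compare: a wrong-audience token that yields 200 or a downstream call, a scope-less token that yields partial tool output, or an error body that contains the token string are each release-blocking.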
Reviewer output
A useful review should include:
- MCP server URL and canonical resource URI reviewed.
- Metadata endpoints checked and whether they matched expectations.
- Authorization server used and whether discovery worked.
- Resource indicator evidence from authorization and token requests.
- Token audience validation result, including wrong-audience rejection.
- Scope behavior and least-privilege recommendation.
- Final decision: safe to connect, connect with limitations, or block.
References
- MCP authorization specification - https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
- OAuth 2.0 Resource Indicators - https://www.rfc-editor.org/rfc/rfc8707
- OAuth 2.0 Protected Resource Metadata - https://www.rfc-editor.org/rfc/rfc9728