MCP Authorization Conformance
Why this page exists. MCP makes tool connection easy. Enterprises need the missing authorization proof: which agent was delegated, which resource the token was minted for, which scopes were granted, and whether the tool call stayed inside the workflow.
The product bet
SecurityRecipes is positioned as the secure context layer for agentic AI. Context trust, egress controls, and run receipts are not enough if MCP authorization is loose. A production reviewer will ask:
- Is the token bound to the MCP resource, not a generic upstream API?
- Does the MCP server validate audience, issuer, expiry, and scope?
- Are raw user tokens ever passed through to downstream tools?
- Is the scope tied to workflow, namespace, access mode, agent, and run?
- Was the OAuth client ID metadata document validated for this client?
- Did the client satisfy an authoritative
WWW-Authenticatescope challenge? - Is a typed step-up authorization receipt present for approval-required access?
- Can the gateway prove consent, session binding, and audit correlation?
- Which new MCP servers fail before promotion?
The MCP Authorization Conformance pack answers those questions in a machine-readable artifact and exposes a runtime evaluator for pre-call authorization decisions.
What was added
- Source profile:
data/assurance/mcp-authorization-conformance-profile.json - Generator:
- Evidence pack:
data/evidence/mcp-authorization-conformance-pack.json - Runtime evaluator:
- MCP tools:
recipes_mcp_authorization_conformance_packand
Regenerate and validate the pack:
Evaluate a runtime authorization request:
Decision model
| Decision | Meaning |
|---|---|
allow_authorized_mcp_request |
The request is bound to the expected MCP resource and stays inside the connector and workflow scope. |
hold_for_authorization_evidence |
The connector or candidate server still needs authorization metadata, gateway evidence, or conformance controls. |
hold_for_client_metadata_evidence |
The remote MCP request lacks a validated HTTPS OAuth client ID metadata document that matches client_id. |
hold_for_step_up_authorization |
Approval-required MCP access lacks a typed step-up authorization receipt. |
deny_token_passthrough |
The request would pass raw user or upstream tokens through the agent/tool path. |
deny_unbound_token |
The token is missing the expected resource indicator or audience binding. |
deny_scope_challenge_mismatch |
The token scopes do not satisfy the authoritative MCP scope challenge for the resource. |
deny_scope_drift |
The workflow, namespace, connector, or access mode is outside the approved authorization scope. |
kill_session_on_secret_or_signer_scope |
The request includes credential, signer, deploy, publish, or live-funds authority. |
What the pack proves
The generated pack joins:
- the MCP connector trust pack,
- the MCP connector intake pack,
- the workflow control plane,
- the gateway policy pack,
- and the authorization conformance profile.
For production connector namespaces, it records the gateway attestation controls that must exist: per-client consent, short-lived workload identity, token-passthrough denial, audit, session binding, and write or approval controls where applicable.
For the latest MCP authorization revision, it also records the metadata evidence a production gateway should retain: protected-resource metadata discovery, authorization-server discovery, client ID metadata document validation, resource indicator and audience values, JWKS or introspection validation, redirect policy, scope challenge policy, and step-up authorization policy.
For candidate MCP servers, it evaluates the detailed intake profile for resource indicators, audience validation, PKCE, short-lived tokens, client ID metadata documents, scope challenge handling, step-up authorization, private-network exposure, token passthrough, session binding, and audit evidence before promotion.
Industry alignment
This feature follows current primary guidance:
- Model Context Protocol Authorization for protected-resource metadata discovery, OAuth client ID metadata documents, resource indicators, audience-bound bearer tokens, HTTPS, PKCE, scope challenges, step-up authorization, and token validation.
- MCP Security Best Practices for confused-deputy prevention, token-passthrough avoidance, SSRF, session safety, scope minimization, and audit trails.
- OWASP Top 10 for Agentic Applications 2026 for tool misuse, identity abuse, agentic supply-chain risk, context poisoning, cascading failures, and rogue-agent containment.
- CISA AI Data Security for provenance, integrity, access control, monitoring, third-party data handling, and incident evidence.
- NIST AI RMF and the NIST Generative AI Profile for governed, mapped, measured, and managed AI risk.
Trusted-source path
The open pack is the proof model. The reviewed production opportunity is a hosted MCP authorization scanner:
- discover live protected-resource and authorization-server metadata,
- validate OAuth client ID metadata documents,
- diff resource indicators, audiences, scopes, and redirect policy,
- alert on scope challenge drift and token-passthrough regressions,
- enforce step-up authorization receipts for approval-required calls,
- replay confused-deputy and unbound-token tests,
- attach signed authorization receipts to agent run receipts,
- export fleet-wide evidence for AI platform review and procurement.
That is the path from open knowledge to a production MCP security platform that a model provider, AI platform vendor, or security company would understand.
MCP examples
Inspect the overall pack:
recipes_mcp_authorization_conformance_pack()
Review one connector:
recipes_mcp_authorization_conformance_pack(
connector_id="repository-contents"
)
Evaluate one runtime request:
See also
- MCP Connector Intake Scanner for pre-promotion MCP server review.
- MCP Connector Trust Registry for namespace tiers and connector evidence.
- MCP Gateway Policy Pack for default-deny tool access decisions.
- Agentic Run Receipts for run-level proof objects that can carry authorization evidence.