What is MCP authorization?

MCP authorization is the protocol's OAuth 2.1-based scheme for securing remote servers: the MCP server is an OAuth resource server, the client obtains a tightly scoped access token, and each token is audience-bound to one server via Resource Indicators.

MCP authorization defines how a client proves it is allowed to call a remote MCP server. The model is OAuth 2.1: the MCP server acts as a protected resource server, an authorization server (which may be a separate identity provider) issues tokens, and the client presents a bearer token in the Authorization header of every request. The spec layers several IETF RFCs to make this safe for agents that touch many systems in one session.

Protected Resource Metadata (RFC 9728) handles discovery: an unauthenticated request gets a 401 whose WWW-Authenticate header points at the server's metadata document, which names the authorization servers that may issue tokens for it. PKCE is mandatory for clients, so an intercepted authorization code cannot be exchanged by anyone else. Dynamic Client Registration lets a client onboard with an authorization server it has never seen before, without manual setup. Crucially, Resource Indicators (RFC 8707) require the client to send a resource parameter naming the target server's canonical URI in both the authorization and token requests, so the token the authorization server issues is audience-bound to that one server. The binding only holds if the server checks it: a resource server must reject any token whose audience is not itself, and that check is what stops a token issued for one MCP server from being replayed against another.

The spec also forbids token passthrough: a server must never forward the user's inbound token to an upstream API, which would make it a confused deputy spending the user's credential on a resource the user never authorized it for. Instead it must obtain its own token for the upstream through a separate flow. The result is that an agent can connect to dozens of servers, each holding a token usable only against itself, with credentials it can refresh and revoke independently.
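Here is an added worked example, written for this entry rather than taken from the MCP specification or any MCP SDK, that walks both sides of the flow described above: the client parses the 401 challenge, generates a PKCE pair and puts the resource parameter in its authorization request; the resource server validates the bearer token and, above all, checks the audience. Everything in it is assumed: the hostnames, the HMAC-signed claims blob that stands in for the authorization server's JWT so it runs offline, the scope names, and the choice to drop a bare trailing slash when canonicalising the resource URI.

```python
"""Added illustration (not MCP spec or SDK code) of audience-bound MCP bearer
tokens: client-side discovery, PKCE and the resource parameter, then the
resource server's audience check. An HMAC-signed claims blob stands in for the
authorization server's JWT so this runs offline; every URL here is made up."""
import base64, hashlib, hmac, json, os, re, time
from urllib.parse import urlencode, urlsplit, urlunsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def canonical_resource(url: str) -> str:
    """RFC 8707 canonical form as MCP uses it: lowercase scheme and host, no fragment.
    Dropping a bare "/" path is this example's choice, not a spec rule."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), "" if p.path == "/" else p.path, p.query, ""))


def parse_resource_metadata(www_authenticate: str) -> str:
    """Client step 1: the 401 challenge points at the server's metadata document (RFC 9728)."""
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    if not m:
        raise ValueError("challenge has no resource_metadata URL")
    return m.group(1)


def pkce_pair() -> tuple:
    """Client step 2: PKCE verifier plus S256 challenge; the AS recomputes this at the token endpoint."""
    verifier = b64url(os.urandom(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def authorization_url(authorize_endpoint, client_id, redirect_uri, mcp_server_url, code_challenge, state):
    """Client step 3: the resource parameter (RFC 8707) names the MCP server this token is for."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "code_challenge": code_challenge, "code_challenge_method": "S256",
              "resource": canonical_resource(mcp_server_url), "state": state}
    return authorize_endpoint + "?" + urlencode(params)


def issue_token(key: bytes, resource: str, sub: str, scope: str, ttl: int = 300, now=None) -> str:
    """Stand-in authorization server: signed claims whose aud comes from the resource parameter."""
    now = int(time.time()) if now is None else now
    claims = {"aud": canonical_resource(resource), "sub": sub, "scope": scope, "exp": now + ttl}
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    return body + "." + b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())


class TokenRejected(Exception):
    pass


def validate_bearer(token: str, key: bytes, my_resource: str, required_scope: str, now=None) -> dict:
    """Resource-server check on every request. The aud comparison is what makes a token
    minted for a different server fail here instead of being honoured."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    if not hmac.compare_digest(sig, b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())):
        raise TokenRejected("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    if claims.get("aud") != canonical_resource(my_resource):
        raise TokenRejected("audience %r is not this server" % claims.get("aud"))
    if required_scope not in claims.get("scope", "").split():
        raise TokenRejected("insufficient scope")
    return claims


def demo() -> dict:
    """Two MCP servers and an upstream API trust the same AS (same key). A token for
    server A is good only at A; forwarding it upstream (token passthrough) fails, and
    A instead obtains its own upstream-scoped token through a separate flow."""
    key, now = os.urandom(32), 1_700_000_000
    server_a, server_b, upstream = "https://mcp-a.example.com/mcp", "https://mcp-b.example.com/mcp", "https://api.example.com"
    token_a = issue_token(key, server_a, "alice", "mcp:tools", now=now)
    out = {"ok_at_a": validate_bearer(token_a, key, server_a, "mcp:tools", now=now)["sub"]}
    for name, target in (("replayed_at_b", server_b), ("passthrough_to_upstream", upstream)):
        try:
            validate_bearer(token_a, key, target, "mcp:tools", now=now)
            out[name] = "accepted"
        except TokenRejected as e:
            out[name] = str(e)
    own = issue_token(key, upstream, "mcp-a-service", "api:read", now=now)
    out["own_upstream_token_aud"] = validate_bearer(own, key, upstream, "api:read", now=now)["aud"]
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the demo output. The line that matters is the aud comparison in validate_bearer: delete it and token_a is accepted at server B and at the upstream API alike, and the resource parameter the client carefully sent has bought nothing. A real deployment does the same check against the aud claim of a JWT verified with the authorization server's published keys, or via token introspection.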