What is OAuth 2.1?
OAuth 2.1 is a consolidation of the OAuth 2.0 authorization framework that folds in security best practices, making PKCE mandatory and removing insecure flows, and it is the authorization standard the MCP spec adopts for remote servers.
OAuth 2.1 is not a brand-new protocol but a tidied, security-hardened restatement of OAuth 2.0. Over the years OAuth 2.0 accumulated many extensions and security advisories; OAuth 2.1 gathers the current best practices into one baseline so implementers do the safe thing by default. The headline changes: PKCE is required for all authorization-code flows (not just public clients), the implicit grant and the resource-owner password grant are removed because they leak tokens or credentials, redirect URIs must be compared exactly, and bearer tokens may no longer be passed in query strings. The result is a smaller, safer surface that closes the footguns most often exploited in OAuth 2.0 deployments.

This matters for the Model Context Protocol because its authorization spec builds on OAuth 2.1: a remote MCP server uses it so each user signs in through a standard browser consent flow and receives a short-lived, scoped access token, rather than every client hard-coding a shared secret. Combined with protected-resource metadata for discovery and Dynamic Client Registration, OAuth 2.1 is what makes per-user, revocable access to hosted MCP servers practical.
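The three server-side rules above (mandatory S256 PKCE, exact redirect URI matching, bearer tokens only in the Authorization header) as an added example in Python; this is illustrative code written for this entry, not code from the MCP project or any OAuth library, and the function names and the sample URIs are assumptions.

```python
# Added example: OAuth 2.1 checks an authorization server / resource server
# would apply. PKCE follows RFC 7636 (S256); function names are hypothetical.
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def pkce_verifier_matches(code_verifier: str, stored_challenge: str,
                          method: str = "S256") -> bool:
    """Token endpoint: recompute the challenge stored with the authorization
    code and compare in constant time. OAuth 2.1 keeps only S256, so the
    'plain' method (and any other) is refused."""
    if method != "S256" or not (43 <= len(code_verifier) <= 128):
        return False
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    recomputed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return hmac.compare_digest(recomputed, stored_challenge)


def redirect_uri_allowed(requested: str, registered: List[str]) -> bool:
    """Exact string comparison against the registered list: no prefix,
    wildcard or case-insensitive matching, which is where open-redirect
    style code theft in OAuth 2.0 deployments usually started."""
    return requested in registered


def extract_bearer_token(headers: dict, request_uri: str) -> Optional[str]:
    """Resource server (e.g. a hosted MCP endpoint): take the token only from
    the Authorization header. A token in the query string is rejected rather
    than honoured, since it would end up in logs, referrers and history."""
    if "access_token" in parse_qs(urlsplit(request_uri).query):
        return None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()
```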