What is a resource indicator?

A resource indicator (RFC 8707) is an OAuth `resource` parameter that names the exact API a token is meant for, binding the token's audience so it cannot be replayed against a different service. MCP requires it.

A resource indicator is the value of the `resource` parameter defined in RFC 8707, Resource Indicators for OAuth 2.0. When a client requests a token, it includes one or more resource indicators, typically the canonical URI of the target server, telling the authorization server exactly which audience the resulting token is for. The authorization server then stamps that audience into the token (and may down-scope its permissions accordingly). The receiving resource server checks that it is the named audience and rejects tokens minted for anyone else. This directly fixes the confused-deputy problem in classic OAuth, where a token issued for a low-value API could be silently accepted by a high-value one.

MCP's authorization spec makes resource indicators mandatory: clients MUST include the `resource` parameter in both the authorization request and the token request, and it MUST identify the MCP server the client intends to call. For an agent that opens connections to many servers in a single session, this guarantees each connection's token is usable only against its own server, so a leak or a malicious server cannot turn one credential into access everywhere.
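An added example (not from the original page or from any MCP implementation) of the flow described above: the client sends `resource` in the token request, a toy authorization server stamps it into the token's audience, and the resource server rejects tokens minted for another server. It assumes JWT-format access tokens with an `aud` claim and a constructed shared HMAC key; the function names and the example.com URIs are hypothetical.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for the AS signing key

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    mac = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())

def token_request_body(code: str, client_id: str, resource: str) -> str:
    """Client: the token request repeats the `resource` sent in the authorization request."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "resource": resource})

def mint_token(subject: str, resource: str) -> str:
    """Toy authorization server: stamps the requested resource into `aud`."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": subject, "aud": resource}).encode())
    return f"{header}.{claims}.{_sign(header + '.' + claims)}"

def accept_token(token: str, own_uri: str) -> bool:
    """Resource server: verify the signature, then require that `aud` names this server."""
    try:
        header, claims, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(f"{header}.{claims}")):
            return False
        aud = json.loads(_unb64(claims)).get("aud")
    except (ValueError, TypeError, AttributeError):
        return False  # malformed token: fail closed
    # `aud` may be a single string or a list of strings (RFC 7519)
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    return own_uri in audiences

if __name__ == "__main__":
    notes = "https://notes.example.com/mcp"      # constructed server URIs
    billing = "https://billing.example.com/mcp"
    print(token_request_body("demo-code", "demo-client", notes))
    token = mint_token("agent-1", notes)
    print("notes server accepts:  ", accept_token(token, notes))
    print("billing server accepts:", accept_token(token, billing))
```

The audience check is the only validation shown; expiry, issuer and scope checks are left out to keep the example on the `resource` binding.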