Episode 2 • 18:42 • Wykeve Freeman
OAuth 2.1 for MCP Servers
Security implementation patterns. How to secure your MCP server with OAuth 2.1 + RFC 8707 resource indicators.
Episode Summary
Security is critical for MCP deployments, yet most implementations still rely on long-lived bearer tokens. This episode walks through VoidCat RDC's OAuth 2.1 + RFC 8707 implementation, described by the host as the first production-grade security layer for MCP servers.
We cover:
- Why bearer tokens fail: Token exfiltration, scope creep, and audit challenges
- OAuth 2.1 core patterns: PKCE flows, short-lived tokens, and refresh rotation
- RFC 8707 resource indicators: Precise scope binding and cross-service token prevention
- Implementation walkthrough: Authorization server setup, token validation, and scope enforcement
- Real results: Measured security improvements from VoidCat's production deployment
Key Topics
Security
OAuth 2.1
RFC 8707
MCP Servers
Resources Mentioned
- Full Implementation Guide: MCP Security with OAuth 2.1
- OAuth 2.1 Specification (IETF Draft)
- RFC 8707: Resource Indicators for OAuth 2.0
- RFC 7636: PKCE (Proof Key for Code Exchange)
Code Samples
All code examples from this episode are available in the companion blog post, including:
- PKCE flow implementation (Python)
- JWT validation with resource claims
- Scope mapping and enforcement patterns
- Production deployment checklist
About the Host
Wykeve Freeman is the founder of VoidCat RDC, building MCP-native agentic AI systems with a focus on security, observability, and production-grade deployment. VoidCat is the first to achieve OAuth 2.1 + RFC 8707 compliance for MCP production infrastructure. Connect on GitHub or via email.