MCP Mandates OAuth 2.1 and PKCE in June 2025 Security Overhaul as Open Challenges Remain

Apr 07, 2026
Descope

Summary

MCP's June 2025 security overhaul mandates OAuth 2.1 with PKCE, enforcing stricter authentication for remote server deployments and separating the resource server role from the authorization server. Open challenges remain around scope discovery, dynamic client registration, and token error handling over SSE connections.

Key Points

  • MCP is adopting OAuth 2.1 with mandatory PKCE to secure remote server deployments, moving away from the minimal authentication required in earlier local environments.
  • The June 2025 revision of the MCP authorization specification now mandates a clear separation between MCP servers, which act solely as resource servers, and external authorization servers, reducing complexity and aligning with enterprise identity architectures.
  • Open challenges still exist around scope discovery for agents, securing Dynamic Client Registration against impersonation, and handling token errors over persistent SSE connections, with community proposals like SEP-991 and SEP-1299 actively working to address these gaps.
