New Authorization Specification Extends Model Context Protocol to Agentic AI Systems

As agentic AI systems – where large language models (LLMs) power autonomous, goal-driven agents – rapidly transition from experimental prototypes

Agentic AI systems, where large language models (LLMs) power autonomous, goal-driven agents, are rapidly transitioning from experimental prototypes to production-ready services. These agents read databases, trigger API calls, write to software-as-a-service (SaaS) platforms, and stitch together workflows across systems that weren't necessarily designed to coordinate. A fundamental question arises as these systems evolve: how should identity and access be handled when no human is in the loop?

Initially introduced by Anthropic, the Model Context Protocol (MCP) aims to be the lingua franca for agentic interoperability, providing a standardized interface for agents to interact with external tools, prompts, and resources. However, as agent actions become more powerful, and potentially dangerous, robust, flexible, and secure access control becomes essential.

The recently released MCP Authorization Specification proposes an essential first step: standardizing how clients obtain authorization to access protected MCP resources using OAuth 2.1 and PKCE (Proof Key for Code Exchange).

This post unpacks what the spec introduces, why PKCE was chosen, how the flow works, and why authentication remains a critical missing piece, especially in non-human entity interactions.

Why Agentic AI Needs a New Authorization Model

In traditional web architectures, authorization typically involves browser-based login flows, session cookies, or OAuth tokens issued after a human clicks "Authorize." Agentic AI systems present unique authorization challenges because they make autonomous API calls driven by LLMs, without direct user involvement.

These agents interpret prompts and programmatically plan tasks, necessitating strong API security measures. Typically long-lived, stateless, and dynamic, these agents operate without user oversight for access approval or execution guidance.

This change creates some challenges:

The MCP authorization specification attempts to impose structure on one part of this problem: how should an MCP client discover and obtain authorization to access protected resources?

Goals of the MCP Authorization Specification

The spec introduces a consistent, standards-based authorization workflow for MCP clients. Its goals are to:

What's in a PRM Document?

A PRM document is a JSON-based resource returned by an MCP server when access is denied. It typically includes: