MCP gets enterprise authorization via Stytch-Cloudflare spec

Key Takeaways

- Stytch and Cloudflare published a draft spec adding OAuth 2.1 authorization to Anthropic's Model Context Protocol
- The spec introduces granular, revocable permissions for AI agents accessing enterprise tools and data
- Cloudflare's MCP remote server offering will support the new auth layer by default

Anthropic's Model Context Protocol has a security problem. The open spec lets AI agents connect to external tools and data sources, but it shipped without enterprise-grade authorization. Anyone building production MCP deployments had to bolt on their own auth layer or accept the risk.
Stytch and Cloudflare are proposing a fix. The two companies published a draft specification that adds OAuth 2.1-based authorization to MCP, giving enterprises the access controls they need before connecting AI agents to sensitive systems.
What was missing from MCP?
MCP defines how AI agents discover and invoke tools hosted on remote servers. Think of it as a standard interface for connecting Claude, GPT, or any other model to your company's APIs, databases, and internal services. The protocol gained traction quickly after Anthropic open-sourced it in late 2024.
The gap was authentication and authorization. MCP told agents how to call tools but not how to prove they should be allowed to call them. In a prototype or personal project, that's fine. In an enterprise with compliance requirements, audit trails, and least-privilege mandates, it's a blocker.
Security teams couldn't answer basic questions: Which user authorized this agent? What permissions does it have? Can we revoke access without killing the entire integration? The spec was silent on all of these.
How the new auth spec works
The Stytch-Cloudflare proposal layers OAuth 2.1 on top of MCP. OAuth 2.1 is the latest consolidation of OAuth best practices, stripping out deprecated flows and mandating PKCE (Proof Key for Code Exchange) for public clients. It's already the standard for securing web and mobile apps.
Under the new spec, an MCP server can require that agents present access tokens before invoking tools. Those tokens carry scopes that define exactly what the agent can do. An agent might have permission to read calendar events but not create them, or query a database but only specific tables.
The spec also addresses delegation. When a user grants an AI agent access to a third-party service, the token chain preserves that relationship. Audit logs can trace actions back to the original human who authorized them.
- Token-based auth: MCP servers issue and validate OAuth 2.1 tokens
- Granular scopes: Permissions defined per-tool, per-action
- Revocation: Tokens can be invalidated without disrupting unrelated integrations
- Audit trails: Clear provenance from agent action to authorizing user
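
The four properties above, sketched as the check an MCP server would run before invoking a tool. This is an added example, not code from the draft spec, Stytch or Cloudflare; the tool names, scope strings, token values and the in-memory token store are assumptions made for illustration.

```javascript
// Added example: tool names, scopes and token values are all constructed.
// Hypothetical per-tool scope map: tool name -> scope the token must carry.
const TOOL_SCOPES = new Map([
  ["calendar.list_events", "calendar:read"],
  ["calendar.create_event", "calendar:write"],
  ["db.query_orders", "db:orders:read"],
]);

// Stand-in for the authorization server's token records (constructed).
// `sub` is the human who granted access; `client_id` is the agent acting for them.
const TOKENS = new Map([
  ["tok-agent-a", { sub: "alice@example.com", client_id: "agent-a",
                    scope: "calendar:read db:orders:read", exp: 2000, revoked: false }],
  ["tok-agent-b", { sub: "bob@example.com", client_id: "agent-b",
                    scope: "calendar:read calendar:write", exp: 2000, revoked: false }],
]);

const auditLog = [];

// Revoking one token leaves every other agent's grant untouched.
function revoke(token) {
  const rec = TOKENS.get(token);
  if (rec) rec.revoked = true;
}

// Decide whether a tool call may proceed. Every decision, allow or deny, is audited.
function authorizeToolCall(authorizationHeader, tool, now) {
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(authorizationHeader || "");
  const rec = m ? TOKENS.get(m[1]) : undefined;
  const required = TOOL_SCOPES.get(tool);
  let status = 200, reason = "ok";
  if (!rec || rec.revoked || rec.exp <= now) {
    status = 401; reason = "invalid_token";       // RFC 6750 error code
  } else if (required === undefined) {
    status = 403; reason = "unknown_tool";        // default deny; constructed code
  } else if (!rec.scope.split(" ").includes(required)) {
    status = 403; reason = "insufficient_scope";  // RFC 6750 error code
  }
  auditLog.push({ at: now, tool, status, reason,
                  user: rec ? rec.sub : null, agent: rec ? rec.client_id : null });
  return { status, reason };
}
```

A production server would validate signed tokens or call the authorization server's introspection endpoint instead of reading a local map; the order of checks (token validity, then tool lookup with default deny, then scope) carries over unchanged.
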
Why Stytch and Cloudflare?
Stytch builds authentication infrastructure. The company's platform handles login flows, session management, and identity federation for thousands of applications. Adding MCP authorization fits their core business.
Cloudflare's interest is infrastructure. The company recently launched support for hosting remote MCP servers on its edge network. Without auth, those servers would be open to any agent that knew the endpoint. That's not a product enterprise customers would buy.
Cloudflare confirmed that its MCP remote server offering will implement the new auth spec by default. Developers deploying MCP servers on Cloudflare Workers will get OAuth 2.1 protection without writing custom security code.
What this means for MCP adoption
Enterprise adoption of MCP has been slower than the hype suggested. The protocol is elegant, but security gaps scared off organizations with real data to protect. Banking, healthcare, and regulated industries couldn't touch it.
A standard auth layer changes that calculus. IT teams can evaluate MCP integrations using the same security frameworks they apply to any OAuth-protected API. Compliance becomes tractable.
The spec is still a draft. Stytch and Cloudflare published it for community feedback, and Anthropic hasn't formally adopted it into the core MCP specification. But given the obvious need, some form of standardized auth will likely become official.
Open questions remain
OAuth 2.1 solves the authorization problem, but MCP deployments will face others. How do you manage tokens across multiple agents and users at scale? What happens when an agent needs to chain calls across several MCP servers, each with its own auth requirements?
The spec doesn't prescribe token storage, rotation policies, or integration with enterprise identity providers like Okta or Azure AD. Those details will be implementation-specific, which means variance and potential compatibility headaches.
Still, a standard auth layer is better than no standard. Enterprises can build on it and add their own requirements rather than starting from scratch.
Frequently Asked Questions
What is MCP authorization?
MCP authorization refers to the security layer that controls which AI agents can access which tools and data through the Model Context Protocol. The new Stytch-Cloudflare spec proposes using OAuth 2.1 tokens with granular scopes to enforce permissions.
Does Anthropic officially support the new MCP auth spec?
Not yet. Stytch and Cloudflare published the spec as a draft proposal. Anthropic has not formally incorporated it into the core MCP specification, though adoption seems likely given enterprise demand.
How does OAuth 2.1 differ from OAuth 2.0?
OAuth 2.1 consolidates best practices from OAuth 2.0 and its extensions. It removes deprecated flows like the implicit grant, mandates PKCE for all public clients, and requires stricter redirect URI validation.
Can I use the MCP auth spec with existing identity providers?
The spec doesn't prescribe specific identity provider integrations. Implementations will need to build connections to providers like Okta, Azure AD, or Auth0 based on their requirements.
When will Cloudflare support MCP authorization?
Cloudflare stated that its MCP remote server offering will support the new auth layer by default, though specific availability dates have not been announced.
Logicity's Take
This spec matters more than it looks. MCP's potential was always constrained by the auth gap. Enterprise buyers don't evaluate protocols; they evaluate risk. By aligning MCP with OAuth 2.1, Stytch and Cloudflare are translating agentic AI into language security teams already speak. The real test will be whether Anthropic formalizes this or lets competing auth approaches fragment the ecosystem.
Source: The New Stack / Frederic Lardinois
Manaal Khan
Tech & Innovation Writer

