▶ Interactive Lab

MCP + OAuth 2.1

Remote MCP server with OAuth scoped authorization.

Remote MCP servers use OAuth 2.1. Per-tool scopes; default-deny.

What you're seeing

Hosted MCP servers handling sensitive data require OAuth. The client obtains an access token carrying a set of scopes; each tool declares the scopes it requires. The server validates the token (signature, audience, expiry) and checks the scopes against the tool's requirement on every call, not once at connection time. A tool with no declared scope requirement is denied by default.

A short-lived access token (5-15 minutes) plus refresh-token rotation (each refresh token is single-use; reuse of a spent one revokes the grant) bounds the window in which a leaked token is useful.
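The server side of the two points above, as an added Python example (not the lab's own code): per-tool scope checks with default-deny on every call, and single-use refresh tokens whose replay revokes the whole token family. The tool names, scopes, shared HMAC key and resource identifier are assumptions for illustration; a real MCP server would verify tokens from its authorization server against that server's published keys rather than a shared secret.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

# Constructed example. Key, resource identifier, tools and scopes are assumptions.
SIGNING_KEY = b"lab-demo-hmac-key"          # assumption: shared HMAC key with the AS
RESOURCE = "https://mcp.example.test"       # assumption: this server's identifier (aud)
ACCESS_TTL = 10 * 60                        # 10 minutes, inside the 5-15 min range

# Per-tool scope requirements. A tool missing from this map is denied (default-deny).
TOOL_SCOPES = {
    "search_docs": {"docs:read"},
    "delete_doc": {"docs:write", "docs:delete"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_access_token(subject: str, scopes: set, now: float | None = None) -> str:
    """Issue a short-lived HS256 token in JWS compact form (what the AS would do)."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"sub": subject, "aud": RESOURCE, "scope": " ".join(sorted(scopes)),
              "iat": int(now), "exp": int(now) + ACCESS_TTL}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_access_token(token: str, now: float | None = None) -> dict:
    """Check signature, algorithm, audience and expiry. Raise PermissionError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, c, s = parts
    expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise PermissionError("bad signature")
    if json.loads(_unb64(h)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    claims = json.loads(_unb64(c))
    if claims.get("aud") != RESOURCE:
        raise PermissionError("token not issued for this MCP server")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims

def call_tool(token: str, tool: str, now: float | None = None) -> str:
    """Authorize one MCP tool call. Token and scope are re-checked on every call."""
    claims = verify_access_token(token, now)
    required = TOOL_SCOPES.get(tool)
    if required is None:
        raise PermissionError(f"unknown tool {tool!r}: default-deny")
    missing = required - set(claims["scope"].split())
    if missing:
        raise PermissionError(f"{tool} requires {sorted(missing)}")
    return f"ok: {claims['sub']} called {tool}"

class RefreshStore:
    """Single-use refresh tokens. Replaying a spent token revokes its whole family."""
    def __init__(self):
        self._live = {}    # refresh token -> (subject, scopes, family id)
        self._spent = {}   # refresh token -> family id

    def issue(self, subject: str, scopes: set, family: str | None = None) -> str:
        rt = secrets.token_urlsafe(32)
        self._live[rt] = (subject, set(scopes), family or secrets.token_hex(8))
        return rt

    def rotate(self, rt: str, now: float | None = None) -> tuple:
        """Exchange a refresh token for a new access token and a new refresh token."""
        if rt in self._spent:                       # replay: attacker or client kept the old one
            family = self._spent[rt]
            for t in [t for t, v in self._live.items() if v[2] == family]:
                del self._live[t]
            raise PermissionError("refresh token replayed; family revoked")
        entry = self._live.pop(rt, None)
        if entry is None:
            raise PermissionError("unknown or revoked refresh token")
        subject, scopes, family = entry
        self._spent[rt] = family
        # Scopes are carried over unchanged: rotation never widens the grant.
        return mint_access_token(subject, scopes, now), self.issue(subject, scopes, family)

def is_denied(action) -> bool:
    """True if calling action() raises PermissionError (used to exercise the denials)."""
    try:
        action()
        return False
    except PermissionError:
        return True
```

The scope set lives in the token and the requirement lives beside the tool, so adding a tool without adding it to `TOOL_SCOPES` fails closed, and a token minted with `docs:read` cannot reach `delete_doc` even though it verifies cleanly. The replay path in `rotate` is what turns "rotation" into a bounded compromise window: a stolen refresh token is useful exactly once, and the first party to reuse a spent one burns the grant for everyone.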

★ KEY TAKEAWAY
Hosted MCP servers use OAuth 2.1. Per-tool scopes. Short-lived tokens + refresh rotation.
▶ WHAT TO TRY
  • Click through the 7 steps from /authorize to the actual tool call.
  • The token's scope is checked on each tool call, not just at issuance.