Engineering notes, in the open
Cross-App Access: Why Enterprise MCP Needs IdP-Mediated Authorization
XAA (Cross-App Access) puts the enterprise IdP in the loop for every agent-to-tool connection. Here's how ID-JAG works, why it matters, and how AuthPlane implements it.
OAuth 2.1 + PKCE Is the Only Right Way to Secure MCP
The MCP authorization spec mandates OAuth 2.1 with mandatory PKCE for a reason. Here's exactly why every alternative falls apart.
What We Saw When Teams Shipped MCP Without Auth
Four real attack patterns observed in unprotected MCP deployments: token replay, log scraping, scope escalation, and zero audit trail.
Reading RFC 9728
Protected Resource Metadata is how MCP agents discover authorization servers. Here is the full walkthrough of the spec and how AuthPlane implements it.