<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>AuthPlane Blog</title>
    <link>https://authplane.ai/blog/</link>
    <atom:link href="https://authplane.ai/blog/rss.xml" rel="self" type="application/rss+xml" />
    <description>Engineering notes from the AuthPlane team: the MCP authorization spec, DPoP, the Token Vault, and release news.</description>
    <language>en</language>
    <lastBuildDate>Sat, 21 Mar 2026 00:00:00 GMT</lastBuildDate>
    <item>
      <title>Cross-App Access: Why Enterprise MCP Needs IdP-Mediated Authorization</title>
      <link>https://authplane.ai/blog/cross-app-access-enterprise-mcp-authorization/</link>
      <guid isPermaLink="true">https://authplane.ai/blog/cross-app-access-enterprise-mcp-authorization/</guid>
      <pubDate>Sat, 21 Mar 2026 00:00:00 GMT</pubDate>
      <description>XAA (Cross-App Access) puts the enterprise IdP in the loop for every agent-to-tool connection. Here&apos;s how ID-JAG (Identity Assertion JWT Authorization Grant) works, why it matters, and how AuthPlane implements it.</description>
      <category>SPEC</category>
    </item>
    <item>
      <title>OAuth 2.1 + PKCE Is the Only Right Way to Secure MCP</title>
      <link>https://authplane.ai/blog/why-mcp-needs-oauth-21-pkce/</link>
      <guid isPermaLink="true">https://authplane.ai/blog/why-mcp-needs-oauth-21-pkce/</guid>
      <pubDate>Wed, 04 Mar 2026 00:00:00 GMT</pubDate>
      <description>The MCP authorization spec mandates OAuth 2.1 with PKCE for a reason. Here&apos;s exactly why every alternative falls apart.</description>
      <category>SPEC</category>
    </item>
    <item>
      <title>What We Saw When Teams Shipped MCP Without Auth</title>
      <link>https://authplane.ai/blog/what-happens-without-mcp-auth/</link>
      <guid isPermaLink="true">https://authplane.ai/blog/what-happens-without-mcp-auth/</guid>
      <pubDate>Sun, 01 Mar 2026 00:00:00 GMT</pubDate>
      <description>Four real attack patterns observed in unprotected MCP deployments: token replay, log scraping, scope escalation, and zero audit trail.</description>
      <category>SECURITY</category>
    </item>
    <item>
      <title>Reading RFC 9728</title>
      <link>https://authplane.ai/blog/reading-rfc-9728-protected-resource-metadata/</link>
      <guid isPermaLink="true">https://authplane.ai/blog/reading-rfc-9728-protected-resource-metadata/</guid>
      <pubDate>Thu, 26 Feb 2026 00:00:00 GMT</pubDate>
      <description>Protected Resource Metadata is how MCP agents discover authorization servers. Here is the full walkthrough of the spec and how AuthPlane implements it.</description>
      <category>SPEC</category>
    </item>
  </channel>
</rss>
