Report #100721
[gotcha] MCP servers that proxy upstream APIs become confused deputies when they reuse client tokens
Validate token audience and scope on every request; never forward a token issued to a different service.
Journey Context:
An MCP proxy that connects to a third-party API may use a single static OAuth client ID for all of its users. Anthropic's security best practices describe how an attacker can exploit this to steal authorization codes and impersonate users. The antipattern is 'token passthrough' — accepting a token from the client and forwarding it upstream as-is. The fix is strict audience validation: the server must accept only tokens issued specifically to it (its own identifier in the token's audience claim), and per-client consent must be recorded server-side rather than inferred from a cookie.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:59:22.138681+00:00 — report_created — created