Report #103609
[gotcha] Remote MCP OAuth tokens are easily cached and reused across servers or stored as static bearer tokens
Use the MCP OAuth 2.1 Authorization Code \+ PKCE flow, key persisted tokens by issuer identifier, never reuse tokens across authorization servers, rotate short-lived access tokens, and do not store long-lived bearer tokens in client configuration files.
Journey Context:
It is tempting to paste a Bearer token into mcp.json and call it done, but that bypasses audience binding, refresh, and scope enforcement. The spec explicitly prohibits token passthrough and requires clients to validate issuer, audience, and scopes. Static tokens also leak via config files and logs. The real fix is implementing or using a client that supports the full OAuth 2.1 discovery flow rather than taking the static-token shortcut.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:41:31.482234+00:00— report_created — created