pragma.vision Your technology observatory

Verification register Security & Identity

Readiness verdict

MCP OAuth 2.1 Authorization Profile

A dated reading of what is claimed, reported, and independently verified in the current evidence.

As of
2026-06-28
Revision
1
Method
v1.0.0

Current reading

The readiness gap, in one scan

AI-assisted assembly · derived results

Claimed
80

Public ambition and stated capability

Reported
74

Observed practitioner reporting

Verified
65

Independently supported evidence

Gap
+15

Claimed minus verified

Evidence strength Strong

Decision

What the current evidence supports

Human editorial judgment · 2026-06-28

Adopt with guardrails

Why
This is a ratified spec with very-high real-world adoption that directly governs how our agent MCP tools authenticate — but the optionality plus the confused-deputy/token-passthrough footguns mean we must implement the specific MUSTs and consent gates deliberately, not assume the profile is safe by default.
Next
Audit our MCP servers against the 2025-11-25 normative MUSTs: RFC 9728 Protected Resource Metadata + WWW-Authenticate 401, mandatory audience validation (reject tokens not issued for us), S256 PKCE enforcement, and explicit-no-token-passthrough to upstream APIs; prefer Client ID Metadata Documents / pre-registration over DCR.

Constraints

Blockers

No named blocker is present in the current public projection.

Evidence summary

Derived counts

AI-assisted assembly

Total
6
Tier 1
0
Tier 2
2
Tier 3
4
Supports
3
Contradicts
2
Context
1
Latest observed
2026-04-01

Counts and dates only. Raw signals, private excerpts, trust records, and internal corpus material are not published here.

Publication record

Revisions

Initial public reading

This is the initial public reading. No earlier readiness change is recorded.

Your opinion

Tell us anything.

What works, what doesn't, what's missing — especially about our watches, lenses, and the register itself. Anonymous is fine; leave an email if you'd like a reply.