- Why MCP Needs Auth at All
- API Keys vs OAuth for MCP
- The MCP OAuth Flow, Step by Step
- The Pieces: OAuth 2.1, PKCE, and Dynamic Client Registration
- Why This Is More Secure Than a Key in a File
- What a Good MCP Auth Setup Looks Like
- FAQs
- Related Reading
Connect a modern remote MCP server and you'll notice something: it never asks for an API key. You add a URL, a browser window opens, you sign in, and the tools are live. That's OAuth doing the work — and it's now the standard way MCP clients authenticate to remote servers. Here's what's happening under the hood, and why it's a better deal than pasting a key into a config file.
Why MCP Needs Auth at All
An MCP server exposes tools a model can call, and those tools often act on your behalf — reading a database, sending a message, provisioning infrastructure. The server needs to know who is asking so it can scope actions to your account and keep an audit trail. Authentication is how the client proves your identity to the server before any tool runs.
The question is only how you prove it. For years the default answer was an API key. For remote MCP servers, the answer has moved to OAuth.
API Keys vs OAuth for MCP
An API key is a long-lived secret. To use one you generate it in a dashboard, copy it, and paste it into a config file or environment variable. It works, but it has sharp edges: the key sits in plaintext on disk, it often can't be scoped narrowly, it doesn't expire on its own, and if it leaks — in a committed dotfile, a screenshot, a log — anyone who has it is you, until you remember to rotate it.
OAuth replaces the pasted secret with a sign-in. Instead of holding a static key, the client obtains a short-lived token through a browser consent flow, and refreshes it automatically. You can revoke access from the server side without touching any files, and nothing long-lived lives on your disk. For a tool that an AI model calls on your behalf, that's a meaningfully better security posture.
The MCP OAuth Flow, Step by Step
When you connect a remote MCP server that uses OAuth, this is what happens:
- Discovery. The client fetches the server's OAuth metadata from a well-known URL and learns where to send the user to sign in.
- Registration. The client registers itself with the server's authorization server — automatically, if the server supports dynamic client registration — so there's no app to set up by hand.
- Consent. Your browser opens to the server's consent screen. You sign in and approve the access the client is requesting.
- Token exchange. The server hands the client a short-lived access token (and a refresh token), which the client uses to authorize its tool calls.
- Refresh. When the access token expires, the client uses the refresh token to get a new one silently. You're not asked again unless you revoke access.
From your side it's just "add URL, sign in once." Every step above is the client and server negotiating so that you never handle a secret by hand.
The Pieces: OAuth 2.1, PKCE, and Dynamic Client Registration
Three standards do the heavy lifting:
- OAuth 2.1 is the modern, consolidated version of OAuth — it bakes in the security best practices that used to be optional and removes the flows that turned out to be unsafe.
- PKCE (Proof Key for Code Exchange) protects the authorization step so an intercepted authorization code can't be redeemed by an attacker. It's what makes the browser flow safe for apps that can't keep a client secret.
- Dynamic Client Registration (RFC 7591) lets the client register itself with the server on the fly. This is why you don't create an "app," copy a client ID, and paste a client secret — the client and server handle it, and you just sign in.
Put together, they're what lets a remote server say, credibly, "no API keys — just sign in."
Why This Is More Secure Than a Key in a File
The security win isn't abstract. Tokens are short-lived, so a leaked one expires instead of granting access forever. There's no static secret sitting in a config file or environment variable to accidentally commit. Access is revocable from the server without you hunting through machines to delete keys. And because the model's client authenticates as you through a scoped grant, the server can log every action against your identity.
The Matagi MCP server is built this way: OAuth 2.1 with PKCE and dynamic client registration, no API keys anywhere. You add https://mcp.matagi.ai/mcp to your client, sign in with your work email, and approve — the client registers itself and tokens refresh automatically. The credentials for the 3,000+ downstream tools your agents call are a separate matter, and Matagi keeps those in a server-side proxy so they never touch the generated code or the model context either.
What a Good MCP Auth Setup Looks Like
If you're choosing a remote MCP server, treat auth as a feature. The signs of a good one: it uses OAuth rather than asking you to paste a key; it supports dynamic client registration so there's no manual app setup; access tokens are short-lived and refresh silently; you can revoke access from the server; and every action taken on your behalf is logged. If a server instead wants a long-lived key in a config file, that's a step backward — and, if it's a server your AI can act through, a risk worth avoiding. Verify, don't trust.
FAQs
Do MCP servers require an API key? Modern remote ones generally don't — they use OAuth. With dynamic client registration, like Matagi's, there's nothing to paste; you just sign in.
What is dynamic client registration in MCP? A standard (RFC 7591) that lets the MCP client register itself with the server automatically, so you don't create an app or copy a client ID and secret by hand.
Is OAuth safer than an API key? Generally yes: tokens are short-lived and refreshable, nothing long-lived sits on your disk, and access is revocable server-side without editing files.
What happens when my token expires? The client uses a refresh token to get a new access token silently. You won't be prompted again unless you revoke access or sign out.
Where do my downstream tool credentials live? On a well-built server, in a server-side proxy — injected at runtime and kept out of the generated code and the model's context. That's how Matagi handles the tools your agents call.
Related Reading
- What Is a Remote MCP Server? (Remote vs Local)
- MCP vs API: What's the Difference?
- How to Connect ChatGPT to an MCP Server (Developer Mode)
- How to Add an MCP Server to Claude Desktop
- How to Add an MCP Server to Claude Code
No keys, just sign in: connect the Matagi MCP server — OAuth 2.1 with PKCE and dynamic client registration, so your AI authenticates as you and your secrets stay proxied and revocable.
Build your first AI agent free
Describe what you want done in plain English. Matagi provisions the infrastructure, wires the integrations, and deploys it.
Get started