
MCP Auth — Authorization Code with PKCE

The Model Context Protocol Authorization flow utilizing OAuth 2.1, PKCE, and Protected Resource Metadata for secure client-server communication.

MCP Auth Draft
Sequence diagram (participants: MCP Client, User / Browser, MCP Server, Auth Server):

1. POST /mcp → 401
2. GET Resource Metadata
3. GET Auth Metadata
4. Redirect → /authorize
5. User Authenticates
6. POST /token
7. Authenticated POST

POST https://api.example.com/mcp → 401

The MCP Client attempts an unauthenticated request to the MCP Server. The server rejects it, providing the location of its Protected Resource Metadata.

The server returns a 401 Unauthorized status.

The WWW-Authenticate header directs the client to the metadata endpoint.


Step 1: POST /mcp

Request

POST https://api.example.com/mcp
Content-Type: application/json

Body:
{
  "jsonrpc": "2.0",
  "method": "initialize",
  "params": {}
}
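Both halves of step 1 as an added example (not code from the page or from any MCP SDK): the server refuses a request that carries no valid bearer token and answers 401 with a WWW-Authenticate challenge whose resource_metadata parameter (the RFC 9728 form) points at its Protected Resource Metadata, and the client extracts that URL from the challenge. The resource URL, metadata URL and the accepted token are constructed values; the https-only rule on the metadata URL is a policy this example imposes, not something the page states.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed values: the MCP server's resource and the location of its
# Protected Resource Metadata document. Not taken from the page.
RESOURCE_METADATA_URL = "https://api.example.com/.well-known/oauth-protected-resource/mcp"

# Stand-in for real token validation (introspection or JWT verification).
VALID_TOKENS = {"constructed-valid-token"}


def handle_mcp_request(headers: dict) -> tuple:
    """Server side of step 1. Returns (status, response headers, body).

    Without a valid bearer token the answer is 401 plus a WWW-Authenticate
    challenge telling the client where the resource metadata lives.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token in VALID_TOKENS:
        body = '{"jsonrpc":"2.0","id":1,"result":{}}'
        return 200, {"Content-Type": "application/json"}, body
    challenge = f'Bearer resource_metadata="{RESOURCE_METADATA_URL}"'
    return 401, {"WWW-Authenticate": challenge}, ""


# Matches quoted auth-params such as resource_metadata="https://..."
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def metadata_url_from_challenge(www_authenticate: str) -> Optional[str]:
    """Client side of step 1: pull resource_metadata out of the challenge.

    Only a Bearer challenge counts, and the URL must be https so the client
    never fetches authorization details over cleartext (this example's policy).
    """
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    url = dict(_PARAM_RE.findall(params)).get("resource_metadata")
    if url is None or urlparse(url).scheme != "https":
        return None
    return url


if __name__ == "__main__":
    status, resp_headers, _ = handle_mcp_request({"Content-Type": "application/json"})
    print(status, resp_headers["WWW-Authenticate"])
    print(metadata_url_from_challenge(resp_headers["WWW-Authenticate"]))
```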