MCP’s First Year: The Missing Security Pieces Are Finally Falling Into Place (Part 1)
If you’re an active user of AI Agents, and even if not, the latest updates in the Agentic AI domain should make you very interested to experiment!
First, there’s a new specification for the Model Context Protocol (MCP) – the main technology driving AI Agents’ capabilities and abilities.
While ‘new specification’ might sound frightening, it’s actually very simple: it’s an update to how AI Agents connect with servers, exposing tools they are able to use. The update is based on feedback and knowledge gathered from the past few months, and has some exciting new solutions.
One thing in particular stands out – we now have MCP Authorization Extensions! These add authorization mechanisms that solve a few hard-to-crack problems that have hindered the ability of large organizations to adopt AI Agents.
In the meantime, Anthropic has been making significant strides in understanding how agents actually utilize tools and enrich their context to enhance task performance. This comes by reflecting on a year of MCP and also on improving how their flagship agent – Claude – interacts with tools.
This 2-part blog series takes a practitioner’s point of view and digs deeper into how these changes shape the Agentic AI space.
In Part 1 below, we explore how MCP’s first year addressed the foundational security and authorization challenges that previously blocked enterprise adoption — from safer client identity models to incremental scoping and enterprise-managed authorization. But securing the protocol is only half the story.
My Three Highlights from MCP’s 25-11-2025 Spec
1. Client ID Metadata Documents
In the preliminary version of authentication for MCP Servers, the maintainers had decided to use OAuth and treat MCP servers as OAuth resource servers.
In doing so, the MCP maintainers ran into a problem: how do we know which client is connecting to a server that we own?
We could give each MCP Client (like Claude, Cursor, Copilot, etc.) a unique ID, but given the decentralized model of MCP, where there are millions of resource servers maintained by many different owners (in most cases, each instance of an MCP server is a resource server), this method breaks down quickly (custom identity providers, multi-user access, etc.).
The previous spec introduced a solution: Dynamic Client Registration, which basically requires authorization servers to allow for programmatic creation of new OAuth clients.
Now, a few months later, cracks have started to appear in this solution as well. Most notably, security issues stem from exposing such a sensitive endpoint to the world.
The new spec attempts to address this by utilizing Client ID Metadata Documents instead, where MCP clients provide a URL they control to eliminate the need for dynamic registration. This strongly ties the client to a DNS record, which the internet already utilizes for trust in various places. MCP servers can rely on this method to allow for an almost seamless configuration of a new client without requiring explicit registration.
I do see a few hurdles that the spec needs to address before this is fully adopted, mainly how desktop MCP clients can rely on CIMD (hosting keys in a remote URL, redirecting to a local address) and making it easy for developers to set this up if they are developing an internal-facing MCP server.
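To make the CIMD idea concrete, here is an added example (my own illustration, not code from the MCP spec or any client) of the checks an authorization server would run when a client presents a URL as its client_id: the URL must be HTTPS, the hosted document must name itself, and the redirect_uri must match the document. The hosted document, hostnames and the loopback-port rule for desktop clients (RFC 8252 §7.3) are assumptions for the demo.

```python
import json
from urllib.parse import urlparse

# Constructed stand-in for the document the client hosts at its client_id URL.
# A real authorization server fetches it over HTTPS and caches it; this keeps the demo offline.
HOSTED_DOCUMENTS = {
    "https://agent.example.com/oauth/client.json": json.dumps({
        "client_id": "https://agent.example.com/oauth/client.json",
        "client_name": "Example Desktop Agent",
        "redirect_uris": ["http://127.0.0.1/callback"],
        "token_endpoint_auth_method": "none",
    }),
}

class CimdError(ValueError):
    pass

def load_client_metadata(client_id: str, fetch=HOSTED_DOCUMENTS.get) -> dict:
    """Validate a URL-shaped client_id and return the metadata document it points at."""
    parsed = urlparse(client_id)
    if parsed.scheme != "https" or not parsed.netloc:
        raise CimdError("client_id must be an https URL")
    if parsed.fragment or "@" in parsed.netloc:
        raise CimdError("client_id must not carry a fragment or userinfo")
    raw = fetch(client_id)
    if raw is None:
        raise CimdError("metadata document not found")
    doc = json.loads(raw)
    # The document must name itself: this is what binds the client identity to the DNS name.
    if doc.get("client_id") != client_id:
        raise CimdError("document client_id does not match the URL it was fetched from")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        raise CimdError("redirect_uris missing or empty")
    return doc

def redirect_allowed(doc: dict, redirect_uri: str) -> bool:
    """Exact match, except that a registered loopback URI may use any port (RFC 8252 §7.3),
    which is how a desktop client receives the redirect on a local address."""
    req = urlparse(redirect_uri)
    for registered in doc["redirect_uris"]:
        reg = urlparse(registered)
        if registered == redirect_uri:
            return True
        if (reg.hostname in ("127.0.0.1", "::1") and reg.scheme == req.scheme == "http"
                and req.hostname == reg.hostname and req.path == reg.path):
            return True
    return False
```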
2. Incremental Scoping
Perhaps the change I’m most excited about: the ability to create fine-grained scoped tokens according to the current necessities of the MCP server!
The new spec expects servers to expose which scopes they require in order to make the current tool call. Then, clients can utilize the so-called “Step-Up” Authorization flow to increase the set of scopes they request from the authorization server before continuing.
I really like this approach because, as we all know, using MCP for high-permission operations is very beneficial, but those instances don’t happen too often. Having every MCP client hold an always-available token with these high-permission scopes is concerning, and I’m glad to see this problem addressed early on in the spec instead of being left for later.
Now I’m expecting to see the spec also take a stand on the best practice of separating tools into sensitivity buckets and attaching granular scopes to each (so we’ll hopefully stop seeing just mcp:read and mcp:write in examples).
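Here is an added example (my own sketch, not code from the spec) of the step-up loop from both sides: the server checks the token’s scopes against what the requested tool needs and, when they fall short, answers with an RFC 6750 insufficient_scope challenge naming the required scopes; the client reads that challenge and asks the authorization server for the union of what it holds and what was demanded. The tool names and the scope buckets are constructed for the demo.

```python
import re

# Constructed per-tool scope requirements, grouped by sensitivity (names are illustrative).
TOOL_SCOPES = {
    "list_tickets": {"tickets:read"},
    "close_ticket": {"tickets:write"},
    "refund_customer": {"payments:refund"},
}

def check_tool_call(tool: str, token_scopes: set) -> tuple:
    """Server side: allow the call, or return the WWW-Authenticate challenge to send with a 403."""
    required = TOOL_SCOPES[tool]
    if required <= token_scopes:
        return True, None
    # RFC 6750 insufficient_scope challenge; "scope" lists what this call needs.
    challenge = 'Bearer error="insufficient_scope", scope="%s"' % " ".join(sorted(required))
    return False, challenge

def parse_challenge(header: str) -> set:
    """Client side: extract the scopes named in an insufficient_scope challenge."""
    if not header.startswith("Bearer") or 'error="insufficient_scope"' not in header:
        return set()
    match = re.search(r'scope="([^"]*)"', header)
    return set(match.group(1).split()) if match else set()

def step_up(current_scopes: set, header: str) -> set:
    """Scopes for the step-up authorization request: what we hold plus what the server asked for."""
    return set(current_scopes) | parse_challenge(header)

def run_tool_call(tool: str, token_scopes: set) -> set:
    """Drive one call: on insufficient_scope, step up once and retry; return the scopes used."""
    scopes = set(token_scopes)
    ok, challenge = check_tool_call(tool, scopes)
    if not ok:
        scopes = step_up(scopes, challenge)   # the client re-authorizes with this set here
        ok, challenge = check_tool_call(tool, scopes)
    if not ok:
        raise PermissionError(challenge)
    return scopes
```

The point of the loop is that the high-permission scope is only requested at the moment a sensitive tool is actually called, not held from the start.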
3. Auth Extensions
Finally, and perhaps most importantly, we have an official repository for MCP Authorization Extensions! It contains all those features that are just a bit too difficult to add into the official spec, but that still solve very difficult authorization problems when large organizations try to adopt MCP.
Currently, there are two extensions available:
Client Credentials: This extension allows registered clients to access MCP servers without human intervention by authenticating with their provided credentials or, most commonly, with a signed JWT from their authorization server. This is especially exciting since it enables agents to run autonomously and communicate with MCP servers without additional hurdles.
Enterprise Managed Authorization: To complete the picture of enterprise-centric agentic identity, this extension allows decision makers to define policies on the enterprise identity provider. Such policies could be something like: “the user’s AI agent can access MCP servers with this specific set of permissions”. The auth extension explains how the identity provider can mint tokens that embed this information inside, so that any MCP server conforming to this extension can understand it and grant the agent the necessary permissions seamlessly, all based on the enterprise user’s permissions.
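Both extensions come down to the same mechanic: a token signed by the authorization server or enterprise identity provider carries what the agent is allowed to do, and the MCP server verifies it before honoring a tool call. The example below is my own illustration of that flow (not the extensions’ reference code): one side mints the JWT with the policy embedded, the other verifies algorithm, signature, issuer, audience and expiry, then consults the embedded permissions. The claim names `agent` and `mcp_permissions`, the issuer and audience URLs, and the shared HMAC secret are assumptions for the demo; real deployments sign with an asymmetric key published via JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret between the enterprise identity provider and the MCP server.
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://idp.example.com"          # constructed
MCP_AUDIENCE = "https://mcp.example.com"    # constructed

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_agent_token(user: str, agent: str, mcp_permissions: list, ttl: int = 300) -> str:
    """IdP side: sign a token that carries the enterprise policy decision for this agent.
    'agent' and 'mcp_permissions' are assumed claim names chosen for this demo."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": user, "aud": MCP_AUDIENCE, "iat": now, "exp": now + ttl,
              "agent": agent, "mcp_permissions": mcp_permissions}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_agent_token(token: str, audience: str = MCP_AUDIENCE, now=None) -> dict:
    """MCP server side: pin the algorithm, check the signature, then issuer, audience and expiry."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(unb64url(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def tool_allowed(claims: dict, required_permission: str) -> bool:
    """Grant the tool call only if the IdP-minted policy lists the permission."""
    return required_permission in claims.get("mcp_permissions", [])
```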
Summary: MCP Advances Towards Enterprise Security
The recent updates to the Model Context Protocol (MCP) specification represent a crucial step toward stabilizing Agentic AI for widespread adoption in enterprises. We’ve detailed how Client ID Metadata Documents (CIMD) enhance client-server trust and security by replacing risky dynamic registration with DNS-tied authentication. Furthermore, Incremental Scoping introduces a “Step-Up” Authorization flow to prevent agents from permanently holding high-permission tokens, a significant security improvement for high-value operations.
Finally, the introduction of official MCP Authorization Extensions, notably Client Credentials for autonomous agent operation and Enterprise Managed Authorization for policy-driven identity, directly addresses the difficult, real-world authorization challenges that have hindered large organizations. These advancements solidify the MCP’s foundation and pave the way for its secure and scalable implementation across the enterprise.
In Part 2, we’ll shift focus from how agents are authorized to how agents actually behave in practice. We’ll look at the real-world challenges that emerged as MCP adoption exploded, and how Anthropic is evolving Claude through advanced tool discovery and Agent Skills to make agents more scalable, reliable, and enterprise-ready.