MCP Client — Just Another OAuth Client?

A talk given by Michal Trojanowski from Curity at the 2025 Platform Summit in Stockholm, Sweden.

Model Context Protocol (MCP) allows AI applications to call APIs, and calling APIs requires proper authorization. Fortunately, the protocol takes this into consideration and requires implementations to use OAuth — a well-established standard. But does that mean an MCP client is just another OAuth client that will work with your existing infrastructure, or do you need additional components, special considerations, or enhanced features?

In this talk, Michal takes a closer look at authorization in MCP and talk about:

how securing access to the MCP server differs from securing your APIs,
best practices for using OAuth features such as consent and refresh tokens with MCP,
whether you need an MCP gateway to ensure proper protections,
what security concerns and attack vectors you might face when dealing with MCP.

Call for speakers for Platform Summit 2026 open - apply now.

More Live presentations videos

Identity: The Kill Switch For API-Driven Digital Sovereignty

Ghosts, Zombies, and Robots: Handing Off Control to the Non-Humans

How to Design Secure MCP Deployments

Panel Discussion: API Security in the Age of AI

How to Build a Fortress with the Security of a Tent

Who Needs That FAPI Thing, Anyway?

Panel Discussion: API Authorization

The Swedish Chef Would Be Proud: Cooking up a Secure API in Minutes – Instructions Included

OAuth Well Played – Mods and Combos for the Cloud Native API Security Game

Show Me Your Wallet to Tell Me Who You Are - Using Verifiable Credentials with OAuth

Ditch the Browser, Native API-Driven App Authentication with Passkeys

Military-Grade Security for APIs

Decentralized Identities Changes Everything, Even Your APIs

Addressing Top API Security Risks

Browserless OAuth Flows in Mobile Apps Using a Hypermedia API

OAuth and OpenID Connect - What's next?

Curity on ProgrammableWeb's Developers Rock Podcast

OAuth Tokens As Your Identity API

OAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes

Jacob Has a Horse, Says Travis – a Tale of Truths In a Microservice Architecture

Scalable API Security Using OAuth

Financial Grade APIs Using OAuth and OpenID Connect

Security Is a Concern, Let’s Make It an Enabler

Securing APIs in a Cloud Native Environment Using OAuth

Securing APIs and Microservices with OAuth and OpenID Connect

OAuth and OpenID Connect for PSD2 and Third-Party Access

Next steps

Ready for the Next Generation of IAM?

Build secure, flexible identity solutions that keep pace with innovation. Start today.

Start a Free Trial

Book a Call

Speak to an Identity Specialist

Explore learning resources