
How to Secure Agents using OAuth — Jared Hanson (Keycard, Passport.js)

7.9K views · Jul 30, 2025 · 18:58 min
Takeaway

Stop pasting long-lived API keys into MCP configs — treat MCP servers as OAuth resource servers and let a real authorization server mediate agent access.

Summary

  • Jared Hanson (Keycard, Passport.js creator) argues today's MCP keys-in-env pattern is a security crisis at scale; OAuth's delegated-access pattern is the fix.
  • Recaps OAuth roles (client/resource server/authorization server), authorization-code flows, and OpenID Connect as an identity layer adding ID tokens.
  • Critiques the March MCP spec for collapsing the OAuth authorization server role into the MCP server, a design that sparked viral 'MCP auth is a mess' posts from Christian Posta and Aaron Parecki.
  • Argues MCP servers should be OAuth resource servers only, with a separate authorization server, which is exactly what his January spec review comment proposed and what wasn't initially adopted.
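
The resource-server-only role from the summary, as an added example (not code from the talk, Keycard, or the MCP spec): the MCP server publishes RFC 9728 metadata naming a separate authorization server and only validates the tokens that server issues. The URLs, the `tools:read` scope, and the in-process Ed25519 key pair are constructed for illustration.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed identifiers (assumptions, not from the talk).
const RESOURCE = 'https://mcp.example.com';   // this MCP server
const ISSUER = 'https://auth.example.com';    // separate authorization server
const METADATA_URL = RESOURCE + '/.well-known/oauth-protected-resource';

// RFC 9728 metadata served at METADATA_URL: tells clients where to get tokens.
const resourceMetadata = { resource: RESOURCE, authorization_servers: [ISSUER] };

// Constructed key pair standing in for the authorization server's signing key.
// A real resource server holds only the public half, fetched from the issuer.
const asKeys = generateKeyPairSync('ed25519');
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const unb64 = (s) => JSON.parse(Buffer.from(s, 'base64url').toString()) || {};

// Sample-data helper: the authorization server's job, never the MCP server's.
function issueToken(claims) {
  const body = b64({ alg: 'EdDSA', typ: 'at+jwt' }) + '.' + b64(claims);
  return body + '.' + sign(null, Buffer.from(body), asKeys.privateKey).toString('base64url');
}

function challenge(status, error) {
  const value = `Bearer resource_metadata="${METADATA_URL}"` + (error ? `, error="${error}"` : '');
  return { status, headers: { 'WWW-Authenticate': value } };
}

// Resource-server check for one MCP request that needs `requiredScope`.
function authorize(headers, requiredScope, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(headers.authorization || '');
  if (!m) return challenge(401);               // no token, or an opaque static key
  let claims;
  try {
    const sigOk = unb64(m[1]).alg === 'EdDSA' &&   // pin the expected algorithm
      verify(null, Buffer.from(m[1] + '.' + m[2]), asKeys.publicKey, Buffer.from(m[3], 'base64url'));
    claims = unb64(m[2]);
    if (!sigOk || claims.iss !== ISSUER ||
        ![].concat(claims.aud).includes(RESOURCE) ||           // minted for this server
        !(typeof claims.exp === 'number' && claims.exp > now)) // short-lived
      return challenge(401, 'invalid_token');
  } catch { return challenge(401, 'invalid_token'); }
  if (!String(claims.scope || '').split(' ').includes(requiredScope))
    return challenge(403, 'insufficient_scope');
  return { status: 200, subject: claims.sub };
}
```

The 401 challenge carries the metadata URL, so a client with no token learns which authorization server to use without the MCP server ever handling credentials or issuing tokens itself.
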
oauth · mcp · security
Original description
We all know sharing passwords is bad (unless you want free TV), so why are we sharing API keys with AI?  We shouldn't, and that’s why we need to talk about OAuth.

In this talk, we will give a brief intro to OAuth.  Then we will talk about the state of authorization in MCP.  We will show how an MCP client uses OAuth to authenticate a user and securely access private resources and tools hosted by an MCP server.  Then we’ll look at ways autonomous agents can use OAuth on their own behalf, talking to other agents and MCP servers directly.  We’ll learn how to use OAuth to build agents that humans and machines can trust.

About Jared Hanson
Jared Hanson is the co-founder of Keycard, a company building identity infrastructure for the agent-native world. Previously at Okta and Auth0, Jared is an expert on OpenID, OAuth, and all things identity. He’s also the author of Passport.js, the popular authentication framework for Node.js. At Keycard, he is applying that knowledge to securing AI and infrastructure.

Recorded at the AI Engineer World's Fair in San Francisco.