MCPJamMCPJam
Back to all posts

A look at MCP OAuth in 2026 - Scalekit & MCPJam

Matthew Wang & Akshay Parihar (Scalekit)5 min read

At the beginning of last year, MCP authorization barely existed. Most people were running MCP servers via stdio, and auth / identity was handled by passing in a hard coded API key as an environment variable or search params.

We then saw the maturation of MCP OAuth in the latter half of the year. OAuth 2.1 spec stabilized in November, and MCP OAuth was no longer a toy. We were dealing with redirects, secrets, tokens, scopes. We saw this spec being adopted at enterprise, providing a pleasant experience for their customers using their server.

OAuth remains hard to debug in 2026

Though the spec stabilized, it didn't make OAuth easy to implement and debug. The spec came in multiple shapes (CIMD & DCR) and developers were using different versions of the OAuth spec.

Working with OAuth implementors, we saw the same bugs come up over and over:

  • Incorrect WWW-Authenticate header: Client never starts OAuth flow and can't find the resources.
  • Redirect URI mismatches: Subtle mismatch of URLs until you look closely and find trailing slash, encoding differences, port mismatch
  • PKCE / Code Exchange Issues: Authorization step succeeds, but token step fails. Binding is incorrect, or challenge is computed incorrectly.
  • Scopes that don't work: Auth server and MCP server handle use different formats (org:write vs orgs:write)

These are some of the most common bugs we see, but there are so many fragile points of failure in the flow that are difficult to debug.

Building the MCP debugging stack for OAuth

Teams we've worked with have spent days stuck with debugging OAuth. Having the observability at every step of the OAuth flow is needed to unblock your implementation.

We built the visual OAuth debugger in MCPJam to help with observability and debugging.

  • Visual guide to observe every network call and step in the OAuth flow. We also catch where your MCP server / authorization server is missing a correct implementation.
  • Ability to drop in your own client ID and secret to match what happens when you plug your MCP server into your own identity provider.
  • Test with DCR or CIMD, your choice. If you choose DCR, we guide you through the DCR flow. With CIMD, we provide our own MCPJam hosted document for testing.
  • Choose between different spec versions. This is helpful to compare your flow to newer versions if you're looking to upgrade.
MCPJam OAuth Debugger
MCPJam OAuth Debugger

You can read more about our OAuth debugger in this blog post. The OAuth debugger is on the latest version of MCPJam, feel free to give it a spin!

Skip the headache with Scalekit

We tried implementing OAuth for some of our MCP projects and found it much easier to use a drop-in service from an identity provider rather than implementing an OAuth server ourselves.

Our friends at Scalekit put together a really great product that brings authorization to MCP servers. What I like about Scalekit:

  • Really clean docs and dashboard. It was easy to follow setting up the authorization server on the dashboard. They also have really good integration guides for FastMCP and express server.
  • Once you set up the server, it's pretty easy copy paste their code snippets into my express server
  • Supports DCR and CIMD out of the box. I can set up both of them to ensure that it works across all MCP clients.
  • Customization on the login screen is really flexible.
Scalekit Dashboard
Scalekit Dashboard

It wasn't much of a headache to use, I was able to get an OAuth implementation working the same day. I highly recommend trying out their product!