u/Sharp_Commercial_166

Spent the prev weekend reading the MCP auth spec and the more i read it, the more it feels like the spec authors assumed everyone is greenfielding their auth stack.

OAuth 2.1, PKCE, DCR, scoped tokens per tool, dynamic client registration are all great but my users live incognito.

Our sessions are cookie-based. half our internal stuff still runs on an old homegrown JWT issuer that nobody in the team wants to touch.

Am i missing something or is the answer simply down to "rip out your auth and rebuild for MCP"?

The only sane path i see is putting an MCP-compliant layer in front of the existing auth (descope's BYOA does this, ory does something close), but it feels like nobody's writing about this and i can't tell if that's because it's obvious or because nobody's tried it yet.

Spent the prev weekend reading the MCP auth spec and the more i read it, the more it feels like the spec authors assumed everyone is greenfielding their auth stack.

OAuth 2.1, PKCE, DCR, scoped tokens per tool, dynamic client registration are all great but my users live incognito.

Our sessions are cookie-based. half our internal stuff still runs on an old homegrown JWT issuer that nobody in the team wants to touch.

Am i missing something or is the answer simply down to "rip out your auth and rebuild for MCP"?

The only sane path i see is putting an MCP-compliant layer in front of the existing auth (descope's BYOA does this, ory does something close), but it feels like nobody's writing about this and i can't tell if that's because it's obvious or because nobody's tried it yet.