Workflow · Production

Arcade.dev proposes MCP URL elicitation to fix OAuth credential security gap in AI agent tool-calling

The problem

MCP (Model Context Protocol) has no secure mechanism for servers to obtain third-party credentials such as OAuth tokens, leaving developers forced to use insecure workarounds like hardcoded credentials or passing tokens through untrusted MCP clients.

First attempt

Existing workarounds including service account tokens with excessive scopes, hardcoded server credentials, and client-side credential storage all violate security principles and create risks such as token exfiltration.

Workflow diagram · grounded in source
1
Agent tool call requires auth
trigger
“Your AI agent needs to search Gmail for that weekly report. You've built an MCP server, the tool definition, everything's wired up perfectly.”
2
Server checks for valid token
validation
“if not has_valid_token(user_id): state = generate_secure_state()”
3
Server raises URL elicitation
output
“raise ElicitationRequired([{ "id": f"github-auth-{state}", "mode": "url", "url": auth_url, "message": "Authorize GitHub access"”
4
Client opens auth URL
human_review
“if (e.code === "ELICITATION_REQUIRED") { // Client opens URL, user auths, server stores token window.open(e.elicitations[0].url);”
5
Server stores token and retries
integration
“// Client opens URL, user auths, server stores token window.open(e.elicitations[0].url); // Retry after auth completes”
Reported outcome

Arcade.dev submitted PR #887 extending MCP's elicitation framework with a URL mode that routes sensitive credential flows through the browser directly to auth providers, keeping the untrusted MCP client out of the credential path entirely.

Reported metrics
PR contributors examining security50+
Arcade secure auth integrations100+
Reported stack
MCPOAuth 2.0Arcade
Source
https://blog.arcade.dev/mcp-server-authorization-guide
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

Arcade.dev submitted PR #887 extending MCP's elicitation framework with a URL mode that routes sensitive credential flows through the browser directly to auth providers, keeping the untrusted MCP client out of the cre…

What tools did this team use?

MCP, OAuth 2.0, Arcade.

What results were reported?

PR contributors examining security: 50+; Arcade secure auth integrations: 100+ (source-reported, not independently verified).

What failed first in this deployment?

Existing workarounds including service account tokens with excessive scopes, hardcoded server credentials, and client-side credential storage all violate security principles and create risks such as token exfiltration.

How is this workflow AI workflow structured?

Agent tool call requires auth → Server checks for valid token → Server raises URL elicitation → Client opens auth URL → Server stores token and retries.