
Engineering insights

Deep-dives on MCP security, RFC explainers, and war stories from the field.

Deep Dive · 10 min read

Cross-App Access: Why Enterprise MCP Needs IdP-Mediated Authorization

XAA (Cross-App Access) puts the enterprise IdP in the loop for every agent-to-tool connection. Here's how ID-JAG works, why it matters for regulated industries, and how AuthPlane implements it.

Deep Dive · 8 min read

OAuth 2.1 + PKCE Is the Only Right Way to Secure MCP

The MCP authorization spec requires OAuth 2.1 with PKCE for a reason. Here's exactly why every alternative falls apart, and what your MCP server needs to implement correctly.
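The property PKCE buys is easy to state and worth seeing in code: an authorization code is useless to anyone who does not also hold the `code_verifier` that produced the `code_challenge` sent at `/authorize`. The following is an added, self-contained example written for this page; it is not AuthPlane's code, and the in-memory `TinyAuthServer` and the `client_id` values are stand-ins for a real authorization server. It derives an S256 challenge (checked against the RFC 7636 Appendix B test vector), performs the token-endpoint verification, and shows that a stolen, single-use code fails without the verifier.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# RFC 7636 §4.1: verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, the RFC 7636 minimum."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token-endpoint check. MCP requires S256, so 'plain' is refused outright."""
    if stored_method != "S256":
        return False
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    expected = code_challenge_s256(presented_verifier)
    # Constant-time compare: the challenge is public, but don't build habits around ==.
    return hmac.compare_digest(expected, stored_challenge)


class TinyAuthServer:
    """Assumed, minimal in-memory authorization server used only to exercise the flow."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str) -> str:
        if code_challenge_method != "S256":
            raise ValueError("MCP clients must use S256")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)  # bind challenge to the code
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        entry = self._codes.pop(code, None)  # single use: a replayed code finds nothing
        if entry is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id or not verify_pkce(challenge, "S256", code_verifier):
            return None
        return "at-" + secrets.token_urlsafe(8)


def run_flow() -> Tuple[bool, bool, bool]:
    """Returns (legit_ok, stolen_code_blocked, replay_blocked)."""
    auth = TinyAuthServer()
    verifier = make_code_verifier()
    code = auth.authorize("mcp-client", code_challenge_s256(verifier), "S256")

    # Attacker observes the redirect (code leaks via logs, referrer, etc.) but not the verifier.
    stolen_blocked = auth.token("mcp-client", code, make_code_verifier()) is None
    # The stolen attempt consumed the code, so redo the legit flow on a fresh code.
    code2 = auth.authorize("mcp-client", code_challenge_s256(verifier), "S256")
    legit_ok = auth.token("mcp-client", code2, verifier) is not None
    replay_blocked = auth.token("mcp-client", code2, verifier) is None
    return legit_ok, stolen_blocked, replay_blocked


if __name__ == "__main__":
    print(run_flow())
```

The `TinyAuthServer` exists only to show where the challenge is stored and where it is checked; a real server also has to bind the code to the `redirect_uri`, expire it, and reject `plain` at `/authorize` rather than silently downgrading.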

War Story · 6 min read

What We Saw When Teams Shipped MCP Without Auth

Four real attack patterns we observed in unprotected MCP deployments: token replay, log scraping, scope escalation, and zero audit trail. What goes wrong and how to fix it.

Spec Guide · 5 min read

Reading RFC 9728 So You Don't Have To

Protected Resource Metadata is the mechanism MCP agents use to discover authorization servers. Here's the full walkthrough of the spec, how AuthPlane implements it, and what it means for your MCP server.