Free · Apache 2.0 · No signup
MCP-OAuth scanner
Paste your MCP server's URL. Get a graded report against RFC 7591, 7636, 8414, 8707, 9207, 9449, 9728, and the MCP 2026-07-28 auth spec — including the confused-deputy patterns disclosed by Obsidian Security.
Loopback / private IPs are blocked.
Playground
7-step interactive demo of nested-act delegation chains.
MCP quickstart
Configs for Claude Desktop, Cursor, Continue, VS Code MCP, ChatGPT.
Standards report
Per-section spec → file:line map for every RFC and IETF draft authgent implements.
What this checks
MCP-PRM-001 — RFC 9728 Protected Resource Metadata present and well-formed.
MCP-AS-001 — RFC 8414 Authorization Server Metadata reachable.
MCP-PKCE-001 — PKCE S256 advertised; plain rejected (OAuth 2.1).
MCP-AUD-001 — RFC 8707 Resource Indicators required (confused-deputy mitigation).
MCP-ISS-001 — RFC 9207 / SEP-2468 iss parameter on /authorize.
MCP-DCR-MIRROR-001 — Distinct DCR registrations yield distinct client_ids (Obsidian Jan 2026).
MCP-CSRF-001 — Implicit grant response_type=token not advertised.
MCP-REFRESH-001 — Refresh tokens issued with DPoP (RFC 9449) sender-constraint.
MCP-DCR-001 — Dynamic Client Registration (RFC 7591) advertised.
MCP-PASSTHROUGH-001 — Tool endpoints don't respond 200 unauthenticated.
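
Four of the checks above can be read straight from an RFC 8414 metadata document. The sketch below is an added example, not the scanner's own code: it grades two constructed metadata documents offline, and the pass/fail rules and the function name grade_as_metadata are assumptions about how such checks could be expressed.

```python
from urllib.parse import urlparse

def grade_as_metadata(meta):
    """Grade an RFC 8414 metadata dict; returns {check_id: (passed, detail)}."""
    results = {}

    # MCP-PKCE-001: S256 advertised and plain not advertised. Metadata only
    # shows what is advertised; proving plain is rejected needs a live request.
    methods = meta.get("code_challenge_methods_supported") or []
    if "S256" not in methods:
        results["MCP-PKCE-001"] = (False, "S256 not advertised")
    elif "plain" in methods:
        results["MCP-PKCE-001"] = (False, "plain advertised alongside S256")
    else:
        results["MCP-PKCE-001"] = (True, "S256 only")

    # MCP-ISS-001: RFC 9207 flag must be the JSON boolean true.
    iss = meta.get("authorization_response_iss_parameter_supported") is True
    results["MCP-ISS-001"] = (iss, "iss advertised" if iss else "iss not advertised")

    # MCP-CSRF-001: response types are space-delimited, so "id_token token"
    # counts as implicit just like a bare "token".
    implicit = [rt for rt in meta.get("response_types_supported", [])
                if "token" in rt.split()]
    results["MCP-CSRF-001"] = (not implicit, f"implicit types: {implicit}")

    # MCP-DCR-001: registration_endpoint present and served over https.
    reg = urlparse(meta.get("registration_endpoint") or "")
    dcr = reg.scheme == "https" and bool(reg.netloc)
    results["MCP-DCR-001"] = (dcr, reg.geturl() or "registration_endpoint missing")
    return results

# Constructed sample documents (as.example is a placeholder host).
WEAK = {
    "code_challenge_methods_supported": ["plain", "S256"],
    "response_types_supported": ["code", "token", "id_token token"],
    "registration_endpoint": "http://as.example/register",
}
HARDENED = {
    "code_challenge_methods_supported": ["S256"],
    "response_types_supported": ["code"],
    "authorization_response_iss_parameter_supported": True,
    "registration_endpoint": "https://as.example/register",
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        for check, (ok, detail) in grade_as_metadata(doc).items():
            print(f"{name:9} {check:13} {'PASS' if ok else 'FAIL'}  {detail}")
```

The remaining checks (audience binding, DCR mirroring, DPoP-bound refresh tokens, unauthenticated tool endpoints) depend on live server behaviour and cannot be graded from metadata alone.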