Resource Indicators (RFC 8707) in MCP is the OAuth extension that lets clients explicitly tell the authorization server which MCP server an access token should be scoped for. The client adds a “resource” parameter to the authorization request, naming the target MCP server by its URI. The authorization server then issues a token with an aud claim bound to that resource. Without resource indicators, authorization servers issue generic tokens that may technically work against any service sharing the same auth domain, creating the conditions for token passthrough and confused deputy attacks. The MCP specification recommends resource indicators as the foundation for proper audience binding across multi-server deployments.
How Resource Indicators Work in MCP
The MCP client sends an authorization request that includes a resource parameter: resource= https://mcp.example.com. The authorization server treats this as the audience for the token it’s about to issue. After the user grants consent, the server includes the resource URL as the aud claim in the issued access token. When the client uses the token against the MCP server, the server checks the aud claim and confirms it matches its own resource identifier. If the client requested multiple resources, the server can issue separate tokens for each one or a single token with multiple audiences, depending on the authorization server’s implementation.
Certified MCP Security Expert
Attack, defend, and pen test MCP servers in 30+ hands-on labs. Get certified.
Why Resource Indicators Are Relevant for MCP Security
Without resource indicators, the authorization server has no idea which MCP server the client plans to use the token against. It issues a generic token that the client can present to any service. Audience validation then becomes either impossible (no aud claim) or trivially bypassed (aud set to a wildcard or the authorization server itself). Resource indicators force the authorization server to commit to a specific audience at token-issue time. This makes cross-service token reuse impossible because the aud claim no longer matches any other service’s resource identifier.
How to Implement Resource Indicators Correctly
Require the resource parameter on every authorization request from MCP clients. Validate that the requested resource is a registered MCP server before issuing the token. Include the resource URL as the aud claim in the issued token. On the MCP server side, validate aud against your canonical resource identifier with exact matching, not prefix matching. Reject tokens with missing or wildcard aud claims.
Summary
Resource Indicators (RFC 8707) is the OAuth extension that binds access tokens to specific MCP servers at issue time, enabling proper audience validation and blocking the token passthrough patterns that cause cross-service breaches. The Certified MCP Security Expert (CMCPSE) certification trains engineers to design RFC 8707-compliant MCP authorization flows that hold up against cross-tenant attacks.
