What Are Resource Indicators (RFC 8707) in MCP?

Resource Indicators (RFC 8707) in MCP is the OAuth extension that lets clients explicitly tell the authorization server which MCP server an access token should be scoped for. The client adds a “resource” parameter to the authorization request, naming the target MCP server by its URI. The authorization server then issues a token with an […]

Resource Indicators (RFC 8707) in MCP is the OAuth extension that lets clients explicitly tell the authorization server which MCP server an access token should be scoped for. The client adds a “resource” parameter to the authorization request, naming the target MCP server by its URI. The authorization server then issues a token with an aud claim bound to that resource. Without resource indicators, authorization servers issue generic tokens that may technically work against any service sharing the same auth domain, creating the conditions for token passthrough and confused deputy attacks. The MCP specification recommends resource indicators as the foundation for proper audience binding across multi-server deployments.

How Resource Indicators Work in MCP

The MCP client sends an authorization request that includes a resource parameter: resource= https://mcp.example.com. The authorization server treats this as the audience for the token it’s about to issue. After the user grants consent, the server includes the resource URL as the aud claim in the issued access token. When the client uses the token against the MCP server, the server checks the aud claim and confirms it matches its own resource identifier. If the client requested multiple resources, the server can issue separate tokens for each one or a single token with multiple audiences, depending on the authorization server’s implementation.

Certified MCP Security Expert

Attack, defend, and pen test MCP servers in 30+ hands-on labs. Get certified.

Certified MCP Security Expert

Why Resource Indicators Are Relevant for MCP Security

Without resource indicators, the authorization server has no idea which MCP server the client plans to use the token against. It issues a generic token that the client can present to any service. Audience validation then becomes either impossible (no aud claim) or trivially bypassed (aud set to a wildcard or the authorization server itself). Resource indicators force the authorization server to commit to a specific audience at token-issue time. This makes cross-service token reuse impossible because the aud claim no longer matches any other service’s resource identifier.

How to Implement Resource Indicators Correctly

Require the resource parameter on every authorization request from MCP clients. Validate that the requested resource is a registered MCP server before issuing the token. Include the resource URL as the aud claim in the issued token. On the MCP server side, validate aud against your canonical resource identifier with exact matching, not prefix matching. Reject tokens with missing or wildcard aud claims.

Summary

Resource Indicators (RFC 8707) is the OAuth extension that binds access tokens to specific MCP servers at issue time, enabling proper audience validation and blocking the token passthrough patterns that cause cross-service breaches. The Certified MCP Security Expert (CMCPSE) certification trains engineers to design RFC 8707-compliant MCP authorization flows that hold up against cross-tenant attacks.

Start your journey today and upgrade your security career

Gain advanced security skills through our certification courses. Upskill today and get certified to become the top 1% of cybersecurity engineers in the industry.