
Authentication in MCP: What 518 Production Servers Actually Do

Stack Overflow's engineering blog recently published a thorough explanation of how authentication should work in MCP. The spec is clear. The tooling is improving. But I've been scanning real production MCP servers for the past three months. Here's what they actually do.

The Numbers

I scanned 518 MCP servers from the official registry and the broader ecosystem. Here's the breakdown:

304 servers (59%): authentication present (OAuth, API keys, or bearer tokens)
214 servers (41%): no authentication at all
156 servers (a subset of those 214): no auth and expose callable tools to anyone

41% without auth isn't a tail risk. It's the default behavior for a significant portion of the ecosystem.

Three Architectures I Found

Architecture 1: MCP-Layer Auth (Enterprise)

Tools like Slack, Linear, and GitHub's official MCP servers enforce OAuth at the MCP protocol level. The client must authenticate before the server will respond to any tool calls. This matches
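The breakdown above and the MCP-layer auth pattern in Architecture 1 both come down to one question: what does a server say to a tools/list request that carries no credentials? The following is an added example, not the author's scanner and not code from any of the named projects. It classifies constructed probe responses into the post's three buckets: a 401/403 or a WWW-Authenticate challenge means the MCP layer is gated before any tool call is answered; a successful response with a non-empty tools array means the server is open and exposes callable tools; anything else unauthenticated is counted as "no auth". The in-band JSON-RPC error heuristic, the SSE unwrapping and all sample responses are assumptions made for the illustration; the post's numbers were not produced with this code.

```python
"""Classify MCP servers by what an unauthenticated tools/list probe gets back.

Added example. Responses are hand-constructed below; nothing touches the network.
"""
import json
from dataclasses import dataclass, field

# JSON-RPC message a scanner would POST to the MCP endpoint without credentials.
# (Assumption: the transport's initialize handshake has already been done.)
TOOLS_LIST_REQUEST = {"jsonrpc": "2.0", "id": 1, "method": "tools/list"}

AUTH_PRESENT = "auth_present"
NO_AUTH = "no_auth"
NO_AUTH_TOOLS_EXPOSED = "no_auth_tools_exposed"


@dataclass
class ProbeResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _json_rpc_payload(body: str, content_type: str):
    """Parse the JSON-RPC message, unwrapping SSE framing when the server streams."""
    text = body
    if "text/event-stream" in content_type:
        # Streamable HTTP may answer with SSE; the message sits in "data:" lines.
        data_lines = [ln[5:].strip() for ln in body.splitlines() if ln.startswith("data:")]
        if not data_lines:
            return None
        text = data_lines[-1]
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def classify(resp: ProbeResponse) -> str:
    """Map one unauthenticated probe response to a bucket from the post."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    # An HTTP challenge before any tool call is answered is the MCP-layer auth pattern.
    if resp.status in (401, 403) or "www-authenticate" in headers:
        return AUTH_PRESENT
    msg = _json_rpc_payload(resp.body, headers.get("content-type", ""))
    if not isinstance(msg, dict):
        return NO_AUTH
    if "error" in msg:
        # Heuristic (assumption): an in-band JSON-RPC error that names
        # authentication (e.g. "Unauthorized") is treated as a gated server.
        if "auth" in str(msg["error"].get("message", "")).lower():
            return AUTH_PRESENT
        return NO_AUTH
    tools = (msg.get("result") or {}).get("tools") or []
    return NO_AUTH_TOOLS_EXPOSED if tools else NO_AUTH


def summarize(results):
    """Count probes the way the post reports them: the tools-exposed set is a
    subset of the no-auth set, not a third disjoint bucket."""
    counts = {AUTH_PRESENT: 0, NO_AUTH: 0, NO_AUTH_TOOLS_EXPOSED: 0}
    for _name, resp in results:
        counts[classify(resp)] += 1
    return {
        "total": len(results),
        "auth_present": counts[AUTH_PRESENT],
        "no_auth": counts[NO_AUTH] + counts[NO_AUTH_TOOLS_EXPOSED],
        "no_auth_tools_exposed": counts[NO_AUTH_TOOLS_EXPOSED],
    }


# Constructed sample probes (not real servers).
SAMPLE_PROBES = [
    ("oauth-gated", ProbeResponse(401, {"WWW-Authenticate": 'Bearer resource_metadata="https://mcp.example/.well-known/oauth-protected-resource"'})),
    ("open-with-tools", ProbeResponse(200, {"Content-Type": "application/json"},
        json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"tools": [{"name": "run_query", "inputSchema": {"type": "object"}}]}}))),
    ("open-sse", ProbeResponse(200, {"Content-Type": "text/event-stream"},
        'event: message\ndata: {"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"delete_file"}]}}\n\n')),
    ("open-no-tools", ProbeResponse(200, {"Content-Type": "application/json"},
        json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"tools": []}}))),
    ("inband-auth-error", ProbeResponse(200, {"Content-Type": "application/json"},
        json.dumps({"jsonrpc": "2.0", "id": 1, "error": {"code": -32001, "message": "Unauthorized"}}))),
]

if __name__ == "__main__":
    for name, resp in SAMPLE_PROBES:
        print(f"{name:20s} {classify(resp)}")
    print(summarize(SAMPLE_PROBES))
```

Two practitioner caveats: the probe only lists tools, it never calls one, because an unauthenticated tools/call against a production server can have side effects; and a 200 with an empty tools array is still counted as "no auth", since the server answered the protocol without any challenge.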
Continue reading on Dev.to



