mooreds
3 days ago
Disclosure, I work for an auth provider (details in profile).
This was a great read. Very straightforward, explaining how to layer on all the functionality that is optional for an OAuth2 server but required by MCP[0]. I also liked the test MCP server[1] they provide, which will be useful for anyone else running an MCP gateway. I also liked the real-world lessons toward the end, including the public/private client note.
They omitted some commercial OAuth servers out there with MCP support. Not sure if that was intentional or not. I'm aware of Stytch and WorkOS, but there may be others.
I had a question for the greater HN community, though. How many of you are using MCP with OAuth authentication for production use cases? Not MCP with OAuth for exploration or MCP without OAuth or MCP over stdio.
I've been looking to talk to folks about this tech and having a hard time finding them. I'm not sure if it is because I'm talking to the wrong people, asking the wrong questions, if MCP is in early days, or if MCP is a fad. (I don't think the last one is the case given the activity in the spec and the Discord listed on the communication page[2], but include it for completeness.)
If you are actively working on MCP with OAuth in production contexts, would love to learn more about where you're hanging out.
0: https://modelcontextprotocol.io/specification/2025-06-18/bas...
pmig
3 days ago
Thanks for the feedback - highly appreciated. I'll reach out on LinkedIn; although we are trying to talk to the same happy folks, I am happy to exchange notes.