February 2, 2026

Authlete Supports CIMD, Introduces New Features to Enhance MCP Server Security

Authlete 3.0 adds functionality to improve authorization security and development efficiency for MCP services

We’re pleased to announce that Authlete 3.0 has introduced support for OAuth Client ID Metadata Documents (CIMD) and a set of security- and developer-friendly features for building authorization servers compliant with the latest Model Context Protocol (MCP).

With Authlete, public institutions and service providers that offer data or functionality to AI agents via MCP—such as SaaS vendors, businesses leveraging data in healthcare, finance, and legal sectors, and retail/e-commerce operators—can securely and efficiently implement an OAuth-compliant authorization server in their MCP service infrastructure.

MCP is an open-source standard for connecting AI applications to external systems. Since its introduction by Anthropic in 2024, MCP has been adopted by companies such as Amazon Web Services, Cloudflare, Google, Microsoft, and OpenAI, and the latest version was released in November 2025.

Organizations that expose MCP servers on the internet must build OAuth-compliant authorization servers to securely grant access to MCP clients used by customers and partners.

In addition to CIMD, Authlete supports all OAuth specifications adopted by the latest MCP, including OAuth 2.1 (IETF Draft), Authorization Server Metadata (RFC 8414), Dynamic Client Registration Protocol (RFC 7591), and Resource Indicators for OAuth 2.0 (RFC 8707).

What is CIMD?

CIMD enables an authorization server to retrieve client metadata from the URL a client presents as its client ID during the OAuth authorization flow, eliminating the need for traditional client pre-registration. This approach is particularly useful for MCP environments, which are designed for dynamic federation between clients and authorization servers.

Authlete’s Security Enhancement Features

Implementing CIMD for authorization servers requires not only enabling “dynamic client registration,” but also mechanisms to prevent unintended client registrations and appropriately process retrieved client metadata. Therefore, in addition to CIMD-compliant APIs, Authlete provides the following proprietary features:

  • Prevention of unintended or malicious registrations: Domains and URLs can be pre-registered as “allowlists,” restricting URLs accepted as client IDs.
  • Metadata Content Adjustment: Security requirements can be defined as a “metadata policy” and applied to adjust retrieved client metadata before registering client information.

Authlete's Developer-Friendly Features for Efficient Development

Authlete provides the following configurations to streamline the development of authorization servers.

  • Disabling metadata cache: Configuring Authlete to retrieve client metadata for each request rather than caching it improves efficiency during authorization server development.
  • Allowing HTTP scheme: Accepting the http scheme in addition to https for URLs indicating client IDs simplifies the development of web servers hosting client metadata.
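To make the allowlist and metadata-policy checks described under "Security Enhancement Features", together with the cache and HTTP-scheme toggles listed above, concrete, here is an added illustration in Python. It is not Authlete's code and does not use Authlete's API; the rule names, allowlist entries and metadata documents are constructed for the example, and HTTP fetching is replaced by an in-memory table. The resolver treats the client ID as a URL, validates it against an allowlist before any network access, fetches the document, requires that the document's own client_id equals the URL it was fetched from, and then applies a policy that drops non-https redirect URIs, strips disallowed grant types and rejects unsupported token endpoint authentication methods.

```python
"""Toy CIMD resolver (example code, not Authlete's implementation)."""
from urllib.parse import urlparse

# Constructed allowlist: bare hostnames must match the client_id host exactly;
# entries carrying a scheme are treated as URL prefixes.
ALLOWLIST = ["clients.example.com", "https://partner.example.org/mcp/"]

# Constructed metadata policy (hypothetical rule names).
POLICY = {
    "redirect_uri_schemes": {"https"},
    "allowed_grant_types": {"authorization_code", "refresh_token"},
    "token_endpoint_auth_methods": {"none", "private_key_jwt"},
}

# Constructed metadata documents standing in for HTTPS fetches.
FAKE_WEB = {
    "https://clients.example.com/agent.json": {
        "client_id": "https://clients.example.com/agent.json",
        "client_name": "Example MCP agent",
        "redirect_uris": ["https://agent.example.com/cb",
                          "http://agent.example.com/cb"],
        "grant_types": ["authorization_code", "refresh_token",
                        "client_credentials"],
        "token_endpoint_auth_method": "none",
    },
    "https://clients.example.com/mismatch.json": {
        # Document claims a different client_id than the URL it lives at.
        "client_id": "https://other.example.net/agent.json",
        "redirect_uris": ["https://agent.example.net/cb"],
    },
}

_cache = {}


def check_client_id_url(client_id, allowlist=ALLOWLIST, allow_http=False):
    """Return None if the client_id URL is acceptable, else a reason string."""
    u = urlparse(client_id)
    schemes = {"https", "http"} if allow_http else {"https"}
    if u.scheme not in schemes:
        return "scheme_not_allowed"
    if not u.hostname or u.fragment:
        return "malformed"
    for entry in allowlist:
        if "://" in entry:
            if client_id.startswith(entry):   # prefix entry
                return None
        elif u.hostname == entry:             # exact host entry
            return None
    return "not_in_allowlist"


def apply_policy(doc, policy=POLICY):
    """Return an adjusted copy of doc, or raise ValueError if it cannot comply."""
    out = dict(doc)
    out["redirect_uris"] = [
        r for r in doc.get("redirect_uris", [])
        if urlparse(r).scheme in policy["redirect_uri_schemes"]
    ]
    if not out["redirect_uris"]:
        raise ValueError("no acceptable redirect_uris")
    out["grant_types"] = [
        g for g in doc.get("grant_types", ["authorization_code"])
        if g in policy["allowed_grant_types"]
    ]
    # RFC 7591 default when the field is absent is client_secret_basic.
    method = doc.get("token_endpoint_auth_method", "client_secret_basic")
    if method not in policy["token_endpoint_auth_methods"]:
        raise ValueError(f"token_endpoint_auth_method {method!r} not allowed")
    out["token_endpoint_auth_method"] = method
    return out


def resolve_client(client_id, fetch=FAKE_WEB.get, cache_enabled=True,
                   allow_http=False):
    """Turn a client_id URL into registrable client metadata, or raise ValueError."""
    reason = check_client_id_url(client_id, allow_http=allow_http)
    if reason:
        raise ValueError(f"client_id rejected: {reason}")
    if cache_enabled and client_id in _cache:
        return _cache[client_id]
    doc = fetch(client_id)
    if doc is None:
        raise ValueError("metadata document not found")
    # Binding check: the document must claim the URL it was fetched from.
    if doc.get("client_id") != client_id:
        raise ValueError("client_id in document does not match its URL")
    adjusted = apply_policy(doc)
    if cache_enabled:
        _cache[client_id] = adjusted
    return adjusted
```

With caching enabled, edits to a hosted metadata document are not seen until the cached entry expires, which is why a development setting that fetches on every request is convenient; with `allow_http=True` the same resolver accepts a plain-http client ID served from a local web server. Prefix entries in the allowlist should only be used with a normalized path in a real deployment, since the simple `startswith` check here does not collapse `..` segments.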

For details on these features, refer to the developer documentation.

Why Use Authlete for MCP Authorization?

  • Simplified OAuth implementation: By offloading complex OAuth protocol operations to Authlete, you simplify the development of a secure authorization server for your MCP service. Various OAuth settings, including CIMD, can be easily modified via Authlete's management console.
  • Greater flexibility in authorization server configuration: As a headless service that provides OAuth protocol processing and token management via Web APIs, Authlete enables the flexible development and operation of authorization servers tailored to MCP service requirements.
  • Keeping up to date with OAuth specification evolution: OAuth specs adopted in MCP are expected to evolve. Authlete tracks these changes for you, enabling you to stay updated.
  • Enhanced security and development efficiency: Authlete's unique features, such as allowlists and metadata policies, enable secure implementation of authorization functionality for your MCP server exposed to the internet. Additionally, development efficiency features, such as disabling metadata caching and allowing the http scheme, speed up the development of the MCP service infrastructure.

Authlete Management Console

Try Authlete for free to build an MCP-compliant authorization server: https://console.authlete.com/register