MCP (Model Context Protocol) makes it easy for agents to expose tools. It works great… until your agent needs OAuth.

Example: you’ve got an MCP server for Gmail. The client and tool definitions all work. But there’s no secure way in the protocol to get an OAuth token. Current hacks? Hardcoded credentials, service accounts with way too much scope, or passing tokens through untrusted clients. All bad.

At Arcade.dev we’ve been working on a proposal to fix this: PR #887

. It extends MCP’s new elicitation system with a url mode. That means:

Form elicitation → for non-sensitive parameters (preferences, configs)

URL elicitation → for sensitive flows like OAuth, payments, WebAuthn

Clients just open the URL in a browser. Servers handle tokens and scopes. Credentials never touch the LLM or the client — mirroring how web auth has worked for 15+ years.

Why it matters:

Scoped OAuth without leaking secrets

Proper token refresh + revocation

Works cleanly for multi-provider auth (Gmail + Slack + GitHub, etc.)

Moves MCP closer to being production-ready, not just local demos

Spec PR link again: https://github.com/modelcontextprotocol/modelcontextprotocol...

Curious what the HN crowd thinks: does this strike the right balance between flexibility and security?