Part 8 | MCP Prompt Injection: Why Your AI Agents Can’t Defend Against It Alone (Coming Soon)
Part 9 | MCP PII Data Security: How Tool Calls Leak PII and How to Stop It (Coming Soon)
Part 10 | MCP Enterprise Architecture That Actually Works: The Complete Reference (Coming Soon)
In the last post, I walked through what OAuth actually requires you to build when you are securing an MCP server. The short version: it is more than most teams expect, and it has nothing to do with what your MCP server is supposed to do.
That is a problem for one server. It becomes a different kind of problem when you have ten.
What Happens When MCP Scales
When teams start with MCP, they usually build one server. Maybe two. Auth is annoying but manageable — you implement it once, it works, you move on.
Then the requests come in. The data team wants an MCP server for their BI platform. HR wants one for employee data. Legal wants one for contract research. The customer support team wants one connected to the ticketing system.
Each of those servers needs OAuth. Each one needs token storage, refresh logic, scope configuration, and callback handling. Each one gets built by a different team, on a different timeline, to a different standard.
Six months later you have six MCP servers and six OAuth implementations. Some are solid. Some are not. None of them share anything.
The MCP Identity Management Problem
This is what identity sprawl looks like in practice. Here is what it costs you:
No central visibility. There is no single place to see what tokens have been issued across your MCP infrastructure. If you want to know who has access to what, you are checking six different systems.
No single revocation point. An employee leaves. A token is compromised. You need to cut off access fast. Instead of one operation, you are tracking down credentials across six servers — hoping nothing was missed.
Inconsistent security posture. The BI server’s OAuth implementation was built by a senior engineer with time to do it right. The customer support server was built in a sprint. They are not equivalent, but there is no obvious way to tell from the outside.
Audit gaps. Your compliance team wants a unified trail of who called what and when across your MCP infrastructure. It does not exist. The logs are spread across six servers with different formats and retention policies.
Maintenance drag. App teams need to update OAuth scopes. A new security vulnerability requires patching. You are doing that work six times instead of once — and the weakest implementation is your actual security floor.
None of this is unusual. It is what happens when teams build independently without a shared MCP enterprise architecture strategy. The technical term for it is identity sprawl. The practical experience of it is an audit you are not prepared for.
The Pattern That Fixes It
The insight is straightforward: OAuth complexity is undifferentiated infrastructure. It is the same problem in every MCP server. So solve it once.
The control plane pattern moves all of that — DCR endpoint, OAuth to your IdP, callback handling, token exchange, token storage — into a single layer that sits between your MCP clients and your MCP servers. Your MCP servers get to focus on tools, resources, and prompts. MCP identity management becomes someone else’s problem.
Here is what the architecture looks like before and after:
Before: Every MCP server carries its own OAuth stack. Each one is a separate implementation, a separate token store, and a separate point of failure.
After: One control plane handles auth for all of them. MCP servers are reduced to business logic. The control plane becomes the single point of visibility, governance, and revocation. If you are weighing whether a single MCP gateway or multiple independent servers is the right model for your organization, this is the architectural question at the center of that decision.
Try Obot Today
⬇️ Download the Obot open-source gateway on GitHub and begin integrating your systems with a secure, extensible MCP foundation.
What the Control Plane Actually Handles
It is worth being specific about what moves into the control plane and what stays in the MCP server.
The control plane handles:
Dynamic Client Registration (DCR) — so MCP clients can register once without per-server static configuration
OAuth to your IdP — Entra, Okta, or whatever your organization uses
Static callback handling — for providers that do not support DCR natively (more on this in the next post)
Token exchange and storage — clients get a scoped token from the control plane; the raw OAuth token never leaves the control plane
Audit logging — every tool call, every user, every timestamp, in one place
Revocation — cut off access at the control plane and it is done across all servers simultaneously
The MCP server handles:
Tools
Resources
Prompts
That is it. A new MCP server does not need to think about auth at all. It connects to the control plane and inherits everything. This is the core promise of centralized MCP identity management: new servers are secure by default, not by effort.
What This Unlocks for Your Security Team
The single biggest benefit is not developer productivity — it is being able to answer the questions your security team is going to ask.
“Who has access to which MCP servers?” — answered from one place.
“Can we revoke access immediately if someone leaves?” — yes, one operation.
“Do we have an audit trail of every tool invocation?” — yes, unified, in one system.
“Where are OAuth tokens stored?” — in the control plane, encrypted, not scattered across servers.
These are not hypothetical questions. If your MCP OAuth enterprise deployment is touching HR data, financial data, or customer records, your security team will ask them before you go to production. The control plane pattern means you have answers ready. For a broader look at what secure MCP access requires across authentication, authorization, encryption, and auditing, that post covers the full picture.
Where to Go From Here
The control plane pattern is the foundation of a sound MCP enterprise architecture. Understanding what an MCP gateway is and how it implements this control plane is the natural next step if you are evaluating how to deploy this pattern in your organization. But there are also a few specific auth challenges worth understanding in detail before you build — particularly if your organization runs on Microsoft Entra, which has a quirk that affects every MCP deployment.
That is what the next post covers.
Next in the series: Dynamic Client Registration: Why It Matters and Why Entra Breaks It
This post is part of Obot’s series on enabling MCP at enterprise scale. Obot is an open source MCP gateway with a built-in identity and governance control plane. Learn more at obot.ai.
