// GLOSSARY -- AI AGENT SECURITY

What is Token Passthrough?

2 min read Updated

Token passthrough is the anti-pattern in which an MCP server accepts access tokens that were not issued for it, or forwards the token it received from the client unmodified to upstream APIs. The MCP specification explicitly forbids it.

WHY IT MATTERS

The spec's language is unambiguous: MCP servers MUST validate that tokens were issued specifically for them as the intended audience, MUST reject tokens whose audience claim does not include them, and "MUST NOT accept or transit any other tokens". If a server calls upstream APIs, it must act as its own OAuth client to them — the upstream token is a separate token issued by the upstream's authorisation server, never the one the MCP client presented.

Passthrough is forbidden because it breaks OAuth's audience binding and creates a confused deputy: the downstream API sees a syntactically valid token and trusts it as though the MCP server had obtained and validated it, when in fact the server is blindly relaying whatever it was handed. Concretely this means:

  • A token stolen from one service can be replayed against an MCP server that skips audience validation, then laundered onward to downstream APIs.
  • Controls at the downstream layer — rate limits, allowlists, anomaly detection — see the wrong principal, so requests appear to come from a trusted intermediary.
  • Audit trails cannot attribute actions correctly, because the identity in the token does not match the path the request actually took.

The pattern usually arises from convenience: a server that proxies a SaaS API simply forwards the inbound Authorization header rather than managing its own credentials. The mitigations are mandated by MCP Authorization: clients send the RFC 8707 resource parameter so tokens are bound to one server, and servers validate audience before processing any request.

PolicyLayer puts a deterministic check in front of every tool call — the enforcement layer this page assumes.

GOVERN YOUR MCP SERVERS →

Enforced before the call runs. Nothing to install.

HOW POLICYLAYER USES THIS

PolicyLayer's gateway issues its own per-person scoped tokens for client access and holds upstream credentials server-side, so client tokens never transit to upstream servers. Every tools/call is policy-evaluated and logged against the person who made it, keeping attribution intact across the chain.

See the MCP Security reference →

FREQUENTLY ASKED QUESTIONS

Why does the MCP specification forbid token passthrough?
Because it breaks audience binding and enables confused deputy attacks: downstream APIs trust a forwarded token as if the MCP server had validated it, controls see the wrong principal, and audit attribution is lost.
What should an MCP server do instead of passing tokens through?
Validate that inbound tokens were issued for it specifically, and act as a separate OAuth client to any upstream API, using its own token issued by the upstream's authorisation server.
How does the resource parameter help prevent passthrough?
RFC 8707 Resource Indicators bind each access token to the canonical URI of one MCP server, so a token minted for one service fails audience validation everywhere else.

FURTHER READING

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

GOVERN YOUR MCP SERVERS →

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.