
TL;DR
MCP's new Enterprise-Managed Authorization removes per-user OAuth friction. Anthropic, Okta, Figma, and Linear ship centralized auth for AI agent tooling.
Model Context Protocol (MCP) has solved the "how do AI agents call external tools" problem. But it created another: every employee has to individually authorize every MCP server they want to use. For enterprises deploying AI tooling at scale, this means dozens of OAuth flows per person, no centralized audit trail, and constant risk of employees accidentally connecting personal accounts instead of corporate ones.
Anthropic just shipped a fix. Enterprise-Managed Authorization (EMA) lets organizations control MCP server access centrally through their identity provider - Okta, in this first release.
The technical implementation uses Identity Assertion JWT Authorization Grants (ID-JAG), a new token format working its way through the OAuth Working Group:
The result: MCP servers that the admin pre-authorizes connect automatically on first login, scoped to the user's existing roles and groups.
From the official announcement:
"The per-user authorization tax keeps most of them switched off. Enterprise-Managed Authorization enables organizations to control MCP server access centrally through their trusted identity provider."
Launch partners include Figma, Linear, Asana, and Atlassian on the MCP server side, with Anthropic's Claude and Visual Studio Code as initial clients.
The Hacker News discussion runs 90+ comments and surfaces the expected debate between MCP advocates and skeptics, plus some substantive security discussion.
The Security Tradeoff
The top concern is predictable: removing friction also removes a checkpoint. One commenter raises the prompt injection scenario:
"Suppose I start a conversation and enter some highly third-party-prompt-injectable request, perhaps 'Fork github.com/some_third_party/coolproject and submit a PR to do such-and-such.' That repo injects a prompt that attempts to do a tool call to steal all my money. If I indeed have a bank MCP configured, I absolutely want to be prompted!"
The response from proponents: this is exactly why EMA is enterprise-focused. The IT admin, not the employee, decides what gets connected. If the organization trusts Claude with their Linear and Figma accounts, that's a policy decision made at the org level, not per-conversation.
The "MCP is Dead" Crowd
As expected, comments include variations of "I thought we were over this collective delusion called MCP." The counterargument from practitioners:
"The real valuable capability MCP offers over skills/CLI is isolating the auth flow outside of the agent's context window, and potentially out of the harness completely... Maybe the idealized form of MCP is just an auth gateway for the API and nothing else. That'd still be a win."
This frames MCP less as a protocol for tool calling and more as infrastructure for managing agent permissions - a much narrower but more defensible value proposition.
Enterprise vs Consumer Identity
A nuanced thread distinguishes why EMA makes sense for employees but not consumers:
"In Enterprise, the IDP is the single owner for the identity, so it essentially can represent the user uniquely and sort of pretty much do anything it wishes for (includes deleting the identity). For consumer identity, the resource server owns the identity/user explicitly."
The concern is that removing consent from the flow only works when the organization legitimately owns the identity. For consumer use cases, this would be inappropriate.
The Microsoft Entra Gap
Several commenters flag that Microsoft Entra ID (Azure AD) doesn't support Dynamic Client Registration, making this harder to implement for Microsoft-heavy enterprises. One developer shares a workaround:
"What we ended up doing was the app proxying the OAuth flow, to inject a hardcoded client_id. So we lie to the MCP client telling it we support DCR while behind the hood we use a standalone client_id as usual for the MCP."
This suggests the ecosystem still has rough edges beyond the Okta happy path.
The Atlassian Implementer
An Atlassian engineer shows up in the thread:
"I implemented the RAS end of this for Atlassian. There will certainly be iterations around this flow - CIMD, better tenancy support, etc., but all the folks involved in delivering this at Anthropic, Okta, and here at Atlassian were fantastic."
This confirms major SaaS vendors are taking MCP auth seriously.
Newsletter
Get the weekly deep dive
Tutorials on Claude Code, AI agents, and dev tools, delivered free every week.
From the archive
Jun 18, 2026 • 6 min read
Jun 18, 2026 • 6 min read
Jun 18, 2026 • 7 min read
Jun 18, 2026 • 7 min read
The broader story is AI agent infrastructure maturing. MCP started as a way to give LLMs tool access - essentially structured function calling with a discovery mechanism. But tool access without auth management isn't enterprise-ready.
EMA addresses the specific pain point of "I want my whole engineering team using Claude with access to our Jira, GitHub, and Slack, without each person going through 15 OAuth flows and potentially connecting wrong accounts."
For developers building MCP servers, this means:
The auth story for AI agents is still early. Questions remain around fine-grained permissions (OAuth scopes are notoriously coarse), multi-hop delegation (what happens when one agent calls another agent), and auditability (who accessed what, through which agent, when). But having basic enterprise SSO working is a prerequisite for everything else.
The ID-JAG spec is being formalized through the OAuth Working Group. WorkOS has published an overview of the open drafts covering multi-hop delegation for AI agents - essentially, what happens when agents need to delegate permissions to other agents.
One of the MCP maintainers points to additional work in progress:
"There are some active discussions on task level authz and multi-hop delegation in the OAuth WG right now."
The draft for attenuating agent tokens - inspired by macaroons and capability-based access control - is available on the IETF datatracker.
For now, EMA solves the immediate problem of getting enterprise users onto MCP tooling without an onboarding nightmare. The harder problems - permissions that narrow based on context, audit trails that track agent decision chains, policies that prevent overly-permissive tool access - remain active work.
Read next
MCP's new enterprise-managed authorization flow is not just less login friction. It moves agent tool access into identity, policy, and audit systems enterprises already understand.
8 min readVercel acquires the open-source authentication framework that became the go-to Next.js auth solution. HN weighs in on open source sustainability and vendor lock-in concerns.
5 min readOak rethinks version control for agentic workflows with virtual mounts, faster snapshots, and lower VCS-related token overhead. Here's what the HN community thinks about this Show HN.
8 min readTechnical content at the intersection of AI and development. Building with AI agents, Claude Code, and modern dev tools - then showing you exactly how it works.
Gives AI agents access to 250+ external tools (GitHub, Slack, Gmail, databases) with managed OAuth. Handles the auth and...
View ToolDrop-in auth for React/Next.js. Pre-built sign-in UI, session management, user profiles, org management. This site uses...
View ToolA hosted infinite canvas your headless AI agents drive over MCP. Any MCP-speaking agent - Claude Code, Codex, Cursor, or...
View ToolPre-configured or dynamic OAuth for remote MCP servers.
Claude CodeConfigure Claude Code for maximum productivity -- CLAUDE.md, sub-agents, MCP servers, and autonomous workflows.
AI AgentsWhat MCP servers are, how they work, and how to build your own in 5 minutes.
AI Agents
Security researchers discovered a prompt injection vulnerability in GitHub's Agentic Workflows that allows attackers to...

Vercel acquires the open-source authentication framework that became the go-to Next.js auth solution. HN weighs in on op...

Cloudflare announces native support for the x402 HTTP payment protocol, letting developers charge for API calls and web...

Armin Ronacher's new essay explores the tension between letting AI agents loop autonomously and maintaining the engineer...

A developer used OpenAI Codex to build a fully open-source WYSIWYG editor for TikZ figures. The technical approach and r...

Oak rethinks version control for agentic workflows with virtual mounts, faster snapshots, and lower VCS-related token ov...

New tutorials, open-source projects, and deep dives on coding agents - delivered weekly.