ZenML

Secure Authentication for AI Agents using Model Context Protocol

Arcade 2025

Arcade identified a critical security gap in the Model Context Protocol (MCP): AI agents needed authenticated access to third-party APIs such as Gmail, but the protocol gave servers no standard way to run an OAuth 2.0 authorization flow with the user. They developed two proposals: first a user-interaction capability (PR #475), then an extension of MCP's elicitation framework with a URL mode (PR #887) that lets servers drive OAuth flows in the user's browser while keeping tokens on the trusted server side and out of the untrusted client. This work addresses a fundamental production deployment problem for AI agents that need authenticated access to real-world systems.

Industry

Tech

Case Study Overview

Arcade is a company focused on making AI infrastructure production-ready, with team members bringing years of experience from authentication systems at companies like Okta, Stormpath, and Redis. This case study examines their technical contributions to the Model Context Protocol (MCP) ecosystem, specifically addressing critical security gaps that prevent AI agents from safely accessing third-party services in production environments.

The core problem Arcade identified was fundamental: while MCP handles client-server authentication effectively, it completely lacks mechanisms for servers to securely obtain third-party credentials needed for real-world integrations. This represents a significant barrier to deploying AI agents in production settings where they need authenticated access to services like Gmail, Slack, or other enterprise systems.

Technical Problem Analysis

The authentication challenge in MCP represents a classic distributed systems security problem. AI agents operating through MCP servers need to make authenticated requests to external APIs, but the protocol provides no secure credential gathering mechanism. This forces developers into several problematic workarounds that violate security best practices:

Current workarounds include service-account tokens with broad scopes (violating least privilege), credentials hardcoded in server configuration, tokens passed through the MCP client (exposing bearer credentials to untrusted code), and credentials stored client-side, which creates token exfiltration risks. These patterns are especially dangerous because MCP clients are often untrusted code running on user devices: in OAuth 2.0 terms they are "public clients" (RFC 6749, section 2.1), which cannot keep a client secret confidential.

The security architecture flaw becomes apparent when considering that MCP clients operate in untrusted environments while needing to facilitate secure authentication flows. This creates a fundamental tension between security requirements and architectural constraints that Arcade set out to resolve through protocol-level improvements.

Solution Architecture: Two-Phase Approach

Arcade developed their solution through two distinct technical approaches, both aimed at establishing proper security boundaries while enabling production-ready authentication flows.

Phase One: User Interaction Capability (PR #475)

Their initial proposal introduced a new client capability for user interactions, using the user's browser, rather than the MCP client, as the place where the user authenticates with the third-party provider. This is the redirect-based pattern OAuth has relied on since OAuth 1.0 in 2007. The proposed userInteraction capability exposed a small interface supporting a prompt, a URL, and a timeout.

This design let servers send users to the server's own or the provider's endpoints for credential gathering, keeping the resulting tokens out of the client's execution context entirely. The proposal drew extensive community discussion, with over 50 contributors examining attack vectors, CSRF protections, and state management approaches, a sign of how much security detail such a flow involves.

Phase Two: Extended Elicitation Framework (PR #887)

When MCP shipped with an elicitation capability for dynamically rendering forms and gathering user data, Arcade evolved their approach rather than introducing competing capabilities. They extended the existing elicitation framework with a new URL mode, creating clear separation of concerns between different types of user interactions.

The extended framework distinguishes between form mode for client-rendered UI handling non-sensitive data like preferences and parameters, and URL mode for direct browser navigation handling sensitive flows including OAuth 2.0, payments, WebAuthn, and SAML. This architectural decision maintains consistency within the protocol while providing the necessary security guarantees.
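To make the form/URL split concrete, here is an added Python example (mine, not Arcade's code or any MCP SDK's) of a server-side guard that refuses to put secrets into a client-rendered form and refuses a URL-mode target that is not https or that carries a bearer credential in its query string. The flat-primitive restriction on requestedSchema is how MCP's elicitation spec defines form requests; the "mode" field name and the sensitive-name pattern are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# MCP form elicitation only allows a flat object of primitive properties.
PRIMITIVES = {"string", "number", "integer", "boolean"}
# Assumed deny-list of field names that should never be collected through a client-rendered form.
SENSITIVE = re.compile(r"(password|passwd|secret|token|api[_-]?key|otp|credential|ssn|card)", re.I)
# Query parameters that would hand a bearer credential to the untrusted client if placed in a URL.
BEARER_PARAMS = {"access_token", "refresh_token", "client_secret", "id_token"}


def form_elicitation(message, schema):
    """Form mode: the client renders it, so only non-sensitive primitive fields are allowed."""
    if schema.get("type") != "object":
        raise ValueError("requestedSchema must be a flat object")
    for name, prop in schema.get("properties", {}).items():
        if prop.get("type") not in PRIMITIVES:
            raise ValueError(f"{name}: nested or non-primitive types are not allowed in form mode")
        if SENSITIVE.search(name) or prop.get("format") == "password":
            raise ValueError(f"{name}: sensitive data belongs in URL mode, not a client-rendered form")
    return {"mode": "form", "message": message, "requestedSchema": schema}


def url_elicitation(message, url):
    """URL mode: the client only navigates, so the URL itself must not carry secrets."""
    p = urlparse(url)
    if p.scheme != "https" or not p.netloc:
        raise ValueError("URL mode requires an absolute https URL")
    if p.username or p.password:
        raise ValueError("URL must not embed credentials in its authority")
    if BEARER_PARAMS & set(parse_qs(p.query)):
        raise ValueError("URL must not carry tokens; the server exchanges the code itself")
    return {"mode": "url", "message": message, "url": url}
```

In a real server the URL handed to the client is the provider's authorization endpoint with a state value the server has bound to the current session; state, client_id and a PKCE challenge are safe for the client to see, which is exactly why they may appear in the URL while tokens may not.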

Security Model and Implementation Details

The security model implemented through URL elicitation establishes explicit trust boundaries that align with established web security patterns. The architecture defines three distinct security zones: untrusted MCP clients that facilitate navigation and handle retry logic, trusted servers that manage tokens, validate state, and enforce scopes, and trusted authentication providers that handle user authentication and consent.

This separation closes off whole classes of vulnerability: token exfiltration through a compromised client, scope escalation by a client that edits the scopes it requests, and "confused deputy" problems in which a client is tricked into making the server act on someone else's authorization.

The practical effect is visible in deployments. Before URL elicitation, developers had to hand tokens to the client, which typically meant bearer tokens sitting in browser localStorage, readable by any script in that origin. With URL elicitation, the client does nothing more than open a URL; the server runs the OAuth exchange, validates the returned state, and holds the tokens, so the client never handles a credential.

Production Readiness Considerations

Arcade’s work addresses several critical aspects of production AI agent deployment. The solution enables proper scoped access where servers can request minimum necessary permissions, token refresh handling for expiry without user intervention, comprehensive audit trails tracking actions taken with specific authorizations, and user-controlled revocation through authentication providers.

The multi-provider authentication capability is particularly important for real-world AI agents that need to integrate with multiple services. The URL elicitation pattern handles this elegantly by supporting multiple concurrent authorization flows, allowing agents to gather credentials from various providers as needed for complex workflows.
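The before/after flow above, the server-side duties listed in the security model (validate state, enforce scopes, keep tokens), and the concurrent multi-provider case are all exercised in this added Python simulation. It is my own illustration, not Arcade's implementation or an MCP SDK: the tool names, scope strings, provider endpoints, callback URL and the "mode"/"url" message shape are assumptions, and FakeProvider is a constructed stand-in for a real authorization server so the example runs offline. The client code path only ever receives URLs and results; the test proves no issued token string reaches it.

```python
import hashlib
import json
import secrets
import time
from base64 import urlsafe_b64encode
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical tool -> (provider, minimum scopes). Scope strings are illustrative, not real Google/Slack scopes.
TOOLS = {"gmail.list": ("google", ("mail.read",)), "slack.post": ("slack", ("chat.write",))}
STATE_TTL = 300                                         # seconds an authorization may stay pending
REDIRECT = "https://server.example/oauth/callback"      # hypothetical callback owned by the server


def s256(verifier):
    """PKCE code_challenge = BASE64URL(SHA256(verifier)) without padding."""
    return urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


class FakeProvider:
    """Constructed stand-in for the authorization server; issues codes, then tokens."""
    def __init__(self):
        self.challenges = {}   # code -> code_challenge
        self.issued = []       # tokens handed out, so the test can prove the client never saw them

    def authorize(self, url):
        # Browser step: the user consents, the provider redirects to REDIRECT with code and state.
        q = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(16)
        self.challenges[code] = q["code_challenge"][0]
        return {"code": code, "state": q["state"][0]}

    def token(self, code, verifier):
        if self.challenges.pop(code, None) != s256(verifier):   # codes are single use
            raise PermissionError("PKCE verification failed")
        tok = "at-" + secrets.token_urlsafe(16)
        self.issued.append(tok)
        return tok


class ToolServer:
    """Trusted side: owns state, PKCE verifiers and tokens. Clients only ever get a URL."""
    def __init__(self, providers):
        self.providers = providers
        self.pending = {}    # state -> pending authorization (session, provider, scopes, verifier, expiry)
        self.tokens = {}     # (session, provider) -> {"token", "scopes"}
        self.audit = []      # (session, tool, provider, scopes) for every authorized action

    def call_tool(self, session, tool):
        provider, needed = TOOLS[tool]
        held = self.tokens.get((session, provider))
        if held is None or not set(needed) <= held["scopes"]:     # no token, or scopes too narrow: re-elicit
            return {"elicitation": self._url_elicitation(session, provider, needed)}
        self.audit.append((session, tool, provider, needed))
        return {"result": f"{tool} ok via {provider}"}    # a real server would call the API with held["token"]

    def _url_elicitation(self, session, provider, scopes):
        state, verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(48)
        self.pending[state] = dict(session=session, provider=provider, scopes=scopes,
                                   verifier=verifier, expires=time.time() + STATE_TTL)
        params = dict(response_type="code", client_id="mcp-server", scope=" ".join(scopes), state=state,
                      code_challenge=s256(verifier), code_challenge_method="S256", redirect_uri=REDIRECT)
        # The "mode"/"url" fields are an assumed URL-mode shape, not the PR's exact schema.
        return {"mode": "url", "message": f"Authorize {provider} access",
                "url": f"https://{provider}.example/authorize?{urlencode(params)}"}

    def handle_callback(self, query):
        """Redirect target on the server: state must be known, unexpired and single use."""
        pend = self.pending.pop(query.get("state", ""), None)
        if pend is None or pend["expires"] < time.time():
            raise PermissionError("unknown, replayed or expired state")
        token = self.providers[pend["provider"]].token(query["code"], pend["verifier"])
        self.tokens[(pend["session"], pend["provider"])] = {"token": token, "scopes": set(pend["scopes"])}
        return pend["session"]


def run_flow(server, providers, session, tools):
    """Untrusted-client side: opens whatever URL the server returns; never touches codes or tokens."""
    seen, open_flows = [], []
    for tool in tools:
        resp = server.call_tool(session, tool)
        seen.append(resp)
        if "elicitation" in resp:
            open_flows.append((TOOLS[tool][0], resp["elicitation"]["url"]))
    for provider, url in reversed(open_flows):           # several flows pending at once, finished in any order
        server.handle_callback(providers[provider].authorize(url))   # the provider redirects to the server
    return [server.call_tool(session, t) for t in tools], seen


def token_leaked(messages, tokens):
    """True if any issued token string appears anywhere in what the client received."""
    blob = json.dumps(messages)
    return any(t in blob for t in tokens)
```

Two details carry the security argument: pending state is popped on first use, so a replayed or forged callback fails before any code exchange happens, and the scope check on every tool call means a token granted for one tool cannot be reused by the client for a tool that needs more.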

The implementation timeline reflects a practical approach to ecosystem adoption. Arcade’s tools already implement these authentication patterns, providing real-world validation of the approach. The URL elicitation standardization through PR #887 aims to establish these patterns across the broader MCP ecosystem.

LLMOps and Production Impact

From an LLMOps perspective, this work addresses one of the most significant barriers to deploying AI agents in production environments. Without secure authentication mechanisms, AI agents are limited to demo scenarios or first-party API access only. The authentication gap prevents agents from accessing the real-world data and systems they need to provide genuine business value.

The security-first approach taken by Arcade reflects mature understanding of production deployment requirements. Their emphasis on proper OAuth 2.0 implementation, security boundary enforcement, and attack vector mitigation demonstrates the kind of infrastructure thinking necessary for enterprise AI deployments.

However, it’s important to note that while Arcade presents compelling technical solutions, the case study is written from the perspective of a company promoting their own products and services. The claims about production readiness and security effectiveness, while technically sound, should be evaluated alongside broader ecosystem adoption and independent security reviews.

Technical Assessment and Limitations

The proposed solutions address genuine technical problems in the MCP ecosystem, and the authentication patterns follow established security best practices. The separation of concerns between form and URL elicitation modes is architecturally sound and aligns with OAuth 2.0 design principles.

However, several considerations warrant attention. The success of these authentication patterns depends heavily on broader ecosystem adoption by both MCP client and server implementations. The security model assumes proper implementation by all parties, and the complexity of OAuth 2.0 flows may create implementation challenges for some developers.

Additionally, while URL elicitation solves the credential gathering problem, it introduces user experience complexity with redirect flows and multiple authorization steps. This may impact adoption in scenarios where simpler authentication mechanisms might be preferred despite security trade-offs.

Broader Implications for AI Infrastructure

Arcade’s work on MCP authentication represents broader trends in AI infrastructure maturation. As AI agents move from experimental prototypes to production deployments, security, reliability, and integration capabilities become critical differentiators. The focus on proper authentication flows, security boundaries, and production-ready patterns reflects the evolution of the AI tooling ecosystem.

The emphasis on respecting established web security patterns rather than inventing new mechanisms shows mature engineering judgment. By leveraging OAuth 2.0, browser security contexts, and proven authentication flows, the solution builds on decades of security research and real-world validation.

This approach to AI infrastructure development, prioritizing security and production readiness from the beginning, represents a significant shift from the “move fast and break things” mentality often seen in early AI tooling. As AI systems become more integral to business operations, this kind of security-first thinking becomes essential for sustainable deployment and adoption.
