## Case Study Overview
Arcade is a company focused on making AI infrastructure production-ready, with team members bringing years of experience from authentication systems at companies like Okta, Stormpath, and Redis. This case study examines their technical contributions to the Model Context Protocol (MCP) ecosystem, specifically addressing critical security gaps that prevent AI agents from safely accessing third-party services in production environments.
The core problem Arcade identified is structural: MCP specifies how a client authorizes to a server, but it says nothing about how a server obtains the third-party credentials that real integrations need. That gap is a significant barrier to deploying AI agents in production, where they need authenticated access to services like Gmail, Slack, or other enterprise systems on a specific user's behalf.
## Technical Problem Analysis
The authentication challenge in MCP is a classic distributed systems security problem. AI agents operating through MCP servers need to make authenticated requests to external APIs, but the protocol provides no secure way for the server to gather those credentials. This pushes developers into workarounds that violate basic security practice:

- service account tokens with excessive scopes, so every user of the server acts with the same broad permissions;
- credentials hardcoded in server configuration;
- user tokens passed through the MCP client, which places secrets in the least trusted component and erases the least-privilege boundary between client and server;
- tokens stored client-side, where they are exposed to exfiltration.

These patterns are particularly dangerous because MCP clients are often untrusted code running on user devices. In OAuth 2.0 terms they are "public clients": they cannot keep a secret, so anything they hold must be assumed exposed.
The security architecture flaw becomes apparent when considering that MCP clients operate in untrusted environments while needing to facilitate secure authentication flows. This creates a fundamental tension between security requirements and architectural constraints that Arcade set out to resolve through protocol-level improvements.
## Solution Architecture: Two-Phase Approach
Arcade developed their solution through two distinct technical approaches, both aimed at establishing proper security boundaries while enabling production-ready authentication flows.
**Phase One: User Interaction Capability (PR #475)**
Their initial proposal introduced a new client capability for user interactions, using the browser as the trusted security context. This follows the redirect pattern OAuth has relied on for well over a decade. The implementation added a `userInteraction` capability with a small interface: a prompt, a URL, and a timeout.
This design let servers send users to a secure endpoint for credential gathering while keeping the credentials entirely out of the client execution context. The proposal generated extensive community discussion, with over 50 contributors examining attack vectors, CSRF protections, and state management, which shows how much security detail such a design involves.
**Phase Two: Extended Elicitation Framework (PR #887)**
When MCP shipped with an elicitation capability for dynamically rendering forms and gathering user data, Arcade evolved their approach rather than introducing competing capabilities. They extended the existing elicitation framework with a new URL mode, creating clear separation of concerns between different types of user interactions.
The extended framework distinguishes between form mode for client-rendered UI handling non-sensitive data like preferences and parameters, and URL mode for direct browser navigation handling sensitive flows including OAuth 2.0, payments, WebAuthn, and SAML. This architectural decision maintains consistency within the protocol while providing the necessary security guarantees.
## Security Model and Implementation Details
The security model implemented through URL elicitation establishes explicit trust boundaries that align with established web security patterns. The architecture defines three security zones:

- untrusted MCP clients, which only facilitate navigation (open the URL) and handle retry logic;
- trusted servers, which hold tokens, validate the OAuth `state` parameter, and enforce scopes;
- trusted authentication providers, which authenticate the user and collect consent.
This separation prevents entire classes of security vulnerabilities including token exfiltration via compromised clients, scope escalation through client manipulation, and "confused deputy" problems where clients might be tricked into performing unauthorized actions.
The practical difference for production deployments is concrete. Before URL elicitation, developers passed tokens through the client, which in a browser-based client meant access tokens in localStorage, readable by any script running on that origin. With URL elicitation the flow is simple: the client opens a URL, and the server handles every sensitive step (state validation, code exchange, token storage) out of the client's reach.
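The server-side half of the model, as an added example rather than Arcade's or the MCP SDK's code: the server mints the authorize URL it will hand out in a URL-mode elicitation, binds the OAuth `state` to the requesting session with a short expiry and single use, carries PKCE, and keeps the resulting token in server memory. The provider endpoints, redirect URI, client id and `FakeProvider` are constructed so the whole exchange runs in-process; in production the callback arrives over HTTPS and the session is identified by the browser's cookie. The checks that stop a replayed or attacker-minted `state` from binding a token to the wrong session are the ones that defeat the login-CSRF and confused-deputy cases mentioned above.

```python
"""Authorization broker behind a URL-mode elicitation (added example).

AUTHORIZE_URL, REDIRECT_URI, CLIENT_ID and FakeProvider are assumptions so
the flow runs offline; nothing here is the project's own code.
"""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth/authorize"  # assumption
REDIRECT_URI = "https://mcp-server.example/oauth/callback"  # assumption
CLIENT_ID = "mcp-server-demo"                                # assumption


def pkce_challenge(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class PendingAuth:
    session_id: str      # the MCP session that asked for access
    provider: str
    scopes: tuple
    code_verifier: str
    expires_at: float


class AuthBroker:
    """Mints authorize URLs, validates callbacks, keeps tokens server-side."""

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self._pending: dict[str, PendingAuth] = {}  # state -> PendingAuth
        self._tokens: dict[tuple, dict] = {}        # (session, provider) -> token
        self.ttl = ttl_seconds
        self.clock = clock

    def begin(self, session_id: str, provider: str, scopes: list[str]) -> str:
        """Return the URL to send in the elicitation. The client only opens it."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(48)
        self._pending[state] = PendingAuth(session_id, provider, tuple(scopes),
                                           verifier, self.clock() + self.ttl)
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes),
            "state": state, "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256"})

    def complete(self, callback_url: str, session_id: str, exchange) -> None:
        """Handle the provider redirect. session_id is the session the browser
        presented at the callback; exchange(code, verifier, redirect_uri) calls
        the token endpoint."""
        q = parse_qs(urlparse(callback_url).query)
        state, code = q.get("state", [""])[0], q.get("code", [""])[0]
        pending = self._pending.pop(state, None)  # states are single-use
        if pending is None or self.clock() > pending.expires_at:
            raise PermissionError("unknown, replayed or expired state")
        if not hmac.compare_digest(pending.session_id, session_id):
            # A state minted for another session must never bind a token here.
            raise PermissionError("state was minted for a different session")
        token = exchange(code, pending.code_verifier, REDIRECT_URI)
        extra = set(token.get("scope", "").split()) - set(pending.scopes)
        if extra:
            raise PermissionError(f"provider granted unrequested scopes {sorted(extra)}")
        self._tokens[(session_id, pending.provider)] = token

    def has_token(self, session_id: str, provider: str) -> bool:
        return (session_id, provider) in self._tokens

    def call(self, session_id: str, provider: str, api_call):
        """Use the token on the server; it is never returned to the client."""
        return api_call(self._tokens[(session_id, provider)]["access_token"])


class FakeProvider:
    """Stand-in for the real authorization server, constructed for this example."""

    def __init__(self):
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, authorize_url: str) -> str:
        """User consents in the browser; returns the redirect back to the server."""
        q = parse_qs(urlparse(authorize_url).query)
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["code_challenge"][0], q["scope"][0])
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, code: str, code_verifier: str, redirect_uri: str) -> dict:
        if code not in self._codes:  # authorization codes are single-use
            raise PermissionError("invalid or reused code")
        challenge, scope = self._codes.pop(code)
        if not hmac.compare_digest(pkce_challenge(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": scope, "expires_in": 3600}
```

Binding `state` to the session is what makes the client's untrustworthiness survivable: a client (or an attacker who can drive it) can only open a URL the server minted, and a callback whose `state` belongs to another session is discarded rather than silently attaching someone else's account.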
## Production Readiness Considerations
Arcade's work addresses several critical aspects of production AI agent deployment. The solution enables proper scoped access where servers can request minimum necessary permissions, token refresh handling for expiry without user intervention, comprehensive audit trails tracking actions taken with specific authorizations, and user-controlled revocation through authentication providers.
Multi-provider authentication matters for real-world agents that integrate with several services. Because each URL elicitation is an independent flow, a server can run several authorization flows concurrently and gather credentials from different providers as a workflow needs them.
The implementation timeline reflects a practical approach to ecosystem adoption. Arcade's tools already implement these authentication patterns, providing real-world validation of the approach. The URL elicitation standardization through PR #887 aims to establish these patterns across the broader MCP ecosystem.
## LLMOps and Production Impact
From an LLMOps perspective, this work addresses one of the most significant barriers to deploying AI agents in production environments. Without secure authentication mechanisms, AI agents are limited to demo scenarios or first-party API access only. The authentication gap prevents agents from accessing the real-world data and systems they need to provide genuine business value.
The security-first approach taken by Arcade reflects mature understanding of production deployment requirements. Their emphasis on proper OAuth 2.0 implementation, security boundary enforcement, and attack vector mitigation demonstrates the kind of infrastructure thinking necessary for enterprise AI deployments.
However, it's important to note that while Arcade presents compelling technical solutions, the case study is written from the perspective of a company promoting their own products and services. The claims about production readiness and security effectiveness, while technically sound, should be evaluated alongside broader ecosystem adoption and independent security reviews.
## Technical Assessment and Limitations
The proposed solutions address genuine technical problems in the MCP ecosystem, and the authentication patterns follow established security best practices. The separation of concerns between form and URL elicitation modes is architecturally sound and aligns with OAuth 2.0 design principles.
However, several considerations warrant attention. The success of these patterns depends on adoption by both MCP client and server implementations. The security model also assumes each party implements its part correctly: the server in particular must bind `state` to the requesting session, accept it once, expire it promptly, and request only the scopes a tool needs. OAuth 2.0 flows have enough moving parts that some implementers will get these details wrong.
Additionally, while URL elicitation solves the credential gathering problem, it introduces user experience complexity with redirect flows and multiple authorization steps. This may impact adoption in scenarios where simpler authentication mechanisms might be preferred despite security trade-offs.
## Broader Implications for AI Infrastructure
Arcade's work on MCP authentication represents broader trends in AI infrastructure maturation. As AI agents move from experimental prototypes to production deployments, security, reliability, and integration capabilities become critical differentiators. The focus on proper authentication flows, security boundaries, and production-ready patterns reflects the evolution of the AI tooling ecosystem.
The emphasis on respecting established web security patterns rather than inventing new mechanisms shows mature engineering judgment. By leveraging OAuth 2.0, browser security contexts, and proven authentication flows, the solution builds on decades of security research and real-world validation.
This approach to AI infrastructure development, prioritizing security and production readiness from the beginning, represents a significant shift from the "move fast and break things" mentality often seen in early AI tooling. As AI systems become more integral to business operations, this kind of security-first thinking becomes essential for sustainable deployment and adoption.