AuthProbe

Pinpoint MCP OAuth failures

authprobe pinpoints MCP OAuth failures. Scan any MCP endpoint and get deterministic findings mapped to RFCs.

Open-source. Apache 2.0 licensed. Written in Go.

Deterministic diagnosis

A six-step staged probe walks the entire MCP OAuth discovery flow. Every finding maps to a specific RFC section with evidence.

CLI-first

Single binary, zero config. Scan any MCP endpoint and get a funnel view of what passed, failed, or was skipped.

CI-ready

GitHub Action included. Gate deployments on OAuth compliance. Upload Markdown reports, JSON results, and evidence bundles.

RFC conformance

Checks against RFC 9728, RFC 8414, RFC 7591, RFC 7636, and MCP 2025-11-25. Strict mode for full compliance testing.

AI-driven root cause analysis

Feed in an OpenAI or Anthropic key and get a deep, RFC-grounded explanation of every failure — not a summary, a verdict.

Evidence bundles

Export sanitized Markdown, JSON, or ZIP evidence bundles. Attach to GitHub issues for concrete, reproducible reports.

The scan funnel

 [1] Discovery ──► [2] MCP Init ──► [3] PRM ──► [4] Auth Server ──► [5] Token ──► [6] DCR
       │                │              │              │                │              │
       ▼                ▼              ▼              ▼                ▼              ▼
    401 + WWW-     initialize +    Fetch PRM     Fetch issuer       POST           DCR
    Authenticate   tools/list      metadata      metadata          probe          probe

Each step maps to a specific specification: MCP, RFC 9728, RFC 8414, RFC 7591, RFC 7636.
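
The discovery, PRM and auth server steps of the funnel can be checked offline, as in this added Go example (not AuthProbe's own code). It pulls `resource_metadata` out of the 401 challenge, builds the RFC 9728 and RFC 8414 well-known URLs, and verifies that the PRM document names the probed resource. The function names and the example.com hosts are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var resourceMetadataRe = regexp.MustCompile(`(?i)\bresource_metadata="([^"]+)"`)

// PRMURLFromChallenge reads resource_metadata from a Bearer challenge (RFC 9728 section 5.1).
func PRMURLFromChallenge(header string) string {
	m := resourceMetadataRe.FindStringSubmatch(header)
	if m == nil || !strings.HasPrefix(strings.ToLower(strings.TrimSpace(header)), "bearer") {
		return "" // no Bearer challenge or no PRM pointer: discovery cannot proceed from the header
	}
	return m[1]
}

// WellKnownURL inserts /.well-known/<suffix> between host and path and drops a
// trailing slash (RFC 9728 section 3.1, RFC 8414 section 3.1). Query strings are ignored here.
func WellKnownURL(identifier, suffix string) (string, error) {
	u, err := url.Parse(identifier)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.Fragment != "" {
		return "", fmt.Errorf("not an https identifier without fragment: %q", identifier)
	}
	return "https://" + u.Host + "/.well-known/" + suffix + strings.TrimSuffix(u.Path, "/"), nil
}

// AuthServersFromPRM requires the PRM "resource" to equal the probed resource
// (RFC 9728 section 3.3) before trusting its authorization_servers list.
func AuthServersFromPRM(resource string, body []byte) ([]string, error) {
	var prm struct {
		Resource string   `json:"resource"`
		Servers  []string `json:"authorization_servers"`
	}
	if err := json.Unmarshal(body, &prm); err != nil {
		return nil, err
	}
	if prm.Resource != resource {
		return nil, fmt.Errorf("PRM resource %q does not match probed resource %q", prm.Resource, resource)
	}
	return prm.Servers, nil
}

func main() { // constructed sample input; mcp.example.com is a placeholder host
	fmt.Println(WellKnownURL("https://mcp.example.com/mcp", "oauth-protected-resource"))
}
```

A PRM document whose `resource` differs from the probed URL is rejected instead of being followed to whatever authorization server it lists.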

Used in the wild

Anthropic MCP Python SDK

Used AuthProbe to validate an OAuth interoperability issue in the Python SDK and document the behavior seen in the wild.

Sentry MCP

Used AuthProbe to identify and fix RFC 9728 PRM compliance gaps for mcp.sentry.dev.

Kiro

Used AuthProbe to pinpoint an MCP server metadata/authorization detection issue.

Yargi MCP

Used AuthProbe to surface a protocol-compliance bug with JSON-RPC request IDs.

RivalSearchMCP

Used AuthProbe to identify and fix MCP_JSONRPC_ID_NULL_ACCEPTED by rejecting JSON-RPC requests with a null request ID.

Your MCP project

Found a bug with AuthProbe? Open an issue or PR and we can feature your fix here.

Like authprobe? Give it a star on GitHub — it keeps us going.