🤖 AI Summary
The Model Context Protocol (MCP) was billed as a route to seamless interoperability between AI agents and web services, but its current OAuth implementation undermines that promise. Instead of each consuming app holding its own client ID and secret as in standard OAuth — which enables vetting, accountability, and the ability to block specific apps — MCP centralizes those credentials in the MCP server. That “implicit OAuth” lets agents obtain temporary access without being uniquely identifiable or undergoing traditional security approval. Real-world examples highlight the split: Asana’s MCP server grants access only to Claude and ChatGPT, effectively whitelisting platforms, while Notion’s open MCP access bypasses app-level vetting and exposes sensitive APIs without the usual safeguards.
The technical shift from app-credentialed OAuth to server-held credentials has major implications: it erodes application-level accountability, enables vendor-driven gatekeeping, and risks vendor lock-in where large AI platforms become de facto app stores for service access. Rather than broadening interoperability, MCP’s current practice can reproduce closed gardens controlled by major AI providers and service vendors. For the AI/ML community this raises urgent questions about security, governance, and how to design an authentication model that preserves both usability and the principled protections standard OAuth was built to provide.