🤖 AI Summary
The Model Context Protocol's 2025-11-25 authorization spec landed with two major changes aimed at taking MCP beyond hobby projects into enterprise environments. First, MCP adopts Client ID Metadata Documents (CIMD) to replace brittle Dynamic Client Registration. Instead of registering separately with every authorization server, a client's client_id is itself an HTTPS URL (e.g., https://example-app.com/client.json) that serves a JSON metadata document (client name, logo, redirect URIs, public keys). The authorization server fetches that document, checks that it names the same client_id URL, and then enforces it, most importantly by requiring the redirect URI in the authorization request to match the published list exactly. The result is a decentralized, DNS-backed trust model: no registration step, no unbounded client table on the server for anyone to abuse or bloat, and strong client authentication (private_key_jwt) becomes possible because the client publishes its public keys in the document. Deployment considerations remain: desktop and native clients typically redirect to a loopback address rather than a fixed https URL, and the authorization server now makes an outbound fetch to a caller-chosen URL, which needs the usual SSRF guards. Early implementations (VSCode, client.dev) are already exercising the flow.
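The authorization-server side of the CIMD flow described above, as an added example that is not code from the MCP spec, VSCode or client.dev. It validates the client_id URL before any fetch (https only, no credentials, fragment or dot segments, a path component, and an SSRF screen on the host), then validates the fetched document (the client_id it declares must equal the URL it was served from, redirect URIs must be an exact match, and a private_key_jwt client must actually publish keys). The rule set encodes the Client ID Metadata Document draft as I read it and should be checked against the current draft; the `fetch` callable, the `CONSTRUCTED_DOCS` documents and the `evil.example` impersonation attempt are constructed for the example.

```python
"""Authorization-server-side checks for a CIMD client_id URL and its metadata document.
Added example, not code from the MCP spec, VSCode or client.dev. The rule set follows
the Client ID Metadata Document draft as this example's author reads it (assumption)."""
import ipaddress
import json
from urllib.parse import urlparse

class CimdError(ValueError):
    """A client_id URL or its metadata document was rejected."""

def _forbidden_host(host: str) -> bool:
    """SSRF guard: a caller-chosen client_id must not steer the AS's fetch at loopback,
    link-local or RFC 1918 space. Only literals are screened here; a real fetcher must
    also re-check the address it actually connects to (DNS rebinding)."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: resolve and re-check at fetch time
    return ip.is_private or ip.is_loopback or ip.is_link_local

def validate_client_id_url(client_id: str) -> None:
    """Syntactic checks that run before any network request."""
    u = urlparse(client_id)
    if u.scheme != "https":
        raise CimdError("client_id must be an https URL")
    if not u.hostname:
        raise CimdError("client_id must have a host")
    if u.username or u.password:
        raise CimdError("client_id must not embed credentials")
    if u.fragment:
        raise CimdError("client_id must not contain a fragment")
    if not u.path:
        raise CimdError("client_id must contain a path component")
    if any(seg in (".", "..") for seg in u.path.split("/")):
        raise CimdError("client_id must not contain dot segments")
    if _forbidden_host(u.hostname):
        raise CimdError("client_id host points at a non-public address")

def load_client_metadata(client_id: str, fetch) -> dict:
    """Fetch and validate the document. fetch(url) -> str is injected so this runs
    offline; a real one should cap the body size, refuse redirects and honour
    Cache-Control so the AS does not re-fetch on every authorization request."""
    validate_client_id_url(client_id)
    doc = json.loads(fetch(client_id))
    if not isinstance(doc, dict):
        raise CimdError("metadata document must be a JSON object")
    # The document must name the URL it was served from; this is what stops a document
    # hosted on another origin from claiming someone else's client_id.
    if doc.get("client_id") != client_id:
        raise CimdError("client_id in document does not match its URL")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or not uris or not all(isinstance(r, str) for r in uris):
        raise CimdError("redirect_uris must be a non-empty list of strings")
    if doc.get("token_endpoint_auth_method") == "private_key_jwt" and not (doc.get("jwks") or doc.get("jwks_uri")):
        raise CimdError("private_key_jwt declared without jwks or jwks_uri")
    return doc

def authorize_request_ok(client_id: str, redirect_uri: str, fetch) -> tuple:
    """Gate for an /authorize request. Returns (allowed, reason or client_name)."""
    try:
        doc = load_client_metadata(client_id, fetch)
    except ValueError as exc:  # CimdError and JSON decode errors
        return False, str(exc)
    if redirect_uri not in doc["redirect_uris"]:  # exact match only: no prefix or wildcard leniency
        return False, "redirect_uri not listed in metadata document"
    return True, doc.get("client_name", client_id)

# Constructed sample documents standing in for what the AS would fetch over HTTPS.
EXAMPLE_CLIENT_ID = "https://example-app.com/client.json"
CONSTRUCTED_DOCS = {
    EXAMPLE_CLIENT_ID: json.dumps({
        "client_id": EXAMPLE_CLIENT_ID,
        "client_name": "Example App",
        "logo_uri": "https://example-app.com/logo.png",
        "redirect_uris": ["https://example-app.com/oauth/callback"],
        "token_endpoint_auth_method": "private_key_jwt",
        # Ed25519 public key from the RFC 8037 test vector, used here as a placeholder.
        "jwks": {"keys": [{"kty": "OKP", "crv": "Ed25519", "kid": "2025-11",
                           "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}]},
    }),
    # Hosted on a different origin but claiming Example App's client_id.
    "https://evil.example/client.json": json.dumps({
        "client_id": EXAMPLE_CLIENT_ID,
        "redirect_uris": ["https://evil.example/cb"],
    }),
}

def fake_fetch(url: str) -> str:
    if url not in CONSTRUCTED_DOCS:
        raise CimdError("metadata document not found")
    return CONSTRUCTED_DOCS[url]

if __name__ == "__main__":
    print(authorize_request_ok(EXAMPLE_CLIENT_ID, "https://example-app.com/oauth/callback", fake_fetch))
    print(authorize_request_ok("https://evil.example/client.json", "https://evil.example/cb", fake_fetch))
```

The second sample document is the case worth internalising: a document on evil.example that copies Example App's client_id is rejected purely because its own `client_id` member does not equal the URL it was fetched from, so the check costs nothing beyond the fetch the AS was already doing. Everything else (no fetch to private address space, exact redirect URI comparison, a key set behind any private_key_jwt claim) is the same hygiene an AS should apply to Dynamic Client Registration, just moved to fetch time.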
Second, the spec adds Enterprise-Managed Authorization (Cross App Access, XAA), built on the Identity Assertion Authorization Grant pattern, to put the enterprise IdP back in the loop. The client first signs in with the corporate IdP as usual (SSO). It then sends the resulting ID token to the IdP's token endpoint in a token-exchange request that names the target MCP authorization server and resource; the IdP applies admin policy for that client/server pair and, if allowed, returns a short-lived Identity Assertion JWT Authorization Grant (ID-JAG). Finally, the client presents the ID-JAG to the MCP authorization server as a JWT bearer assertion grant and receives an access token. No user consent dialog appears because consent was granted centrally by the administrator; the admin sees every agent-to-server connection, can revoke it at the IdP, and policy is enforced in one place, which closes off "shadow" agent-server connections that bypass IT. Together, CIMD and XAA remove the main scalability and governance blockers to enterprise MCP adoption.
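The three-step XAA exchange described above with all three parties' messages, as an added example that is not the MCP spec's or any IdP vendor's code. The parameter names (`grant_type`, `requested_token_type`, `subject_token`, `audience`, `resource`) and the JAG claims follow the Identity Assertion Authorization Grant draft as I read it; treat them as an assumption to check against the draft. The JWTs are HMAC-signed stand-ins for the IdP's real asymmetric signature, and the issuers, the agent's client_id URL, the policy table and the signing key are all constructed. The checks that matter for the governance story are the IdP's policy lookup (no approved client/resource pair, no JAG) and the authorization server's verification that the assertion is a JAG and not a replayed ID token, is for this AS, is bound to the authenticating client, and is used once.

```python
"""XAA / ID-JAG exchange, simulated. Added example, not MCP-spec or vendor code.
Parameter and claim names follow the Identity Assertion Authorization Grant draft as
this example's author reads it (assumption); HS256 stands in for the IdP's real signature."""
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
ID_JAG_TYPE = "urn:ietf:params:oauth:token-type:id-jag"
ID_JAG_TYP = "oauth-id-jag+jwt"  # JOSE typ that keeps an ID token from passing as a JAG

def _b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign(claims: dict, key: bytes, typ: str) -> str:
    head = _b64u(json.dumps({"alg": "HS256", "typ": typ}).encode())
    body = _b64u(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64u(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())

def jwt_verify(token: str, key: bytes, typ: str, now: float) -> dict:
    head, body, sig = token.split(".")
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64u_dec(sig)):
        raise ValueError("invalid signature")
    if json.loads(_b64u_dec(head)).get("typ") != typ:
        raise ValueError("unexpected typ")
    claims = json.loads(_b64u_dec(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims

class EnterpriseIdP:
    """Corporate IdP: runs SSO, then mints ID-JAGs only where admin policy allows."""
    def __init__(self, issuer, key, policy):
        self.issuer, self.key, self.policy = issuer, key, policy  # policy: {(client_id, resource): scopes}

    def sso(self, user, client_id, now):  # step 1: ordinary OIDC login
        claims = {"iss": self.issuer, "sub": user, "aud": client_id, "iat": now, "exp": now + 3600}
        return jwt_sign(claims, self.key, "JWT")

    def token_exchange(self, form, now):  # step 2: ID token in, ID-JAG out
        want = (TOKEN_EXCHANGE, ID_JAG_TYPE, ID_TOKEN_TYPE)
        if (form.get("grant_type"), form.get("requested_token_type"), form.get("subject_token_type")) != want:
            return {"error": "unsupported_grant_type"}
        try:
            idt = jwt_verify(form["subject_token"], self.key, "JWT", now)
        except ValueError:
            return {"error": "invalid_grant"}
        if idt["aud"] != form["client_id"]:
            return {"error": "invalid_grant"}  # ID token was issued to some other client
        requested = set(form.get("scope", "").split())
        if not requested or not requested <= self.policy.get((form["client_id"], form["resource"]), set()):
            return {"error": "access_denied"}  # admin has not approved this agent/server pair
        jag = {"iss": self.issuer, "sub": idt["sub"], "aud": form["audience"], "client_id": form["client_id"],
               "resource": form["resource"], "scope": " ".join(sorted(requested)),
               "jti": secrets.token_hex(8), "iat": now, "exp": now + 300}  # minutes, not hours
        return {"issued_token_type": ID_JAG_TYPE, "token_type": "N_A",
                "access_token": jwt_sign(jag, self.key, ID_JAG_TYP)}

class McpAuthorizationServer:
    """The MCP server's AS: trusts one IdP's JAGs, so no user consent screen is shown."""
    def __init__(self, issuer, idp_issuer, idp_key):
        self.issuer, self.idp_issuer, self.idp_key, self.seen_jti = issuer, idp_issuer, idp_key, set()

    def token(self, form, now):  # step 3: JWT bearer grant, ID-JAG in, access token out
        if form.get("grant_type") != JWT_BEARER:
            return {"error": "unsupported_grant_type"}
        try:
            jag = jwt_verify(form["assertion"], self.idp_key, ID_JAG_TYP, now)
        except ValueError:
            return {"error": "invalid_grant"}
        if jag["iss"] != self.idp_issuer or jag["aud"] != self.issuer:
            return {"error": "invalid_grant"}
        if jag["client_id"] != form["client_id"]:
            return {"error": "invalid_client"}  # JAG is bound to the client that authenticated
        if jag["jti"] in self.seen_jti:
            return {"error": "invalid_grant"}  # one-time use
        self.seen_jti.add(jag["jti"])
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "scope": jag["scope"], "sub": jag["sub"]}

def run_xaa_flow(idp, mcp_as, client_id, user, resource, scope, now):
    """Client side of the three steps; returns the token response or the first error."""
    ex = idp.token_exchange({"grant_type": TOKEN_EXCHANGE, "requested_token_type": ID_JAG_TYPE,
                             "subject_token": idp.sso(user, client_id, now), "subject_token_type": ID_TOKEN_TYPE,
                             "audience": mcp_as.issuer, "resource": resource, "scope": scope,
                             "client_id": client_id}, now)
    return ex if "error" in ex else mcp_as.token(
        {"grant_type": JWT_BEARER, "assertion": ex["access_token"], "client_id": client_id}, now)

# Constructed identifiers; the shared key stands in for the IdP's key pair.
IDP_ISSUER, IDP_KEY = "https://idp.acme.example", b"constructed-idp-key-not-for-real-use"
MCP_AS_ISSUER, MCP_RESOURCE = "https://auth.mcp-vendor.example", "https://mcp-vendor.example/mcp"
AGENT_CLIENT_ID = "https://agent.acme.example/client.json"
```

To run it, build `EnterpriseIdP(IDP_ISSUER, IDP_KEY, {(AGENT_CLIENT_ID, MCP_RESOURCE): {"tools:read", "tools:call"}})` and `McpAuthorizationServer(MCP_AS_ISSUER, IDP_ISSUER, IDP_KEY)`, then call `run_xaa_flow` with a user, the resource and a scope string. Asking for a resource that is not in the policy table, or for more scope than it grants, ends at step 2 with `access_denied` from the IdP, which is the "no shadow connections" property in code: the MCP authorization server never sees a request at all. The `typ` check in `jwt_verify` is what makes an ordinary ID token useless as an assertion, and the `jti` set is the minimal replay defence a short-lived JAG still needs.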