Dynamic OAuth 2.1 & DCR auditor for deployed MCP servers.
6 HTTP-level checks. Catches the phishing primitives the MCP spec
requires you to handle — and most servers don’t.
pipx install git+https://github.com/veloxlabsio/mcp-oauth-audit.git Static AST analysis. Runs before you deploy. Catches code-level bugs in MCP server authors’ own implementations.
Dynamic black-box. Runs against a live server. Catches misconfigurations you can only see from the outside — the ones integrators inherit blind.
A scanner that only reads source misses what the deployment actually exposes. A prober that only hits HTTP misses bugs hiding in logic. Run both.
Probes the /register endpoint
redirect_uri on unrelated domains — the phishing primitive.javascript: or data: as redirect target. Direct XSS on the authorization response.token_endpoint_auth_method=“none” but still returns a secret. Confused threat model.Fetches /.well-known/oauth-authorization-server
issuer, authorization_endpoint, token_endpoint) missing or wrong type.response_types_supported contains token. RFC 9700 §2.1.2 forbids this for new deployments.plain advertisedcode_challenge_methods_supported absent or lists plain. Downgrade risk; only S256 is safe.Simulated run against an MCP server with all 6 common misconfigurations. The auditor flags 5 findings, exits non-zero, and finishes in ~2 seconds — CI-ready.
$ mcp-oauth-audit https://vulnerable-mcp.example.com
mcp-oauth-audit target: https://vulnerable-mcp.example.com
checks run 6
findings 5
Summary by severity
━━━━━━━━━━━━━━━━━━━━━━━━
critical 1
high 3
medium 1
low 0
info 0
── CRITICAL MOA-011 DCR accepts javascript: redirect_uri
Registration returned 201 for redirect_uri='javascript:alert(1)'
── HIGH MOA-010 DCR accepts arbitrary external redirect_uri
Registered client with redirect_uri='http://attacker.example.com/cb'
── HIGH MOA-020 Implicit flow advertised in metadata
response_types_supported contains 'token' — RFC 9700 forbids this
── HIGH MOA-030 Public client issued a client_secret
token_endpoint_auth_method='none' but server returned client_secret='abc123...'
── MEDIUM MOA-021 PKCE 'plain' method advertised
code_challenge_methods_supported contains 'plain' — downgrade risk
✓ audit complete · 5 findings · 2.1s · exit 1 (HIGH/CRITICAL present)javascript: redirect_uriclient_secretplain method advertised$ pipx install git+https://github.com/veloxlabsio/mcp-oauth-audit.git$ mcp-oauth-audit https://my-mcp-server.example.com$ mcp-oauth-audit https://my-mcp-server.example.com --output json$ mcp-oauth-audit https://localhost:8443 --insecureNo source access needed. Runs against any reachable MCP server, whether you wrote it or inherited it.
Same server, same findings. No LLM, no heuristic scoring. Each check is a spec assertion against the HTTP response.
No token endpoint probing. No rate-limit abuse. Only checks that would pass a responsible-disclosure review.
Non-zero exit on HIGH or CRITICAL. JSON output. Finishes in 2–3 seconds. Drop it into a deploy gate.
A security tool that silently skips coverage is worse than none. Here’s what’s deliberately out of scope today:
/register. Abuse-adjacent against third-party servers. Ethical default: don’t flood.state validation. Requires redirect-driven browser automation. On the roadmap.Roadmap: GitHub Issues ↗