Comment by EtienneK
5 days ago
> Most people understand these two things to be, collectively, the "provider" side of OAuth
Citation needed. As another commenter already noted, the term "Provider" is rarely used in OAuth itself. When it is mentioned, it's typically in the context of OpenID Connect, where it refers specifically to the Authorization Server - not the Resource Server.
> the service provider, who is providing an API that requires authorization
That’s actually the Resource Server.
I understand that the current MCP spec [1] merges the Authorization Server and Resource Server roles, similar to what your library does. However, there are strong reasons to keep these roles separate [2].
In fact, the MCP spec authors acknowledge this [3], and the latest draft [4] makes implementing an Authorization Server optional for MCP services.
That’s why I’m being particular about clearly naming the roles your library supports in the OAuth flow. Going forward, MCP servers will always act as OAuth Resource Servers, but will only optionally act as Authorization Servers. Your library should make that distinction explicit.
[1]: https://modelcontextprotocol.io/specification/2025-03-26/bas...
[2]: https://aaronparecki.com/2025/04/03/15/oauth-for-model-conte...
[3]: https://github.com/modelcontextprotocol/modelcontextprotocol...
[4]: https://modelcontextprotocol.io/specification/draft/basic/au...
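The role split argued for above, as an added example that is not from the comment or from the library it discusses: a Resource Server check that accepts access tokens minted by a separate Authorization Server, verifying signature, issuer, audience (binding the token to this MCP server's resource identifier) and expiry, with no token issuance of its own. All names and values are constructed for the example, and HS256 with a shared secret stands in for the JWKS-based asymmetric verification a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values. A real Resource Server would pin the AS's issuer
# and fetch its public signing keys (JWKS) rather than share a secret.
ISSUER = "https://as.example"          # the separate Authorization Server
RESOURCE = "https://mcp.example/mcp"   # this MCP server's resource identifier
SECRET = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict) -> str:
    """Authorization Server role: mint an HS256 JWT. An RS-only MCP server does not ship this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_access_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource Server role: accept only tokens from the trusted issuer, bound to this resource."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # malformed base64 or JSON; binascii.Error is a ValueError
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm the AS uses; never let the token choose
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if RESOURCE not in aud:
        return None  # token was issued for some other resource server
    if claims.get("exp", 0) <= now:
        return None
    return claims
```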