
MCP OAuth in Practice: Lessons from Building Authentication for AI Agents

Blog post from Semaphore

Post Details
Author: Pete Miloravac
Word Count: 573
Language: English
Hacker News Points: -
Summary

As AI agents increasingly integrate into development workflows, Semaphore is transitioning from a traditional CI/CD platform to a foundation for securely managing AI-powered developer processes at scale, with its OAuth implementation as a critical component. The shift to OAuth for MCP servers addresses the growing need for secure, flexible authentication as these servers move to remote environments. OAuth goes beyond what API keys offer by providing more secure interactions while leaving developers in control of permissions. Implementing OAuth in the rapidly evolving MCP ecosystem presents challenges, however: agents vary in how much of the MCP spec they support and their OAuth flows are inconsistent, which calls for frequent real-world testing and a focus on compatibility rather than theoretical completeness. The process highlighted the complexity of client registration and discovery, the need for custom authorization logic beyond what identity providers like Keycloak supply, and the importance of starting with stable specs and iterating based on practical tests. These efforts are foundational to Semaphore’s broader vision of enabling agent-driven workflows, secure automation, and developer-controlled AI systems, ultimately leading to more intelligent and programmable development workflows without compromising transparency or control.