GitHub shipped a compliant MCP server. Most authors can't
Weekly security audits of remote MCP servers. OAuth 2.1, PKCE, DCR, token hygiene, and the spec gaps nobody's reading. - korrel-dev/mcp-audits
Opening excerpt (first ~120 words)
GitHub shipped a compliant MCP server. Most authors can't.

Audit 01. GitHub Remote MCP Server. 2026-04-27.

GitHub's remote MCP server is a careful OAuth 2.1 implementation. It works because GitHub has owned its OAuth infrastructure for over a decade. Most MCP server authors don't have that, and the spec quietly assumes they will.

This is the first in a weekly series auditing remote MCP servers against the OAuth 2.1 authorization requirements of the Model Context Protocol specification. I picked GitHub first because it's the highest-stakes, most-integrated, most-resourced MCP server in the ecosystem. If anyone is going to get the spec right, it's them. They got the structural pieces right. Where they fell short, the gaps point to something about the ecosystem, not something about GitHub.
…
The full article is at GitHub.