OAuth 2.1 Server MCP Authentication: CIMD Support Soon?
authHello Supabase Team,
As you probably know, Dynamic Client Registration (DCR) has been painful in practice for MCP clients: it can bloat the OAuth Apps list (lots of one-off client_ids) and creates security/operational concerns. Supabase’s current MCP auth guidance also highlights DCR as the default path today.
The Model Context Protocol authorization spec has now evolved to de-emphasize DCR and instead prioritize Client ID Metadata Documents (CIMD) (URL-based client identity / metadata).
Related:
• PR: https://github.com/modelcontextprotocol/modelcontextprotocol/pull/1296/files
• Spec section: https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-registration-approaches
Question: Are you planning to add support for Client ID Metadata Documents (CIMD) in the Supabase OAuth server, and if so, do you have an expected timeline?
As you probably know, Dynamic Client Registration (DCR) has been painful in practice for MCP clients: it can bloat the OAuth Apps list (lots of one-off client_ids) and creates security/operational concerns. Supabase’s current MCP auth guidance also highlights DCR as the default path today.
The Model Context Protocol authorization spec has now evolved to de-emphasize DCR and instead prioritize Client ID Metadata Documents (CIMD) (URL-based client identity / metadata).
Related:
• PR: https://github.com/modelcontextprotocol/modelcontextprotocol/pull/1296/files
• Spec section: https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-registration-approaches
Question: Are you planning to add support for Client ID Metadata Documents (CIMD) in the Supabase OAuth server, and if so, do you have an expected timeline?
