OAuth Resource Indicators
OAuth Resource Indicators give a client a standard way to say which protected resource a requested access token is meant for, so the token can be shaped and audience-restricted before an agent uses it.
Definition
OAuth Resource Indicators are the Standards Track extension defined in RFC 8707, Resource Indicators for OAuth 2.0, by Brian Campbell, John Bradley, and Hannes Tschofenig. RFC 8707 was published in February 2020. It adds a resource request parameter that lets an OAuth client explicitly signal the protected resource, also called the resource server, where it intends to use an access token.
The basic distinction is simple. A scope says what kind of access is requested, such as reading files or posting calendar entries. A resource indicator says where the resulting token is intended to be used. In multi-resource systems, that difference is not cosmetic. The same scope string can mean different things at different APIs, and a token that is valid everywhere is harder to contain after leakage or confused delegation.
For AI agents, resource indicators matter because agents often discover tools, connectors, and servers at runtime. A coding agent, browser agent, or workflow runner may ask an authorization server for a token while holding a URL for a specific tool server. RFC 8707 gives that request a standardized place to carry the intended destination.
How It Works
A client includes the resource parameter when it sends an authorization request or token request to the authorization server. RFC 8707 says the value is an absolute URI and must not contain a fragment component. Multiple resource parameters can be used when a requested token is intended for more than one resource.
The authorization server can use the resource value to decide whether the request is acceptable, which token format to issue, which audience value to place in the token, and which effective scope to return. RFC 8707 defines the invalid_target error for an invalid, missing, unknown, malformed, or unacceptable resource.
In an authorization-code flow, the resource requested at the authorization endpoint applies to the authorization grant. A later token request can ask for an access token aimed at a subset of the originally granted resources. RFC 8707 also says the authorization server should audience-restrict issued access tokens to the indicated resources.
Agent Context
The Model Context Protocol makes this concrete. The MCP 2025-11-25 authorization specification says MCP clients must implement Resource Indicators for OAuth 2.0 and include the resource parameter in both authorization requests and token requests. It also says the parameter must identify the MCP server the client intends to use the token with.
That rule addresses a common agent failure mode: a tool URL is discovered at runtime, but the token is minted as if all tools behind the same authorization server are interchangeable. If the requested resource is explicit, the authorization server can issue a token for that destination and the resource server can reject tokens aimed elsewhere.
Resource indicators do not decide whether the agent's instruction is safe. A malicious prompt can still ask an agent to request access to the wrong server, and a resource server can still be compromised. The point is narrower: the token request should carry the destination boundary instead of leaving it implicit in prose, UI state, or model-generated code.
Governance and Safety
RFC 9700, the OAuth 2.0 Security Best Current Practice, recommends audience restriction to reduce replay of captured access tokens on other resource servers. Resource indicators are one way to give the authorization server the destination information needed to make that audience boundary explicit.
Audit trails should preserve the client identifier, requested resource URI, canonicalized resource value, authorization server, granted scope, effective scope returned in the token response, token audience, resource server decision, and any invalid_target failure. In an agent incident, those records answer a basic question: did the agent ask for a token for the server it actually used?
The main governance mistake is treating the resource parameter as decoration. It should drive policy and validation. If the authorization server ignores it, if the resource server fails to validate token audience, or if an agent runtime lets untrusted text choose the resource URI, the boundary collapses back into ambient authority.
Defense Pattern
- Require a resource for agent tokens. Do not mint broad connector tokens when the client knows the target tool or resource server.
- Canonicalize carefully. Use absolute URIs, reject fragments, and define how trailing slashes, paths, ports, and aliases map to resource identities.
- Validate at the resource server. A resource indicator helps only if the resource server checks token audience before serving the request.
- Keep scope separate. Use scopes or Rich Authorization Requests for the action, and resource indicators for the destination.
- Pair with sender constraint. Combine audience boundaries with sender-constrained tokens where token replay would create material harm.
- Do not trust model-chosen endpoints. Treat resource selection as a policy decision, not as arbitrary text from the current prompt context.
Source Discipline
Claims about OAuth Resource Indicators should identify the exact requested resource URI, authorization request, token request, token audience, effective scope, and resource-server validation behavior. Do not collapse it into OAuth Protected Resource Metadata, OAuth Token Exchange, sender constraint, ordinary scopes, or a legal conclusion that a user consented. Resource says where; scope and authorization details say what; sender constraint says who can present the token.
Spiralist Reading
Spiralism reads resource indicators as an address written onto authority. A token should not float as a general permission slip through whatever server an agent happens to meet next.
The address is not trust. It is a boundary. The institution still has to check the request, limit the action, and remember which resource was named when authority changed hands.
Open Questions
- Should agent platforms refuse authorization flows when a target resource cannot be derived from a trusted server identity?
- How should consent screens explain the difference between scope and resource without burying users in protocol terms?
- When multiple resources are requested, should the authorization server issue one token or separate audience-specific tokens?
- How should incident reports represent resource selection when model output suggested the endpoint?
Related Pages
- AI Agent Identity
- Capability-Based Security
- Confused Deputy Problem
- OAuth Protected Resource Metadata
- OAuth Token Exchange
- Rich Authorization Requests
- Pushed Authorization Requests
- JWT-Secured Authorization Requests
- OAuth Client ID Metadata Documents
- OAuth Attestation-Based Client Authentication
- Sender-Constrained Tokens
- Model Context Protocol
- AI Agent Sandboxing
- AI Audit Trails
- Prompt Injection
- Secure AI System Development
- Agent Tool Permission Protocol
Sources
- B. Campbell, J. Bradley, and H. Tschofenig, IETF, RFC 8707: Resource Indicators for OAuth 2.0, February 2020.
- D. Hardt, IETF, RFC 6749: The OAuth 2.0 Authorization Framework, October 2012.
- IETF, RFC 9700: Best Current Practice for OAuth 2.0 Security, January 2025.
- Model Context Protocol, Authorization specification, version 2025-11-25.