What CIMD Means for MCP: Safer OAuth Without DCR — Max Gerber (Stytch)

Description

𝗖𝗜𝗠𝗗 (𝗖𝗹𝗶𝗲𝗻𝘁 𝗜𝗗 𝗠𝗲𝘁𝗮𝗱𝗮𝘁𝗮 𝗗𝗼𝗰𝘂𝗺𝗲𝗻𝘁𝘀) is a new approach that lets MCP clients use a 𝗱𝗼𝗺𝗮𝗶𝗻-𝘃𝗲𝗿𝗶𝗳𝗶𝗲𝗱 𝗨𝗥𝗟 𝗮𝘀 𝘁𝗵𝗲 𝗰𝗹𝗶𝗲𝗻𝘁 𝗜𝗗, so auth servers can fetch trusted client metadata on the fly—no endless Dynamic Client Registration (DCR) sprawl, fewer phishing risks, and clearer visibility for users and operators. In this 𝘛𝘩𝘦 𝘊𝘰𝘯𝘵𝘦𝘹𝘵 session, 𝗠𝗮𝘅 𝗚𝗲𝗿𝗯𝗲𝗿 (𝗦𝗼𝗳𝘁𝘄𝗮𝗿𝗲 𝗘𝗻𝗴𝗶𝗻𝗲𝗲𝗿, 𝗦𝘁𝘆𝘁𝗰𝗵) explains: Why DCR became a bottleneck for MCP (client sprawl, ops overhead, impersonation risks) How CIMD works (client metadata at a public URL; domain = trust anchor) What MCP clients need to ship (publish JSON, detect CIMD support, fall back to DCR) What auth servers need to ship (fetch/validate metadata, caching, SSRF protections) What’s next for the ecosystem (client registries, attestation for local clients) https://client.dev/ https://stytch.com/ https://x.com/r3turnofthemax