
Spring Office Hours: S4E28 - Securing MCP Servers with Spring AI
Oct 24, 2025

Join Spring Security expert Daniel Garnier-Moiroux as he unpacks the world of MCP server security. With a focus on OAuth2 and API key integrations, he emphasizes the importance of securing public MCP servers to protect sensitive data. Daniel discusses the evolution of the MCP specification around security, best practices for implementing authorization, and the role of tools like the MCP Inspector for testing OAuth flows. Whether you're building enterprise applications or exploring new projects, Daniel's insights are crucial for a secure Spring AI ecosystem.
AI Snips
MCP Is Rapidly Becoming A Core AI Protocol
- MCP adoption exploded quickly and resembles a unifying protocol for AI tooling.
- It may become as foundational to AI as HTTP was to the internet, though standards are still evolving.
Choose Streamable Or Stateless Transport Deliberately
- Use streamable HTTP when you need ongoing two-way interactions like forms, sampling, or progress updates.
- Use stateless POST responses for simple request/response flows to avoid session complexity.
Spec Initially Required Token Issuance
- Daniel recalled the March spec that initially required MCP servers to act as resource and authorization servers.
- The community reaction led to rapid revision because requiring token issuance was impractical.

