Posts
All the articles I've posted.
- Unwrapping MCP Security: A Walkthrough with the PayPal MCP Server (11 min read)
  A walkthrough of connecting Claude Desktop to PayPal’s remote MCP server over HTTP, highlighting the full OAuth 2.0 flow with Postman, from discovery to authorization.
- Unwrapping MCP: A Walkthrough with the GitHub MCP Server (10 min read)
  MCP explained from the inside out, starting with a real developer workflow and then unwrapping the protocol layer by layer: roles, messages, connection lifecycle, and STDIO transport.
- Protected Resource Metadata Is the Missing Piece in OAuth 2.0 Discovery (9 min read)
  OAuth 2.0 could already automate client registration and authorization server (AS) discovery, but clients still had to hardcode which authorization server protects a given resource. Protected Resource Metadata (PRM) fixes that. Here's how PRM completes the dynamic integration story, and why AI agents made it urgent.
- mTLS and OAuth2: Certificate-Bound Tokens (11 min read)
- mTLS for OAuth2 Client Authentication: A Stronger Alternative to Shared Secrets (13 min read)
  Shared secrets can be stolen, leaked, or brute-forced. mTLS-based client authentication uses certificates to prove possession of a private key. Learn how to apply TLS handshake–based authentication to meet OAuth 2.0 client authentication requirements.
- Secure OAuth2: A Simple Story of Two Keys, PKCE (11 min read)
- Secure OAuth2 (Part 4): Securing the Response Using JWT Secured Authorization Response Mode (JARM) (11 min read)
- Secure OAuth2 (Part 3): Pushed Authorization Requests (PAR) to the Rescue (13 min read)
- Secure OAuth2 (Part 2): Put It in a JAR (JWT-Secured Authorization Request) (9 min read)
- Is the Authorization Code Grant Type Secure Enough? (10 min read)
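The Protected Resource Metadata post above describes the discovery gap that PRM closes: a client that knows only a resource URL still needs to learn which authorization server protects it. The following is an added example, not code from any of the posts listed here, showing the discovery chain a client walks: take the `resource_metadata` hint from a `WWW-Authenticate: Bearer` challenge (or derive the well-known URL from the resource identifier when there is no hint), fetch the PRM document, verify its `resource` value matches the resource actually being accessed, and derive each listed issuer's RFC 8414 metadata URL. The hosts, the PRM document and the `WWW-Authenticate` header are constructed sample data; `OFFLINE_HTTP` stands in for a real HTTPS GET so the block runs offline. The host-match check on the hint URL is a defensive policy adopted here, not something the page states the specification requires.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: hypothetical hosts, not from any real deployment.
RESOURCE_URL = "https://api.example.com/v1/accounts"
WWW_AUTHENTICATE = (
    'Bearer realm="api", error="invalid_token", '
    'resource_metadata="https://api.example.com/.well-known/oauth-protected-resource/v1/accounts"'
)
PRM_DOCUMENT = {
    "resource": "https://api.example.com/v1/accounts",
    "authorization_servers": ["https://auth.example.com/tenant-a"],
    "scopes_supported": ["accounts:read"],
    "bearer_methods_supported": ["header"],
}
# Offline stand-in for an HTTPS GET that returns parsed JSON (assumption for this example).
OFFLINE_HTTP = {
    "https://api.example.com/.well-known/oauth-protected-resource/v1/accounts": PRM_DOCUMENT,
}


def well_known_url(identifier, suffix):
    """Insert /.well-known/<suffix> between host and path, so an identifier with a
    path component still maps to a unique metadata document (RFC 8414 / RFC 9728 style)."""
    parts = urlsplit(identifier)
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, "/.well-known/%s%s" % (suffix, path), "", ""))


def prm_url_for(resource):
    """Well-known Protected Resource Metadata URL for a resource identifier."""
    return well_known_url(resource, "oauth-protected-resource")


def as_metadata_url_for(issuer):
    """Well-known Authorization Server Metadata URL for an issuer identifier."""
    return well_known_url(issuer, "oauth-authorization-server")


def resource_metadata_hint(www_authenticate):
    """Extract resource_metadata="..." from a Bearer challenge; None if absent or not Bearer."""
    if not www_authenticate.lower().startswith("bearer"):
        return None
    match = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    return match.group(1) if match else None


def discover_authorization_servers(resource, www_authenticate=None, http_get=OFFLINE_HTTP.get):
    """Return [(issuer, as_metadata_url), ...] for the authorization servers protecting `resource`.

    Checks applied before trusting anything the resource server said:
      - metadata is only fetched over HTTPS;
      - a resource_metadata hint must point at the resource's own host (defensive policy);
      - the PRM document's `resource` must equal the resource we are actually calling,
        so a hostile or misconfigured server cannot redirect us to metadata for another resource;
      - every listed issuer must be HTTPS.
    """
    hint = resource_metadata_hint(www_authenticate or "")
    prm_url = hint or prm_url_for(resource)
    prm_parts = urlsplit(prm_url)
    if prm_parts.scheme != "https":
        raise ValueError("refusing non-HTTPS metadata URL: %s" % prm_url)
    if prm_parts.netloc != urlsplit(resource).netloc:
        raise ValueError("resource_metadata hint points at a different host than the resource")
    prm = http_get(prm_url)
    if prm is None:
        raise LookupError("no protected resource metadata at %s" % prm_url)
    if prm.get("resource") != resource:
        raise ValueError("PRM resource %r does not match %r" % (prm.get("resource"), resource))
    issuers = prm.get("authorization_servers") or []
    for issuer in issuers:
        if urlsplit(issuer).scheme != "https":
            raise ValueError("refusing non-HTTPS issuer: %s" % issuer)
    return [(issuer, as_metadata_url_for(issuer)) for issuer in issuers]


if __name__ == "__main__":
    for issuer, url in discover_authorization_servers(RESOURCE_URL, WWW_AUTHENTICATE):
        print("issuer:", issuer)
        print("AS metadata:", url)
```

With a real client, `http_get` would be replaced by an HTTPS fetch that parses the JSON body; the rest of the chain (the next step being a GET of the AS metadata URL to find the authorization and token endpoints) is unchanged. The `resource` equality check is the one that matters most: without it, the hint in `WWW-Authenticate` is an unauthenticated pointer that any server in the path could swap for metadata naming an attacker's authorization server.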