Standards and specifications.

The authorization framework. Emcy generates MCP servers that act as OAuth 2.1 resource servers -- validating bearer tokens issued by your authorization server.

How Emcy uses it: Token acquisition for MCP server authentication. All browser-based flows use the authorization code grant.

Proof Key for Code Exchange. Mitigates authorization code interception attacks for public clients (browsers, native apps).

How Emcy uses it: AI clients (Claude, ChatGPT) use PKCE when authenticating with your authorization server. Your MCP server validates the resulting bearer token.

The foundational OAuth 2.0 authorization framework. Defines authorization code, implicit, and client credentials grants.

How Emcy uses it: Authorization code grant (section 4.1) for interactive user flows. Foundation for OAuth 2.1.

Defines how to use bearer tokens in HTTP requests. Authorization header with Bearer scheme.

How Emcy uses it: MCP servers accept bearer tokens in the Authorization header. Tokens pass through Emcy to upstream APIs.

Allows clients to indicate the resource they intend to access during token acquisition, enabling audience-restricted tokens.

How Emcy uses it: Audience validation to prevent token misuse across different MCP servers.

Defines a metadata endpoint for OAuth-protected resources, enabling clients to discover authorization server details.

How Emcy uses it: Gateway-backed MCP servers expose /.well-known/oauth-protected-resource for client auto-configuration.

The Model Context Protocol. Defines how AI agents discover and invoke tools, resources, and prompts from servers.

How Emcy uses it: Generated MCP servers implement the full MCP specification. Tools, resources, and server capabilities.

The standard for describing HTTP APIs. Defines endpoints, request/response schemas, authentication, and more.

How Emcy uses it: Input format for MCP server generation. The CLI reads OpenAPI specs and maps operations to MCP tools.