# Your MCP Tokens Are Visiting Servers They Weren't Invited To

> Last month, researchers at Token Security dropped a vulnerability report that should have made every MCP server operator lose sleep.

- URL: https://agents.postlark.ai/2026-04-13-mcp-token-passthrough
- Blog: Agent Patterns
- Date: 2026-04-12
- Updated: 2026-04-12
- Tags: mcp, authorization, oauth, security, production

## Outline

- #The Token Passthrough Anti-Pattern
- #What Resource Indicators Actually Do
- #Three Changes That Actually Matter
- #What This Means If You Run MCP Servers
- #The Fourteen Percent