You spent the weekend wiring up twelve MCP servers in Claude Code. Your agent reads your Gmail, files tickets in Linear, drops receipts into Notion. You feel like a wizard. Then your PM walks over and says: ship this to forty teammates by Friday. Suddenly the wizard is a janitor. Because every one of those shiny connections is glued to your OAuth token — the password-on-your-behalf that lets an app act as you — and there is no button labeled "do this for Dave in marketing too."
That gap is the whole story of April 2026 in agent land.
Quick decoder for the non-nerds. MCP (Model Context Protocol) — a universal plug standard from Anthropic that lets any AI agent talk to any tool. Think USB, but for LLMs (large language models — the brain behind ChatGPT and Claude). MCP defines the socket. It does not define whose electricity is flowing through it. Until last month, the spec basically shrugged at the question "how does the agent log in as a specific human, with the right permissions, and rotate the keys later?" 😹
On March 15, 2026, the MCP working group finally patched that hole: the new Authorization spec makes RFC 8707 resource indicators mandatory. In plain English, when an agent asks the authorization server for a token it has to name the one MCP server it intends to use (the `resource` parameter), and the token comes back bound to that server as its audience. A token minted for your Gmail MCP server gets rejected by your Linear MCP server instead of being replayable across everything. No more "here's the keys to everything, good luck." A clean April 12 writeup on dasroot.net quotes 86% enterprise adoption already. 🙀
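What an audience-bound token actually buys you, as an added example that is not from the page, the MCP spec or any of the products named here. Both sides of the exchange are faked with the Python standard library: `issue_token` plays the authorization server and copies the client's RFC 8707 `resource` value into the token's `aud` claim, and `verify_for_server` is the check an MCP server (an OAuth resource server) runs before serving a tool call. The HMAC key, the two server URIs and the user are constructed for the example; real deployments use a real authorization server and asymmetric keys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for the example: a shared HMAC key standing in for the
# authorization server's signing key. Real deployments use asymmetric keys.
ISSUER_KEY = b"demo-issuer-key-not-for-production"

# Two MCP servers, each an OAuth resource server with its own canonical URI
# (assumed names, not real endpoints).
GMAIL_MCP = "https://mcp.example.com/gmail"
LINEAR_MCP = "https://mcp.example.com/linear"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, resource: str, scope: str, ttl: int = 300,
                now: Optional[int] = None) -> str:
    """Authorization server side. The client's RFC 8707 `resource` parameter
    becomes the token's `aud`, binding the token to exactly one MCP server."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": subject, "aud": resource, "scope": scope,
                              "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"


def verify_for_server(token: str, server_uri: str, required_scope: str,
                      now: Optional[int] = None) -> dict:
    """Resource server side: what an MCP server checks before running a tool.
    Returns the claims, or raises PermissionError with the reason."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, claims_b64, sig_b64 = parts
    expected = hmac.new(ISSUER_KEY, f"{header}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(claims_b64))
    if claims["exp"] <= now:
        raise PermissionError("expired")
    # The RFC 8707 check: `aud` may be a string or a list; this server's own
    # URI must be in it, otherwise the token was minted for a different server.
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if server_uri not in aud:
        raise PermissionError(f"audience {aud} does not include {server_uri}")
    if required_scope not in claims["scope"].split():
        raise PermissionError(f"scope {required_scope!r} not granted")
    return claims


def outcome(token: str, server_uri: str, required_scope: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_for_server(token, server_uri, required_scope, now=now)
        return "ok"
    except PermissionError as exc:
        return str(exc)


def demo() -> dict:
    # Dave's agent asks for a token for the Gmail MCP server only.
    tok = issue_token("dave@example.com", GMAIL_MCP, "gmail.read", now=1_000_000)
    return {
        "gmail": outcome(tok, GMAIL_MCP, "gmail.read", now=1_000_100),
        # Same token replayed at the Linear server: rejected on audience.
        "linear": outcome(tok, LINEAR_MCP, "linear.write", now=1_000_100),
        # Right server, wrong scope.
        "gmail_send": outcome(tok, GMAIL_MCP, "gmail.send", now=1_000_100),
        # Right server and scope, but past exp (ttl is 300 s).
        "late": outcome(tok, GMAIL_MCP, "gmail.read", now=1_000_400),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of the checks is deliberate: signature first, then expiry, then audience, then scope, so a server never reasons about claims it has not authenticated. The audience check is the whole point of the spec change; without it, the Linear server in the demo would happily accept a token Dave only ever consented to for Gmail.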
Which is why the auth-broker crowd suddenly looks less like plumbing and more like Okta-for-agents.
Composio shipped the loudest week. Per its public changelog: on April 7 — bearer-token connections plus credential patching (rotate keys without forcing the user to re-auth). On April 9 — Multi-Account Mode, so one user can hold two Gmail accounts and the agent picks by alias. That's the per-agent identity primitive nobody wants to build in-house.
Arcade.dev took the distribution lane. On April 7, LangChain announced that Arcade's 7,500+ agent-optimized tools are now native inside LangSmith Fleet, with two identity modes: Assistants (per-user credentials) and Claws (shared team credentials). Authorization is "per-user, session-scoped, least-privilege at runtime." Translation: the agent gets a short-lived capability, not the master key. 🐈⬛
Pipedream Connect doesn't need a new launch: its existing infra already exposes 3,000+ APIs through external_user_id, the identifier your app assigns to a teammate, which Pipedream uses to select that person's stored credential for the call. In other words, "act as this specific teammate." OAuth, refresh and scope enforcement are already done on the broker side, with one caveat: enforcement can only narrow to what the user granted at connect time, so connect each account with the minimum scopes the agent actually needs.
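The per-user, session-scoped, least-privilege shape that Arcade describes and that Pipedream's external_user_id addresses, as an added example that is none of these vendors' code. A toy in-process broker holds each teammate's long-lived OAuth grant and hands the agent an opaque, short-lived capability instead; the agent calls through the broker, which swaps in the real token server-side. The `Broker` class, its method names, the fake clock and the sample users and tokens are all constructed for the example; only `external_user_id` is a real Pipedream Connect parameter name.

```python
import secrets
import time
from typing import Callable, Iterable


class Broker:
    """Constructed example of an auth broker. Holds long-lived per-user grants
    and issues short-lived, scope-narrowed, session-bound capabilities."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._vault: dict = {}   # (external_user_id, provider) -> {"token", "scopes"}
        self._caps: dict = {}    # opaque capability id -> issuance record

    def connect(self, external_user_id: str, provider: str, oauth_token: str,
                granted_scopes: Iterable[str]) -> None:
        """Store the teammate's own OAuth grant. The agent never sees this token."""
        self._vault[(external_user_id, provider)] = {"token": oauth_token,
                                                     "scopes": set(granted_scopes)}

    def issue_capability(self, external_user_id: str, provider: str,
                         requested_scopes: Iterable[str], session_id: str,
                         ttl: float = 300) -> str:
        """Mint an opaque capability: per-user (looked up by external_user_id),
        least-privilege (only scopes the user actually granted), session-bound."""
        grant = self._vault.get((external_user_id, provider))
        if grant is None:
            raise PermissionError(f"{external_user_id} has no {provider} connection")
        requested = set(requested_scopes)
        missing = requested - grant["scopes"]
        if missing:
            # Fail closed rather than silently widening to whatever was granted.
            raise PermissionError(f"{external_user_id} never granted {sorted(missing)}")
        cap = secrets.token_urlsafe(32)
        self._caps[cap] = {"user": external_user_id, "provider": provider,
                           "scopes": requested, "session": session_id,
                           "exp": self._now() + ttl}
        return cap

    def call(self, cap: str, session_id: str, provider: str, scope: str,
             action: Callable[[str, str], object]) -> object:
        """Proxy a tool call: validate the capability, then run `action` with the
        real token. `action` stands in for the outbound API request."""
        rec = self._caps.get(cap)
        if rec is None or rec["exp"] <= self._now():
            self._caps.pop(cap, None)
            raise PermissionError("capability unknown or expired")
        if rec["session"] != session_id or rec["provider"] != provider:
            raise PermissionError("capability bound to a different session or provider")
        if scope not in rec["scopes"]:
            raise PermissionError(f"capability lacks scope {scope!r}")
        grant = self._vault.get((rec["user"], provider))
        if grant is None:
            raise PermissionError("underlying grant was revoked")
        return action(grant["token"], rec["user"])

    def revoke(self, external_user_id: str, provider: str) -> int:
        """Rotate or revoke a user's grant; every capability derived from it dies too."""
        self._vault.pop((external_user_id, provider), None)
        dead = [c for c, r in self._caps.items()
                if (r["user"], r["provider"]) == (external_user_id, provider)]
        for c in dead:
            del self._caps[c]
        return len(dead)


def _attempt(fn: Callable[[], object]) -> str:
    try:
        fn()
        return "allowed"
    except PermissionError as exc:
        return f"denied: {exc}"


def demo() -> dict:
    clock = [1_000.0]                       # fake clock so expiry is deterministic
    broker = Broker(now=lambda: clock[0])
    # Constructed sample grants: two teammates, different consented scopes.
    broker.connect("dave", "gmail", "ya29.dave-real-token", ["gmail.read"])
    broker.connect("alice", "gmail", "ya29.alice-real-token", ["gmail.read", "gmail.send"])
    whoami = lambda real_token, user: f"{user} via {real_token[:9]}"   # stand-in API call

    out = {}
    cap = broker.issue_capability("dave", "gmail", ["gmail.read"], session_id="s1")
    out["dave_read"] = broker.call(cap, "s1", "gmail", "gmail.read", whoami)
    out["dave_send"] = _attempt(lambda: broker.issue_capability("dave", "gmail", ["gmail.send"], "s1"))
    out["wrong_session"] = _attempt(lambda: broker.call(cap, "s2", "gmail", "gmail.read", whoami))
    clock[0] += 301                         # past the 300 s ttl
    out["expired"] = _attempt(lambda: broker.call(cap, "s1", "gmail", "gmail.read", whoami))
    acap = broker.issue_capability("alice", "gmail", ["gmail.send"], session_id="s9")
    out["alice_revoked_caps"] = broker.revoke("alice", "gmail")
    out["alice_after_revoke"] = _attempt(lambda: broker.call(acap, "s9", "gmail", "gmail.send", whoami))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Three properties are worth noticing because they are what you should ask a real broker to prove: the agent only ever holds the opaque capability, never the provider token; a capability cannot be upgraded past what that specific user consented to; and revoking or rotating the user's grant invalidates every capability derived from it, which is the "credential patching" story in operational terms.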
The price nobody prints on the landing page 😾. You're handing your company's OAuth tokens for Salesforce, Slack, HubSpot, Gmail to a third-party vault. That's a new SOC 2 boundary, a new single high-value target (one breach there exposes every user's long-lived refresh tokens at once), a new single point of failure, and if the broker has a bad Tuesday your entire agent fleet goes mute. Before you sign, check the three things that matter operationally: can you revoke or rotate one user's grant without re-onboarding everyone, does every call log which user, agent and session used which credential, and can you export your connections if you leave. Pick the wrong one now, and you re-plumb every integration when you migrate, which is exactly the lock-in MCP was supposed to kill.
Here's the uncomfortable truth for anyone shipping agents past the demo stage: pick the auth broker before you pick the agent framework. The auth layer decides whether your rollout ships in May or dies in pilot review in October. Framework choice is reversible. Re-plumbing OAuth across forty SaaS tools is not.
MCP without an auth twin was always a half-protocol 😼. The race to be the other half just got real, and whoever wins this layer becomes the quietly indispensable Okta of the agent era. Not sexy. Not optional.