
OAuth

5 pains, avg 6.8/10
auth 4, compatibility 1

Claude Pro subscription OAuth tokens blocked in third-party tools

9

Anthropic restricted subscription OAuth tokens to work only with the official Claude Code CLI, blocking tools like OpenCode, Moltbot, and integrations in Cursor. Users who built workflows around third-party tools were locked out mid-project, forcing them to either downgrade subscriptions or abandon the platform entirely.

auth, Claude, OAuth, Claude Code CLI

V2 endpoint has limited API support and requires v1 for legacy protocols

7

The Azure AD v2 endpoint supports only OpenID Connect and OAuth, excluding older protocols like SAML and WS-Federation. Additionally, only a small set of APIs is accessible (own API, Outlook, Microsoft Graph), requiring fallback to the v1 endpoint for other APIs. No migration path exists for v1 applications.

compatibility, Azure AD v2, MSAL, SAML, +2

Authentication Boilerplate & Fragmentation

7

Every project requires implementing the same authentication patterns (OAuth, JWT, sessions, MFA, password resets, social login, RBAC), but implementations differ. Auth libraries break between framework versions, self-hosted auth creates security liability, and third-party auth introduces vendor lock-in with per-MAU pricing.

auth, OAuth, JWT

Complex and Inconsistent API Authentication Options

6

APIs offer confusing authentication mechanisms with multiple versions (especially OAuth), inconsistent implementations, and poor documentation of authentication flows. Getting credentials and understanding the correct authentication method is often one of the trickiest initial steps, especially when API teams and customers have mismatched use-case assumptions.

auth, OAuth

OAuth token introspection requires enterprise-specific auth flows

5

Earlier FastMCP versions lacked RFC 7662 token introspection support, making it difficult to integrate with enterprise OAuth patterns and requiring workarounds for standard token validation flows.

auth, FastMCP, OAuth