Update authorization.mdx

localden · web-flow · commit efb9058a9e36 · 2025-05-05T20:30:10.000-07:00
diff --git a/docs/specification/draft/basic/authorization.mdx b/docs/specification/draft/basic/authorization.mdx
@@ -326,6 +326,6 @@ MCP servers **MUST** only accept tokens specifically intended for themselves.
 
 If the MCP server makes requests to upstream APIs, it may act as an OAuth client to them. The access token used at the upstream API is a seperate token, issued by the upstream authorization server. The MCP server **MUST NOT** pass through the token it received from the MCP client.
 
-Additional safeguards may be implemented to protect against token misuse, as defined in [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html).
+If the authorization server supports the `resource` parameter, it's is recommended that implementers follow [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html) to prevent token misuse.
 
 

Original file line number	Diff line number	Diff line change
`@@ -326,6 +326,6 @@ MCP servers MUST only accept tokens specifically intended for themselves.`
`326`	`326`
`327`	`327`	`If the MCP server makes requests to upstream APIs, it may act as an OAuth client to them. The access token used at the upstream API is a seperate token, issued by the upstream authorization server. The MCP server MUST NOT pass through the token it received from the MCP client.`
`328`	`328`
`329`		`-Additional safeguards may be implemented to protect against token misuse, as defined in [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html).`
	`329`	+If the authorization server supports the `resource` parameter, it's is recommended that implementers follow [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html) to prevent token misuse.
`330`	`330`
`331`	`331`