alt Hacker NewsBut this is no different to using an API key with access controls and curl and you get the same thing.
MCP is just as worse version of the above allowing lots of data exfiltration and manipulation by the LLM.
Replies
regularfry • today at 9:47 AM
An MCP server lets you avoid giving the agent your API key so it can't leak it. At least in theory.
You could do the same with a CLI tool but it's more of a hassle to set up.
But MCP uses Oauth. That is not a "worse version" of API keys. It is better.
The classic "API key" flow requires you to go to the resource site, generate a key, copy it, then paste it where you want it to go.
Oauth automates this. It's like "give me an API key" on demand.