Why Dynamic Client Registration Failed

▶ Watch (0:04)

MCP’s first spec had no OAuth guidance at all. Dynamic Client Registration (DCR, RFC 7591) arrived in the second version, but it required bespoke infrastructure. Three problems emerged: unbounded growth (every VS Code instance registered a fresh client 5-10 times a day per user, and nothing ever cleaned those registrations up), silent expiry (registrations could lapse without the server ever knowing which clients were still active), and impersonation (any client could register under whatever name it liked and declare itself to be Claude). Enterprise customers found DCR too complex because their identity providers did not support it, so developers had to build the authorization server logic themselves.

CIMD: A JSON Document Hosted at the Client’s Domain

▶ Watch (5:08)

Paul Carleton and Aaron Parecki proposed Client ID Metadata Documents (CIMD). Instead of a registration dance, each client hosts a JSON document at its own domain, and the URL of that document is the client ID. The document contains the client ID, name, client URI, and redirect URIs. Trust comes from control of the domain: the authorization server fetches the document over HTTPS from the client ID URL, so if the domain is claude.ai, the metadata belongs to Claude, and nobody else can publish metadata under it. Authorization servers fetch the document and validate it against the domain it came from. No cryptographic key exchange is needed. VS Code, Claude, and Claude Code each have exactly one metadata document.

Solving Unbounded Growth, Silent Expiry, and Impersonation

▶ Watch (8:42)

With CIMD, each client has exactly one metadata document, so unbounded growth disappears. Silent expiry is irrelevant because nothing is registered and nothing expires. Impersonation ends because the client ID is a URL on a domain the client controls and the server fetches the document from that domain, so a client can only claim an identity it can actually host. Authorization servers can restrict clients by domain, block traffic from certain countries, or require that redirect URIs match the client ID’s origin. The November 2025 spec makes CIMD the recommended path. DCR remains supported but will be deprecated. Pre-registered clients continue to work.

Future Work: DPoP, Workload Identity, and Cross-App Access

▶ Watch (11:41)

The auth stack for MCP is not done. Proposals include DPoP (sender-constrained tokens bound to a key the client proves it holds), workload identity federation, and cross-app access. These go beyond CIMD. Den recommends attending Paul and Max’s talk at 2:30 in the same room. For now, developers building MCP servers should use CIMD. A new spec arrives in June 2026. The CIMD draft is available as an IETF document, and a blog post explains the implications for server developers. Feedback is welcome.

Q&A

How does the authorization server enforce redirect URI restrictions? The authorization server can require that every redirect URI in the CIMD document share an origin with the client ID URL, rejecting any mismatch. ▶ Watch (13:58)

Which clients currently support CIMD? Claude, VS Code, and Claude Code support it; ChatGPT is not yet confirmed, but work is ongoing with the major clients. ▶ Watch (14:24)

Can DCR and CIMD be supported in tandem? Technically yes, but DCR is deprecated; CIMD is the recommended approach. ▶ Watch (21:33)

Does CIMD protect against malicious servers? No; it protects against client impersonation. Any server can still connect, but a malicious party cannot pretend to be Claude because the domain check fails. ▶ Watch (24:21)

Notable Quotes

Unbounded growth, it’s gone because it’s no longer unbounded. There’s one metadata document per client. Den Delimarsky · ▶ Watch (8:42)

Impersonation is also solved because now you have a very clear case for how you can validate the clients. Den Delimarsky · ▶ Watch (9:00)

We’re making it easier for developers to build MCP servers without having to bake in this custom registration and client management logic into the servers and the clients. Den Delimarsky · ▶ Watch (12:21)

You now have this, essentially, a trust boundary of saying that as long as I have access to DNS to verify that claude.ai is actually claude.ai, you’re good. Den Delimarsky · ▶ Watch (6:05)

Key Takeaways

  • Client ID Metadata Documents (CIMD) replace DCR by hosting a single JSON document per client at a domain the client controls; the document’s URL is the client ID.
  • Authorization servers gain the ability to restrict access by domain and redirect URI without custom registration infrastructure.
  • The November 2025 MCP spec makes CIMD the recommended authorization path; DCR remains supported but will be deprecated.

About the Speaker(s)

Den Delimarsky is a Member of Technical Staff at Anthropic, leading MCP technical programs. He is an avid reverse engineer, passionate about APIs, protocols, and security. Prior to Anthropic, he built authentication and authorization libraries used by millions of developers around the globe.