Major AI Clients Shipping With Broken OAuth Implementations
5 May 2026 at 15:51
The majority of widely used AI clients like:
- Claude Code
- Claude Desktop
- Cursor
- LibreChat
- Amazon Q CLI
have not implemented the refresh-token flow of the OAuth standard.
This forces developers to issue long-lived tokens, creating a serious security regression in an already solved problem.
This write-up includes a matrix table of 14 major clients with notes linking to feature requests, pull requests, and multiple forum discussions.
It is not all gloom and doom though!
There is also a work-around that security-conscious users are using as a stop-gap, along with a best-practices guide for developers implementing their own MCP OAuth solution.
The plan is to update this reference on a monthly basis to track whether there is any movement on these open requests.
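As an added illustration of the refresh-token flow the post refers to (this is example code written here, not code from the write-up or from any of the clients listed above), the block below models both sides of the grant in Python: a token endpoint that issues five-minute access tokens together with rotating refresh tokens and detects replay of a rotated refresh token, and a client that refreshes transparently before expiry instead of holding a long-lived token. The class names, lifetimes, scope string and the in-memory fake clock are assumptions made for the example.

```python
"""OAuth 2.0 refresh_token grant (RFC 6749 section 6) with refresh-token rotation.

Constructed example: an in-memory authorization server and a client that refreshes
instead of relying on a long-lived access token. Not the code of any real client.
"""
import secrets
import time

ACCESS_TTL = 300               # assumed: 5-minute access token
REFRESH_TTL = 30 * 24 * 3600   # assumed: 30-day refresh token


class AuthorizationServer:
    """Token endpoint: short-lived access tokens, rotating refresh tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access_tokens = {}    # access_token  -> (user, scope, expires_at, family)
        self.refresh_tokens = {}   # refresh_token -> (user, scope, expires_at, family)
        self.spent_refresh = {}    # rotated-out refresh token -> family (replay detection)
        self.revoked_families = set()

    def _mint(self, user, scope, family):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (user, scope, now + ACCESS_TTL, family)
        self.refresh_tokens[refresh] = (user, scope, now + REFRESH_TTL, family)
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": refresh, "scope": scope}

    def token_authorization_code(self, user, scope):
        # Stands in for the authorization_code exchange after user consent.
        return self._mint(user, scope, family=secrets.token_hex(8))

    def token_refresh(self, refresh_token):
        if refresh_token in self.spent_refresh:
            # A rotated-out token was presented again: someone holds a stolen copy.
            # Revoke the whole family so neither party can continue silently.
            family = self.spent_refresh[refresh_token]
            self.revoked_families.add(family)
            self.refresh_tokens = {k: v for k, v in self.refresh_tokens.items() if v[3] != family}
            return {"error": "invalid_grant"}
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None:
            return {"error": "invalid_grant"}
        user, scope, expires_at, family = entry
        if self.clock() >= expires_at or family in self.revoked_families:
            return {"error": "invalid_grant"}
        self.spent_refresh[refresh_token] = family   # rotate: old token is now single-use-spent
        return self._mint(user, scope, family)

    def validate_access(self, access_token):
        """Resource-server check; returns (user, scope) or None."""
        entry = self.access_tokens.get(access_token)
        if entry is None:
            return None
        user, scope, expires_at, family = entry
        if self.clock() >= expires_at or family in self.revoked_families:
            return None
        return (user, scope)


class McpClient:
    """Client side: refresh shortly before expiry; never persist a long-lived token."""

    def __init__(self, server, clock=time.time, skew=30):
        self.server, self.clock, self.skew = server, clock, skew
        self.tokens, self.obtained_at = None, None

    def login(self, user, scope):
        self.tokens = self.server.token_authorization_code(user, scope)
        self.obtained_at = self.clock()

    def bearer(self):
        if self.clock() >= self.obtained_at + self.tokens["expires_in"] - self.skew:
            resp = self.server.token_refresh(self.tokens["refresh_token"])
            if "error" in resp:
                raise PermissionError("refresh failed; interactive re-authentication required")
            self.tokens, self.obtained_at = resp, self.clock()
        return self.tokens["access_token"]


class FakeClock:
    """Controllable clock so the scenario runs offline and deterministically."""

    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_scenario():
    """Walk through expiry, transparent refresh, and replay of a stolen refresh token."""
    clock = FakeClock()
    srv = AuthorizationServer(clock)
    client = McpClient(srv, clock)
    client.login("alice", "mcp:tools")          # assumed user and scope
    first_access = client.bearer()
    stolen_refresh = client.tokens["refresh_token"]   # attacker copies the on-disk token
    clock.advance(ACCESS_TTL + 1)               # access token is now expired
    old_valid = srv.validate_access(first_access)
    second_access = client.bearer()             # client refreshes without user interaction
    new_valid = srv.validate_access(second_access)
    replay = srv.token_refresh(stolen_refresh)  # attacker replays the rotated-out token
    clock.advance(ACCESS_TTL + 1)
    try:
        client.bearer()
        family_revoked = False
    except PermissionError:
        family_revoked = True
    return {"old_access_valid": old_valid, "new_access_valid": new_valid,
            "rotated": first_access != second_access,
            "replay_rejected": replay.get("error") == "invalid_grant",
            "family_revoked": family_revoked}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the two-sided model is that short access-token lifetimes are only tolerable when the client implements the refresh grant; without it, the only way to avoid constant re-login is to lengthen the access token, which is exactly the regression the post describes. Rotation plus reuse detection is an extra step the base RFC does not require, but it turns a stolen refresh token into a detectable event rather than a silent 30-day foothold.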