{"slug": "three-ways-to-gate-an-mcp-server-oauth-l402-and-proof-of-work", "title": "Three ways to gate an MCP server: OAuth, L402, and proof-of-work", "summary": "Sentry engineers encountered a rate-limiting bug when Cursor Automations exhausted a human-sized bucket of 60 requests per 60 seconds in seconds, highlighting the challenge of gating MCP servers for agent traffic. Three real-world authorization methods exist today: OAuth 2.1 for enterprise human-driven clients, L402 for Lightning-based micropayments per tool call, and proof-of-work for anonymous abuse prevention without wallets or accounts. The `@powforge/captcha-mcp` middleware also supports a dual-rail approach, letting callers pay sats via L402 instead of burning CPU.", "body_md": "Somebody at Sentry filed a bug last month: Cursor Automations started hitting rate-limit errors almost immediately after authenticating. The bucket was sized for humans — 60 requests per 60 seconds — and an agent tore through it in seconds.\n\nThat's the MCP auth problem in miniature. You've got a server exposing tools. Agents call those tools. You want to slow down abuse, charge per call, or just make sure you don't blow up your LLM budget on some runaway loop. How do you do that without wiring up a full OAuth stack that breaks the first time an agent doesn't have a browser to open?\n\nThree real options exist right now. Here's how they compare.\n\nThe MCP spec mandates OAuth 2.1 for authorization. If you're building a production server for enterprise customers — actual humans with accounts — this is the right call. You get scoped access, token revocation, audit trails. SSO works. Compliance teams stop emailing you.\n\nThe problem is agents. OAuth 2.1 has an authorization code flow that requires a redirect URI. An agent running headless doesn't have a browser. DPoP and Workload Identity Federation are on the MCP roadmap but not shipped yet. If you need auth today and your callers are mostly agents, OAuth puts you in a hole.\n\nGood fit: enterprise SaaS, human-driven clients, compliance-heavy contexts.\n\nBad fit: anonymous agents, public APIs, pay-per-call services.\n\nL402 is an HTTP extension where a server responds to an unauthorized request with `402 Payment Required`\n\nand an invoice in the `WWW-Authenticate`\n\nheader. The client pays it over Lightning and retries with the preimage as a credential.\n\nTwo npm packages ship L402 for MCP right now: `lightning-wallet-mcp`\n\nand `l402-kit-mcp`\n\n. The model is clean: each tool call costs a fixed number of sats. No accounts, no sessions, no user. An agent with a Lightning wallet (Alby, Phoenixd, NWC) can handle the whole flow programmatically.\n\n```\n# First call — server responds with 402\ncurl -X POST https://your-mcp-server/tools/call \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"name\": \"expensive_tool\", \"arguments\": {}}'\n# HTTP/1.1 402 Payment Required\n# WWW-Authenticate: L402 invoice=\"lnbc...\", macaroon=\"...\"\n\n# Pay the invoice over Lightning, get the preimage\n# Retry with credentials\ncurl -X POST https://your-mcp-server/tools/call \\\n  -H \"Authorization: L402 <macaroon>:<preimage>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"name\": \"expensive_tool\", \"arguments\": {}}'\n# HTTP/1.1 200 OK\n```\n\nGood fit: agents with Lightning wallets, micropayment-per-call APIs, Bitcoin-native monetization.\n\nBad fit: agents without wallets, free tiers, contexts where payment friction kills adoption.\n\nPoW is the weird one. Instead of paying money, the caller burns CPU to solve a hashcash-style puzzle. The server sets a difficulty. The caller grinds until they find a nonce. No wallet required.\n\n```\n# Get a challenge\ncurl https://your-mcp-server/api/challenge\n# {\"challenge\": \"abc123\", \"difficulty\": 4, \"algorithm\": \"sha256\"}\n\n# Solve it\nnpx @powforge/captcha solve --challenge abc123 --difficulty 4\n# {\"nonce\": \"7f3a...\", \"solution\": \"0000...\"}\n\n# Submit with solution in header\ncurl -X POST https://your-mcp-server/tools/call \\\n  -H \"X-PoW-Solution: challenge=abc123,nonce=7f3a...\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"name\": \"tool\", \"arguments\": {}}'\n```\n\nThe cost scales with difficulty. A legitimate caller solving once is fine. An abuser trying to hammer 10,000 calls hits a wall because each requires fresh compute. No central authority. No wallet. No redirect.\n\n`@powforge/captcha-mcp`\n\nships this as middleware for existing MCP servers. Wrap your server, set a difficulty, and callers solve before tool calls go through. It also supports L402 as an escape valve: pay sats instead of grinding if you'd rather not burn CPU.\n\nGood fit: anonymous agents, public APIs, abuse prevention without monetization, PoW-or-pay dual rail.\n\nBad fit: high-throughput legitimate callers (CPU cost adds latency), real-time tools where every millisecond counts.\n\n| OAuth 2.1 | L402 Lightning | Proof-of-Work | |\n|---|---|---|---|\n| Requires user account | Yes | No | No |\n| Requires Lightning wallet | No | Yes | No |\n| Works headless today | Partial | Yes | Yes |\n| Revenue per call | No | Yes (sats) | No |\n| Stateless | No | Yes | Yes |\n\nAn Astrix Security study this year found 88% of MCP servers require credentials of some kind but document almost none of it. The OpenClaw scan found 42,000+ unauthenticated MCP instances publicly exposed in January 2026. Most of those aren't enterprise installs — they're side projects and weekend builds.\n\nFor that crowd, OAuth is overkill. L402 is elegant if the caller has a wallet. PoW gives you friction without a wallet requirement — callers can always get through, they just can't do it for free at scale.\n\nThe Sentry rate-limit bug is fixable with any of these. But if you're building for agents first, OAuth is the last thing you reach for — not the first.\n\n`@powforge/captcha-mcp`\n\n(PoW + L402 middleware): `@powforge/captcha`\n\n(standalone solver):", "url": "https://wpnews.pro/news/three-ways-to-gate-an-mcp-server-oauth-l402-and-proof-of-work", "canonical_source": "https://dev.to/zekebuilds/three-ways-to-gate-an-mcp-server-oauth-l402-and-proof-of-work-3392", "published_at": "2026-05-31 02:39:09+00:00", "updated_at": "2026-05-31 03:11:58.268817+00:00", "lang": "en", "topics": ["ai-agents", "ai-infrastructure", "ai-tools", "ai-products", "artificial-intelligence"], "entities": ["Sentry", "Cursor", "MCP", "OAuth", "L402"], "alternates": {"html": "https://wpnews.pro/news/three-ways-to-gate-an-mcp-server-oauth-l402-and-proof-of-work", "markdown": "https://wpnews.pro/news/three-ways-to-gate-an-mcp-server-oauth-l402-and-proof-of-work.md", "text": "https://wpnews.pro/news/three-ways-to-gate-an-mcp-server-oauth-l402-and-proof-of-work.txt", "jsonld": "https://wpnews.pro/news/three-ways-to-gate-an-mcp-server-oauth-l402-and-proof-of-work.jsonld"}}