On the evening of June 18, the official Model Context Protocol blog published “Enterprise-Managed Authorization: Zero-touch OAuth for MCP.” Core maintainer Paul Carleton kept the tone measured, but the news was substantial: the EMA extension moved from draft to stable, and it crossed 226 points on Hacker News within hours. The same day, Anthropic, Microsoft, and Okta endorsed it; Asana, Atlassian, Canva, Figma, Granola, Linear, and Supabase all flipped on support, and Visual Studio Code wired it into the IDE.
If you have to translate this to a non-technical executive in one sentence: MCP finally gave AI agents a real company badge.
What was actually blocking enterprise adoption
For the past 18 months, MCP has been the de facto standard for agent tool calling. Anthropic released it, the ecosystem exploded, thousands of servers appeared — and then enterprise IT shrugged. The blog post names the three pain points, which match what I’ve heard from every CIO I’ve talked to:
- Every employee authorises every server individually. Onboarding a new hire means walking them through clicking “allow” on Asana, Slack, Linear, GitHub, Notion, and so on, one by one.
- Security teams cannot enforce consistent policy. Each user authorises whatever they authorise. There is no central control and no audit trail.
- Work and personal accounts blur. It’s trivially easy to attach a personal Google Drive to a corporate Claude instance.
None of this is because the technology didn’t work. It’s because the protocol never had an enterprise-facing entry point. Every company built its own patch, and those patches are exactly the kind of brittle, undocumented integrations that CISOs fire vendors over.
What “Zero-Touch” actually zeros out
The technical heart of the new extension is called ID-JAG (Identity Assertion JWT Authorization Grant). In human terms:
- Before: An employee signs into Claude. Claude redirects to Asana. Asana shows a “do you allow Claude to access your data?” prompt. The employee clicks allow. Asana issues Claude an access token. Repeat for every connector.
- After: The employee signs into Claude via corporate Okta. Okta signs an ID-JAG behind the scenes. Claude swaps that ID-JAG with Asana’s authorisation server for an access token. No prompt appears on screen. The user is already connected.
Three properties fall out of that flow (these are the blog’s own bullet points, translated):
- Authorise once, inherit everywhere. An IT admin checks “Engineering group can use Asana” once in Okta. The whole group gets it, scoped to the groups and roles they already have.
- Centralised policy and audit. Every authorisation decision lives in the IdP console. One auditable trail, one set of logs.
- Personal / enterprise accounts stop blurring. The interactive “which account do you want to use” step is gone. “My personal Drive just got linked to the company Claude” is now blocked at the protocol layer, not at the help-desk-after-the-fact layer.
For a 500-person company, what used to be a 2-hour IT onboarding session for MCP connectors should now be a 2-minute provisioning task.
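The “After” swap described above, seen from the authorisation server that receives the ID-JAG, as an added example (not code from the MCP blog or any vendor). The issuer, audience, client and key values are constructed, the claim names and the use of the RFC 7523 JWT bearer grant are assumptions of this sketch, and HS256 with a shared key stands in for the IdP's asymmetric signature.

```python
import base64, hashlib, hmac, json, time

# Constructed values; HS256 shared key stands in for the IdP's asymmetric signature.
IDP_ISSUER = "https://idp.example.com"
THIS_AS = "https://auth.tasks.example.com"  # this authorization server
IDP_KEY = b"constructed-demo-key"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint_id_jag(claims, key=IDP_KEY):
    """IdP side: sign the assertion the client will present."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def validate_id_jag(grant_type, assertion, authed_client, seen_jti, now=None):
    """Authorization-server side: return (subject, scope) or raise ValueError."""
    now = time.time() if now is None else now
    if grant_type != JWT_BEARER:
        raise ValueError("unsupported grant_type")
    try:
        head, body, sig = assertion.split(".")
        header, claims, given = json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig)
        alg, sub = header["alg"], claims["sub"]
    except Exception:
        raise ValueError("malformed assertion") from None
    if alg != "HS256":  # the verifier pins the algorithm, not the token
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(IDP_KEY, head, body), given):
        raise ValueError("bad signature")
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != THIS_AS:  # assertion minted for another server
        raise ValueError("wrong audience")
    if claims.get("client_id") != authed_client:  # presented by another client
        raise ValueError("client mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if not isinstance(claims.get("jti"), str) or claims["jti"] in seen_jti:  # single use
        raise ValueError("replayed")
    seen_jti.add(claims["jti"])
    return sub, claims.get("scope", "")
```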
What the 11 launch partners tell you
The blog groups launch partners into three buckets, and the grouping itself is the story:
Identity providers (i.e., the entities actually paying for this): Okta, alone. Not Auth0, not Azure AD. Okta kicked off the Cross-App Access (XAA) spec in 2024, and MCP picked it up as the substrate.
Clients (consumers): Anthropic’s own Claude, Claude Code, and Cowork all enabled. Visual Studio Code is in. Microsoft shows up as an investor/ecosystem partner, but doesn’t dig in as deep as Anthropic.
Servers (what the agent calls into): Asana, Atlassian, Canva, Figma, Granola, Linear, Supabase. Notice what is missing: no ERP, no Salesforce, no Workday. This is the unspoken signal. MCP’s first enterprise wave is the knowledge-worker’s daily toolchain — documents, design, project tracking — not core business systems.
The first-wave customer profile is sharp: mid-size tech companies where people use Notion / Linear / Figma to write and design, and Claude to read and rewrite. Manufacturing, banking, insurance — that line is far away.
What the HN comments caught that the blog didn’t
I read the 19 top-level comments on the HN thread. Two are worth pulling out:
One: Is friction the enemy, or the friend? A commenter named amluto wrote, bluntly:
“Suppose I open a Claude conversation and tell it to fork a third-party repo and open a PR. If that repo has prompt injection that triggers a tool call to drain my company bank account, I absolutely want to be prompted before that action runs.”
This is the sharpest critique of zero-friction. Even with perfect group/role granularity at the IdP, an already-authorised account being hijacked by a prompt-injected sub-task is still a real attack. Zero-Touch solves onboarding friction. It does not — and probably should not — solve task-level confirmation friction. Removing the latter just hands the keys to attackers.
Two: Multi-hop delegation is still an open hole. EMA handles the first hop: user → MCP host. But what about sub-agents a parent agent spawns? What about the token chain when an agent calls another agent? In the same thread, niyikiza (the OP, a core maintainer) acknowledged: the OAuth working group is still drafting multi-hop delegation, and WorkOS has a decent overview at “OAuth Multi-Hop Delegation for AI Agents”, but it’s nowhere near stable.
In other words: EMA is the enterprise IT entrance ticket. It is not yet the agent’s own identity.
What this means for builders
Two tracks, depending on what you ship:
If you’re enterprise IT / security: The roadmap is real from today. The work is not “which servers to enable” — it is cleaning up your Okta group/role matrix first. The seven server partners are already live; the moment your CIO says yes, deployment is days, not quarters.
If you’re building an agent product: Expect a sharp split over the next six months.
- Products that can answer “exactly how does my agent avoid overreach inside a customer tenant” will close enterprise deals. This is a procurement question, not a marketing question.
- Products that only demo “look how clever my agent is” will stall in PoC. Not because they’re bad, but because IT will not approve them.
My personal bet: the multi-hop delegation implementation layer. This is the unfilled hole in the protocol today. Whoever ships a solid implementation first becomes the “session token provider” of the agent era. WorkOS is already positioning for it, but the product is early.
Closing thought
The reason this stable release is worth its own post is that it is not a model-layer story, not a funding story, and not a product-launch story. It is a protocol-layer gate. A year ago, when Anthropic open-sourced MCP, the loudest question in the community was “can it work inside an enterprise?” Today the answer is yes — but only on the enterprise’s terms.
The second half of 2026 for agents is not “whose model is smarter.” It is “whose agent is allowed in the meeting room.”