When building AI agents using the Model Context Protocol (MCP), one of the biggest challenges is handling authentication flows — especially when the agent needs to access third-party systems on behalf of a user. Unlike traditional web apps, MCP agents often operate through Large Language Models (LLMs). That introduces a unique problem:
LLMs cannot log into websites, click buttons, or complete OAuth flows.
This is where URL elicitation becomes extremely important.
In this article, we'll explain:
- What MCP URL elicitation is
- Why it exists
- How it works internally
- A real working example using OAuth
- Security considerations
- When you should and should not use it
The Problem MCP URL Elicitation Solves
Imagine you are building an AI assistant that can:
- Create tasks in a project management tool
- Fetch user data from a SaaS platform
- Send emails on behalf of a user
All of these require authentication.
Normally, authentication requires a human to:
- Open a login page
- Enter credentials
- Grant permission
But MCP tools are triggered by LLMs. The LLM cannot open browsers or complete login flows.
So MCP needs a safe way to:
- Ask the user to authenticate manually
- Continue the agent workflow afterward
This process is called URL elicitation.
What is URL Elicitation?
URL elicitation is a mechanism where:
- The MCP server generates an authentication URL.
- The MCP client asks the user to open that URL.
- The user completes authentication in the browser.
- The third-party service redirects back to the MCP server.
- The MCP workflow resumes.
Think of it as:
"Agent asks user to click a login link and waits for confirmation."
Where URL Elicitation Fits in MCP Architecture
Typical MCP setup:
User ↔ MCP Client ↔ MCP Server ↔ Third-Party APIsDuring authentication:
User ↔ Browser ↔ Third-Party OAuth
↓
MCP Server CallbackStep-by-Step Flow
Let's walk through the complete lifecycle.
Step 1 — User Requests an Action
Example user prompt:
"Connect my WhatsApp account."
The MCP client sends this request to the MCP server.
Step 2 — MCP Server Generates Auth URL
The MCP server:
- Creates an application session
- Generates a correlation identifier (
state) - Builds an OAuth authorization URL
Example:
auth_url = (
"http://whatsapp.local/oauth/authorize"
"?client_id=abc123"
"&redirect_uri=http://localhost:8000/oauth/callback"
"&state=ELICIT_ID"
)Step 3 — MCP Client Performs URL Elicitation
The MCP client shows something like:
"Please open this link to connect your account."
The user opens the URL in a browser.
Step 4 — User Completes Authentication
Inside the third-party UI, the user:
- Logs in
- Grants permission
Step 5 — Third-Party Redirects to MCP Server
Example redirect:
http://localhost:8000/oauth/callback?code=AUTH_CODE&state=ELICIT_IDThe MCP server:
- Exchanges
AUTH_CODEfor access token - Stores token securely
- Links token to application session
Step 6 — MCP Workflow Continues
Now the agent can safely call APIs using stored credentials.
Real Working Example (FastAPI)
Let's simulate this using a dummy third-party OAuth provider.
MCP Server — Start Connection
@mcp.tool()
def connect_whatsapp(session_id: str):
state = str(uuid.uuid4())
auth_url = (
"http://thirdparty.local/authorize"
f"?state={state}"
f"&session_id={session_id}"
)
return {
"action": "open_url",
"url": auth_url
}Third-Party Authorization Page
@app.get("/authorize")
def authorize(state: str, session_id: str):
redirect_url = (
"http://localhost:8000/oauth/callback"
f"?code=DUMMY_CODE"
f"&state={state}"
f"&session_id={session_id}"
)
return HTMLResponse(f"""
<h2>Authorize Application</h2>
<form action="{redirect_url}">
<button type="submit">Approve</button>
</form>
""")MCP Callback Endpoint
@app.get("/oauth/callback")
def callback(code: str, state: str, session_id: str):
access_token = exchange_code_for_token(code)
session_store.update(session_id, {
"access_token": access_token
})
return "Authentication successful"Understanding the Role of state
The state parameter is critical.
It helps:
- Prevent CSRF attacks
- Correlate login responses with agent sessions
- Validate authentication flow integrity
It is typically:
Random UUIDOr:
Encrypted session metadataSecurity Best Practices
URL elicitation can introduce risks if implemented incorrectly.
1 — Never Expose Access Tokens to the LLM
Tokens must be stored server-side.
Bad:
LLM sees tokenGood:
Session ID → Token stored securely2 — Always Validate state
If state mismatches:
Reject callback3 — Use Short-Lived Authentication Codes
Never place tokens directly in redirect URLs.
4 — Encrypt Sensitive Session Data
Use:
- Redis with encryption
- Vault-based storage
- Signed state parameters
Common Mistakes
Passing Tokens Through Tool Arguments
This exposes credentials to the LLM.
Storing Sessions in Memory
MCP clients reconnect frequently. Memory sessions are unreliable.
Not Handling Session Expiry
Tokens must have TTL and refresh flows.
When Should You Use URL Elicitation?
Use it when:
- MCP agent integrates with external SaaS
- User authentication is mandatory
- Agent is used outside authenticated UI environments
- Desktop or chat-only agent flows
When You Might NOT Need It
If the AI agent lives inside an already authenticated product UI, authentication can be delegated via backend services.
Many enterprise copilots follow this approach.
Why URL Elicitation Matters
URL elicitation bridges the gap between:
- Human authentication workflows
- Autonomous AI agents
Without it, agents would be unable to securely access user-specific resources.
Final Thoughts
MCP URL elicitation is a powerful but often misunderstood mechanism. It enables agents to interact with secure third-party systems while preserving user control and credential safety.
As MCP ecosystems grow, understanding authentication patterns like URL elicitation will become essential for building production-ready AI agents.
Bonus: Mental Model
Think of URL elicitation as:
The AI politely asking the user to step in, authenticate, and then stepping back out while remembering the result.
Thank you for reading!