The New MCP Authorization Spec is Here! Today marks the one-year anniversary of the Model Context Protocol, and with it, the launch of the new 2025-11-25 specification.

In October, I launched an instance of Meetable for the MCP Community. They've been using it to post working group meetings as well as in-person community events. In just 2 months it already has 41 events listed!

Today I just launched support for BlueSky as a new authentication option in IndieLogin.com!

The IETF OAuth Working Group has adopted the Client ID Metadata Document specification!

I just released some updates for Meetable, my open source event listing website.

Every time I take a Lyft from the San Francisco airport to downtown going up 101, I notice the billboards. The billboards on 101 are always such a good snapshot in time of the current peak of the Silicon Valley hype cycle. I've decided to capture photos of the billboards every time I am there, to see how this changes over time. 

I've seen a lot of complaints about how MCP isn't ready for the enterprise.

Let's not overthink auth in MCP.

Let's not overthink auth in MCP.

Here's where you can find me at IETF 120 in Vancouver!

I just did a massive spring cleaning of one of my servers, trying to clean up what has become quite the mess of clutter. For every website on the server, I either:

The first law of OAuth states that

The sessions I will be attending and presenting at during IETF 120 in Vancouver

IndieWebCamp Düsseldorf took place this weekend, and I was inspired to work on a quick hack for demo day to show off a new feature I've been working on for IndieAuth.

The draft specification OAuth for Browser-Based Applications has just entered Working Group Last Call!

Is it called an OAuth "grant" or a "flow"? What about "grant type"?

It was 11am at the Fort Lauderdale airport, an hour after my non-stop flight to Portland was supposed to have boarded. As I had been watching our estimated departure get pushed back in 15 minute increments, I finally received the dreaded news over the loudspeaker - the flight was cancelled entirely. As hordes of people started lining up to rebook their flights with the gate agent, I found a quiet spot in the corner and opened up my laptop to look at my options.

After a lot of discussion on the mailing list over the last few months, and after some excellent discussions at the OAuth Security Workshop, we've been working on revising the draft to provide clearer guidance and clearer discussion of the threats and consequences of the various architectural patterns in the draft.

Bluesky, a new social media platform and AT Protocol, is unsurprisingly running up against the same challenges and limitations that Flickr, Twitter and many other social media platforms faced in the 2000s: passwords!

I recently got access to the BlueSky beta, and decided to poke around to see what it's all about. I will save the details of what it is and how I feel about it for a different post. However, one of the first things you do when you sign up is choose a username that exists under the bsky.app domain. I have zero interest in another name rush where everyone tries to claim the shortest username possible, so I went with aaronpk.bsky.app rather than trying to get a or apk.

Lately I've been using Apple Keynote to create graphics for using in videos and blog posts. It's a quick way to arrange things on a page, copying and pasting most things just works, and there are enough built in shapes and tools to get the point across. However, after spending a full day creating graphics for a video, I found myself frustrated by the number of clicks required to export a single slide at a time.

I just published a revised version of OAuth for Browser-Based Apps based on the feedback and discussion at IETF 115 London!