You tell your AI agent: “Send that report to my manager.”
It drafts the perfect message — and then stops.
The problem isn’t intelligence; it’s identity.
It can’t press “send,” because your email — like every good enterprise system — lives behind an auth wall.
That’s the invisible barrier keeping AI from doing real work: agents can’t safely act on behalf of their users.
That small roadblock points to a much bigger one. AI agents can reason, plan, and communicate — but they’ve been locked out of the real world. Every time an agent tries to connect to a real system like Gmail, Slack, or Salesforce, it hits that wall.
The invisible blocker behind every stalled agent project
Developers already know the culprit. Model Context Protocol (MCP) — the open standard for connecting AI tools — was designed beautifully for context sharing and tool discovery. But it's missing a crucial piece: secure external authorization.
Agents need OAuth tokens to act on behalf of users, but MCP didn’t define a safe way to get them. The result was predictable: hardcoded service accounts, unscalable hacks, and security reviews that killed projects before they reached production.
MCP worked great for single-user demos — but not for the multi-user, compliance-heavy environments where real work happens.
Why this matters for the enterprise
For enterprises, this wasn’t a minor technical issue, it was a stop sign. Without a secure, standards-based way to handle external authorization, enterprise AI teams couldn’t let agents touch real data or integrate with core systems. No matter how powerful the models or how elegant the workflows, they couldn’t go live — not without duplicating access policies, writing orchestration code, and building custom audit systems just to stay compliant. And no enterprise has time for that on their roadmap.
That’s the bottleneck URL Elicitation removes.
It’s not just about convenience — it’s about compliance, control, and scale.
With URL Elicitation, enterprises can finally deploy internal workforce agents that connect safely to external SaaS tools — using the same OAuth flows their security teams already trust. It’s the bridge between proof-of-concept and production rollout.
And when enterprises can deploy securely, innovation downstream accelerates. Startups, developers, and open-source communities all benefit from a shared, trustworthy standard. MCP becomes not just usable, but deployable.
The breakthrough: URL Elicitation
Arcade authored the new Specification Enhancement Proposal (SEP) for MCP — URL Elicitation — developed alongside Anthropic and the broader MCP community. It introduces a simple but powerful solution: instead of passing credentials through an untrusted client, the agent triggers a secure browser flow where the user authenticates directly. Tokens never touch the model or client, and security boundaries stay intact.
While existing form-based elicitation methods work fine for non-sensitive information, there wasn’t a mechanism to handle sensitive data. URL Elicitation now fills that gap for any action that requires authentication — unblocking MCP for production use.
From demos to deployment
This change unlocks the next phase of the MCP ecosystem.Enterprises can now connect AI agents to real systems securely. Developers can focus on deploying agents, not managing tokens. Security teams can greenlight pilots instead of blocking them.
It’s the difference between seeing AI agents in demos and seeing them in production.
Building the enterprise runtime for MCP
As the authors of this spec, Arcade is already shipping it.Arcade’s MCP Runtime fully supports URL Elicitation today — enabling enterprises to deploy multi-user agents with user-level permissions, standards-based security, and centralized governance out of the box.
Because building AI agents that can drive real impact requires trust, control, and action.
With URL Elicitation, MCP can finally deliver all three.
Learn more: the engineering deep dive
If you want to go deeper into how URL Elicitation works under the hood — from the OAuth token flow to the spec evolution itself — we’ve documented the full technical journey in our original post,“Building MCP Together: Arcade’s Contribution to Secure Agent Auth”
It walks through the security model, design decisions, and code-level examples that show why this spec finally makes MCP production-ready.
Read the full spec → Check out the complete URL Elicitation specification here.
Build the future with Arcade
Arcade is the only runtime built for secure, multi-user MCP deployments.If you’re building agents for real enterprise environments, this is the moment to start.
👉 Sign up for free and see how quickly you can deploy agents that your security team will actually approve.
