
MCP Factory vs hand-rolled OAuth for MCP servers

When does it make sense to centralize OAuth across your MCP servers, and when is a hand-rolled token-refresh function fine? An honest comparison.


You’re shipping an MCP server. It needs OAuth — maybe Google, maybe Microsoft, maybe GHL. You have two paths.

Path 1: Hand-rolled OAuth in your MCP server

Read the refresh token from an env var. Call the provider’s token endpoint when the access token expires. Cache the result. Maybe write the rotated refresh token back to disk.

This is fine if:

  • You’re shipping exactly one MCP server.
  • The OAuth provider doesn’t rotate refresh tokens.
  • Only one process ever uses that refresh token at a time.
  • You’re comfortable owning the refresh logic, retry policy, and 401-then-retry pattern.

It breaks when:

  • You add a second MCP server using the same integration. Now both have copies of the refresh token. Rotating one breaks the other.
  • The provider rotates refresh tokens (Microsoft Graph, GoHighLevel). Two processes refresh concurrently, one wins, the other is locked out.
  • You need to revoke a user’s access. Now you have to remember every server that cached their token.
  • A team member needs to add a new MCP server. They need the client secret, redirect URI, scopes, and to run a fresh OAuth flow.
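Both halves of Path 1 above, as an added example (this is not code from the post or from MCP Factory): the hand-rolled refresher with an env-var bootstrap, an in-memory access-token cache, rotated-refresh-token persistence and the 401-then-retry helper, run first as one server across a restart (where persistence saves it) and then as two servers holding copies of the same rotating refresh token (where the second refresh is rejected). The provider is a constructed in-memory stand-in for a token endpoint that rotates refresh tokens; the OAUTH_REFRESH_TOKEN / DEMO_RT variable names and the token file path are assumptions.

```python
import json
import os
import secrets
import tempfile
import time


class FakeRotatingProvider:
    """Constructed stand-in for a token endpoint that rotates refresh tokens on
    every use (Microsoft Graph / GoHighLevel style): each one is single-use."""

    def __init__(self):
        self.valid_refresh_tokens = set()

    def mint_refresh_token(self):
        rt = "rt_" + secrets.token_hex(8)
        self.valid_refresh_tokens.add(rt)
        return rt

    def token_endpoint(self, refresh_token):
        # Simulated POST /token grant_type=refresh_token; no network involved.
        if refresh_token not in self.valid_refresh_tokens:
            return 400, {"error": "invalid_grant"}
        self.valid_refresh_tokens.discard(refresh_token)   # old token is now dead
        new_rt = self.mint_refresh_token()                 # its replacement
        return 200, {"access_token": "at_" + secrets.token_hex(8),
                     "expires_in": 3600, "refresh_token": new_rt}


class HandRolledTokenStore:
    """Path 1: refresh logic one MCP server owns. Refresh token from an env var
    (name assumed), access token cached in memory, rotated token written to disk."""

    def __init__(self, provider, token_file, env_var="OAUTH_REFRESH_TOKEN", skew=60):
        self.provider, self.token_file, self.skew = provider, token_file, skew
        self._access_token, self._expires_at = None, 0.0
        # Prefer the on-disk copy: it may hold a rotated token newer than the env var.
        self._refresh_token = self._load_from_disk() or os.environ.get(env_var)
        if not self._refresh_token:
            raise RuntimeError(f"no refresh token in {token_file} or ${env_var}")

    def _load_from_disk(self):
        try:
            with open(self.token_file) as f:
                return json.load(f).get("refresh_token")
        except (FileNotFoundError, json.JSONDecodeError):
            return None

    def get_access_token(self, force=False):
        """Serve from cache unless near expiry (or force=True); otherwise refresh."""
        if not force and self._access_token and time.time() < self._expires_at - self.skew:
            return self._access_token
        status, body = self.provider.token_endpoint(self._refresh_token)
        if status != 200:
            raise PermissionError(f"refresh failed: {body}")
        self._access_token = body["access_token"]
        self._expires_at = time.time() + body["expires_in"]
        if body.get("refresh_token"):   # rotated: persist it or the next restart is locked out
            self._refresh_token = body["refresh_token"]
            with open(self.token_file, "w") as f:
                json.dump({"refresh_token": self._refresh_token}, f)
        return self._access_token


def call_api(store, api_call):
    """401-then-retry: try the cached token, force one refresh on 401, retry once."""
    status, body = api_call(store.get_access_token())
    if status == 401:
        status, body = api_call(store.get_access_token(force=True))
    return status, body


def demo_single_server_restart():
    """One server, one token: rotation survives a restart because the rotated token is reloaded."""
    provider = FakeRotatingProvider()
    os.environ["DEMO_RT"] = provider.mint_refresh_token()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tokens.json")
        HandRolledTokenStore(provider, path, env_var="DEMO_RT").get_access_token()  # rotates + persists
        restarted = HandRolledTokenStore(provider, path, env_var="DEMO_RT")       # reads rotated token
        return restarted.get_access_token(force=True).startswith("at_")


def demo_two_servers_one_refresh_token():
    """Two servers with copies of one refresh token: returns (server_a_ok, server_b_ok)."""
    provider = FakeRotatingProvider()
    os.environ["DEMO_RT"] = provider.mint_refresh_token()
    with tempfile.TemporaryDirectory() as d:
        a = HandRolledTokenStore(provider, os.path.join(d, "a.json"), env_var="DEMO_RT")
        b = HandRolledTokenStore(provider, os.path.join(d, "b.json"), env_var="DEMO_RT")
        a_ok = a.get_access_token().startswith("at_")   # consumes the shared token
        try:
            b_ok = b.get_access_token().startswith("at_")
        except PermissionError:                         # invalid_grant: b is locked out
            b_ok = False
    return a_ok, b_ok
```

`demo_single_server_restart()` returns True and `demo_two_servers_one_refresh_token()` returns `(True, False)`: persistence to disk is enough for one process, but nothing in a single server's refresh function can coordinate with a second copy of the same refresh token.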

Path 2: MCP Factory

The factory holds the refresh token. Your MCP server hits one endpoint:

GET /api/credentials/google/{service}/token
Authorization: Bearer mcp_xxx

The factory returns a fresh access token, scoped to the user the mcp_xxx key belongs to.

This is worth it when:

  • You’re running 2+ MCP servers that share any integration.
  • You’re using providers that rotate refresh tokens.
  • You have multiple users, each with their own OAuth grants.
  • You want one place to revoke access, rotate client secrets, monitor health.
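The endpoint shape above and the single revocation point, as an added example (not MCP Factory's own code): an MCP server carries nothing but its mcp_xxx key, the factory alone holds each user's refresh token and resolves the key to that user's grant, and revoking the grant cuts off every server holding a key for that user at once. The factory and the downstream provider API are constructed in-memory stand-ins; the user names, key format and error bodies are assumptions.

```python
import secrets
import time


class FakeFactory:
    """Constructed stand-in for the factory. It alone holds each user's refresh
    token, maps mcp_xxx keys to users, and is the one place a grant is revoked."""

    def __init__(self):
        self._keys = {}     # mcp_xxx key -> user id
        self._grants = {}   # (user, provider, service) -> refresh token (never leaves the factory)
        self._cache = {}    # (user, provider, service) -> (access_token, expires_at)

    def create_key(self, user):
        key = "mcp_" + secrets.token_hex(8)
        self._keys[key] = user
        return key

    def store_grant(self, user, provider, service, refresh_token):
        self._grants[(user, provider, service)] = refresh_token

    def revoke(self, user, provider, service):
        # One place to cut access: every server holding a key for this user loses it at once.
        self._grants.pop((user, provider, service), None)
        self._cache.pop((user, provider, service), None)

    def get_token(self, bearer, provider, service):
        """GET /api/credentials/{provider}/{service}/token with Authorization: Bearer mcp_xxx."""
        user = self._keys.get(bearer)
        if user is None:
            return 401, {"error": "invalid_api_key"}
        grant = (user, provider, service)
        if grant not in self._grants:
            return 403, {"error": "no_active_grant"}
        cached = self._cache.get(grant)
        if cached and cached[1] - time.time() > 60:
            return 200, {"access_token": cached[0], "expires_at": cached[1]}
        # Single refresh path for all callers: a real factory serialises this so
        # concurrent servers never race on a rotating refresh token (simulated here).
        token, expires_at = "at_" + secrets.token_hex(8), time.time() + 3600
        self._cache[grant] = (token, expires_at)
        return 200, {"access_token": token, "expires_at": expires_at}


def mcp_call(factory, mcp_key, provider, service, downstream):
    """What an MCP server does per request: fetch a token using only its
    mcp_xxx key, then call the provider API (downstream is a simulated callable)."""
    status, body = factory.get_token(mcp_key, provider, service)
    if status != 200:
        return status, body
    return downstream(body["access_token"])


def demo():
    """Two of alice's servers share one grant without copying the refresh token;
    bob is isolated; revoking alice cuts off both of her servers at once."""
    factory = FakeFactory()
    factory.store_grant("alice", "google", "calendar", "rt_alice_constructed")
    factory.store_grant("bob", "google", "calendar", "rt_bob_constructed")
    alice_1, alice_2, bob = (factory.create_key(u) for u in ("alice", "alice", "bob"))
    seen = []

    def downstream(access_token):   # simulated provider API: records the token it was given
        seen.append(access_token)
        return 200, {"ok": True}

    for key in (alice_1, alice_2, bob):
        mcp_call(factory, key, "google", "calendar", downstream)
    result = {"alice_servers_share_token": seen[0] == seen[1],
              "bob_isolated": seen[2] != seen[0]}
    factory.revoke("alice", "google", "calendar")
    result["alice_after_revoke"] = mcp_call(factory, alice_1, "google", "calendar", downstream)[0]
    result["bob_after_revoke"] = mcp_call(factory, bob, "google", "calendar", downstream)[0]
    result["unknown_key"] = mcp_call(factory, "mcp_bogus", "google", "calendar", downstream)[0]
    return result
```

`demo()` shows the two properties the comparison hinges on: the refresh token never reaches an MCP server (so a second server cannot hold a stale copy), and revocation is a single call at the factory rather than a hunt through every server's cache.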

It’s not worth it when:

  • You have exactly one MCP server, used by one user, against one provider that doesn’t rotate refresh tokens. The factory is overkill.

The decision rule

If you’ll ship a second MCP server within 6 months, build for the factory now. Migrating later means rewriting credential handling in every existing server. Building it in from day one costs you an HTTP call and saves you an architectural refactor.

Try it

Start a free trial or self-host from source.

Tags:

#mcp #oauth #architecture
