Auth & Security Profile

6.1 Authentication

Conformant servers MUST authenticate agents using OAuth 2.1 with short-lived access tokens. Implicit grant MUST NOT be used. Servers SHOULD support the authorization code flow with PKCE for interactive agents and the client credentials flow for backend/service agents.

Tokens MUST be presented per the MCP authorization model. Servers MUST reject expired or malformed tokens with a structured auth.unauthorized error.

6.2 Scopes

Access MUST be scoped per domain and per action class, using the pattern amcp:<domain>:<access>:

amcp:inventory:read
amcp:leads:write
amcp:service:write
amcp:fni:read

• A token MUST be granted the narrowest set of scopes required.
• Read and write are distinct scopes; a :read scope MUST NOT permit tool calls that mutate state.
• Servers MUST enforce scopes on every call and MUST NOT rely on the agent to self-limit.

6.3 PII and sensitive data

Customer and deal data is PII and, in F&I, may include regulated financial information.

• Servers MUST minimize PII in responses to what the requested capability requires, and SHOULD support field-level redaction for agents operating under limited scopes.
• PII MUST NOT appear in error messages, logs returned to the agent, or cursors.
• F&I artifacts (credit, lender decisioning) MUST require an explicit, separate scope and SHOULD be gated behind step-up authorization.
• Servers SHOULD record an audit trail of agent reads and tool calls touching PII, retained per the operator's compliance policy.

6.4 Rate limiting and abuse

Servers SHOULD apply per-token rate limits and MUST signal limiting with a retryable rate_limited error including a retry_after. Agents MUST honor it with backoff.

6.5 Transport

All traffic MUST be over TLS. Servers MUST NOT accept credentials or tokens over an unencrypted channel under any circumstances.

Security is the area where the council most wants partner scrutiny. The profile above is a starting point intended to be hardened — not a finished compliance position.