Jared Hanson
@jaredhanson
Co-founder @keycardlabs - securing AI and infrastructure. Build @passportjs. Standards #openid #oauth #wimse #mcp. Ex-@okta @auth0.
An LLM predicts likely next tokens and assigns probabilities. Top-k limits candidates; temperature controls deviation from the top. Models are trained to emit special tokens marking role changes and other client-space cues. The rest is user-space cleverness.
I can't get over the fact that so many engineers still don't grok the fundamentals of what an LLM is. Repeat after me: it's just pattern matching, it doesn't "know" anything
Really needing tab complete for my daily life so I can tab complete more in my IDE.
Unix philosophy + LLM CLI is like bending spoons with your mind.
So annoying that the new jwt.io is borked when pasting tokens containing new lines (common in documentation and specs). Surely I know someone at @auth0 @okta that can push a fix! 🙏
Is it just me, or is it unclear how “act” and “client_id” claims interact when doing OAuth delegation and token exchange?
OAuth 2.0 Token Exchange is a *very* abstract framework. I’m compiling info on how it is actually used in practice. Please send me links to any documentation or projects with implementation details. Thanks! 🙏
Blogs without RSS feeds annoy me. If someone is interested in following what you write, don’t make it hard for them.
Eventually we will create humanoid AI, indistinguishable from real humans. That’s really gonna mess with OAuth flows.
Any of my followers know Python and want to review SDKs for high-security MCP servers and clients? Looking for feedback on if they are idiomatic to the ecosystem.
And here I thought module resolution was complicated when we had CJS and AMD…
What’s your go-to framework for building multi-user, web-based agents? Most of what I’ve encountered falls short of this feature set.
AI and LLMs are driving open standards (MCP, A2A) in a way we haven’t seen in over two decades. Given the chat-based UI, there seems to be an opportunity to bring back open IM protocols like XMPP. This would be a great way to interact with multiple agents. Why hasn’t there been…
🔥 up to announce @boldstartvc Fund VII $250M to back bold technical founders building the autonomous enterprise. From Inception. Before the world believes. It always starts with an idea that feels insane… until it isn’t. 🎥👇🧵
MCP used OAuth for client->server authorization. But there’s also a set of server->client requests: sampling, roots, etc. Is anyone applying authorization to this side of MCP?
Validating OAuth issuer and resource identifiers is critical to securing dynamic access in MCP. Unfortunately the specifications are unclear, which is resulting in insecure implementations. Let's discuss and fix it! mailarchive.ietf.org/arch/msg/oauth…
MCP is pretty great. But oh my are there going to be tons of compatibility issues as the OAuth security concerns are addressed. I worry that security will be traded off for compatibility. Doing my best to make sure that doesn’t happen.
AI is going to give us browser use where, in user-agent framing, the user is an agent and the agent is a client.
For anyone at @confcompsummit in SF today, I'm discussing with a panel at 2:05 PM the security infrastructure needed to take AI agents to production. Say hello and I'll chat about how @KeycardLabs can help!
Turns out, fixing APIs to specific OAuth servers let all sorts of security concerns be ignored. MCP is the canary in the coal mine for these problems.