Live session with Stephen Sims on Off By One Security. MCP servers are starting to ship without serious thought about auth, and the threat model is not always obvious. We walk the attack surface of a typical MCP deployment, including bearer-token leakage via prompt injection, scope creep, confused-deputy abuse of resource servers, and replay against weakly authenticated clients. Next, we wire in the defenses one layer at a time using a working open-source reference (mcp-authflow), watching each attack class fail as the right primitive lands: PKCE + private_key_jwt with jti anti-replay, audience-bound tokens, and resource-server-side capability checks.
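The defensive checks named above, as an added example that is not taken from the session or from mcp-authflow: a token endpoint rejecting a replayed client-assertion jti, and a resource server enforcing audience and per-tool scope. HS256 stands in for the asymmetric private_key_jwt signature so the block runs on the standard library alone; the key, URLs, tool names and scope strings are constructed.

```python
import base64, hashlib, hmac, json

# Every name, URL and key here is constructed for this example.
KEY = b"constructed-demo-key"  # HS256 stand-in for the asymmetric signature
TOKEN_ENDPOINT = "https://as.example/token"
RESOURCE = "https://mcp.example/files"
TOOL_SCOPE = {"read_file": "files:read", "delete_file": "files:delete"}
seen_jti = {}  # jti -> exp; an entry can be dropped once exp has passed

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def sign(claims):
    """Mint a compact JWS so the checks below have input to work on."""
    body = _b64(b'{"alg":"HS256"}') + b"." + _b64(json.dumps(claims).encode())
    return body + b"." + _b64(hmac.new(KEY, body, hashlib.sha256).digest())

def verify(token, audience, now):
    """Return the claims only if signature, expiry and audience all hold."""
    body, _, sig = token.rpartition(b".")
    if not hmac.compare_digest(sig, _b64(hmac.new(KEY, body, hashlib.sha256).digest())):
        raise PermissionError("bad signature")
    payload = body.split(b".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")
    return claims

def accept_client_assertion(token, now):
    """Token endpoint: a client assertion is single-use, keyed by its jti."""
    claims = verify(token, TOKEN_ENDPOINT, now)
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise PermissionError("missing or replayed jti")
    seen_jti[jti] = claims["exp"]
    return claims["iss"]

def authorize_tool_call(token, tool, now):
    """Resource server: token must name this server and carry the tool's scope."""
    claims = verify(token, RESOURCE, now)
    needed = TOOL_SCOPE.get(tool)
    if needed is None or needed not in claims.get("scope", "").split():
        raise PermissionError("missing scope")
    return claims["sub"]
```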