Zomato MCP: OAuth Scope Parameter Silently Rewritten, Not Enforced
The OAuth server fronting Zomato's MCP endpoint rewrites the scope request and issues tokens labeled 'offline openid' that nonetheless call every MCP tool, including checkout_cart. The advertised mcp:tools / mcp:resources / mcp:prompts scopes are never enforced at the application layer.