
Human interacting with MCP Server

Learn how a human authenticates with an MCP Server via OAuth 2.1 when using MCP-compliant hosts such as ChatGPT, Claude, VSCode, or Windsurf.

When a human uses a compliant MCP host, that host acts as the OAuth client. It initiates authorization with the Scalekit Authorization Server, obtains a scoped access token, and interacts securely with the MCP Server on behalf of the user.

This topology represents the most common interaction model for real-world MCP use cases: humans interacting with an MCP Server, while Scalekit ensures tokens are valid, scoped, and auditable.



Figure: Human → MCP Server (OAuth 2.1 Authorization Code Flow). Sequence diagram with participants MCP Client, MCP Server and Scalekit Authorization Server: initiate; 401 + WWW-Authenticate header; authentication and user consent; exchange code for access token; issue token with required scopes; call tool with Bearer token; authorized response.
  1. Initiation: The human configures an MCP server in their MCP client.

  2. Challenge: The MCP Server responds with an HTTP 401 containing a WWW-Authenticate header that points to the Scalekit Authorization Server.

  3. Authorization Flow: The MCP Client opens the user’s browser to initiate the OAuth 2.1 authorization flow. During this step, the Scalekit Authorization Server handles user authentication through Passwordless, Passkeys, Social login providers (like Google, GitHub, or LinkedIn), or Enterprise SSO integrations (such as Okta, Microsoft Entra ID, or ADFS). The user is then prompted to grant consent for the requested scopes. Once approved, Scalekit returns an authorization code, which the MCP Client exchanges for an access token.

  4. Token Issuance: Scalekit issues an OAuth 2.1 access token containing claims and scopes (for example, todo:read, calendar:write) that represent the user’s permissions.

  5. Authorized Request: The client calls the MCP Server again, now attaching the Bearer token in the Authorization header.

  6. Validation and Execution: The MCP Server validates the token issued by Scalekit and executes the requested tool.


Head to the FastMCP Examples section to experience this topology in action. There you’ll register a FastMCP server, configure Scalekit Auth, and observe token issuance and validation end-to-end.