OAuth authorization server for MCP servers

Secure your Model Context Protocol (MCP) servers with Scalekit’s drop-in OAuth 2.1 authorization solution

Scalekit provides a production-ready OAuth 2.1 authorization server that implements the MCP authorization specification. This guide shows you how to integrate OAuth-based authentication and authorization into your MCP server with minimal code changes.

Why use Scalekit OAuth for MCP servers?

Identity-scoped access: Restrict each token to a specific user or agent.
Granular permissions: Control exactly which tools and data each client can access using fine-grained scopes.
OAuth 2.1 compliance: Rely on a modern, secure, and widely adopted authorization standard.
Comprehensive audit trails: Track who accessed what, when, and with which permissions.

For a deeper explanation of why an OAuth layer is essential for remote MCP servers, read the MCP authorization overview.

How it works

The Scalekit OAuth authorization server and your MCP server work together to secure access and enforce permissions.

Scalekit OAuth authorization server

Acts as the identity provider for your MCP server. It:

Authenticates users and agents
Issues access tokens with fine-grained scopes
Manages OAuth 2.1 flows (authorization code, client credentials)
Supports dynamic client registration for easy onboarding

Your MCP server

Validates incoming access tokens and enforces the permissions encoded in each token. Only requests with valid, authorized tokens are allowed.

This separation of responsibilities ensures a clear boundary: Scalekit handles identity and token issuance, while your MCP server focuses on business logic of executing the actual tool calls.

Getting started

Prerequisites

Before you begin, ensure you have:

Access to your Scalekit account and the API credentials. If you don’t have a Scalekit account yet, you can signup here.

Installed Scalekit SDK into your project

npm install @scalekit/sdk

import { Scalekit } from '@scalekit-sdk/node';

const scalekit = new Scalekit(
  '<SCALEKIT_ENVIRONMENT_URL>',
  '<SCALEKIT_CLIENT_ID>',
  '<SCALEKIT_CLIENT_SECRET>',
);

Step 1: Register your MCP server

In the Scalekit dashboard, navigate to MCP servers and click Add MCP server. Configure your server with the following settings:

MCP server registration

Basic configuration:

Server name: A display name that users will see during authorization (e.g., “My AI Assistant”)
Resource identifier: Your MCP server’s unique identifier, typically your server’s URL (e.g., https://mcp.mycompany.com). Access tokens minted by Scalekit will have the resource identifier as aud claim.

Access control settings:

Allow dynamic client registration — Enables MCP clients to register automatically without manual approval. For security reasons, Scalekit ensures that any client that registers via DCR has to implement PKCE-based OAuth 2.1 flow to prevent authorization code interception attacks.

Token configuration:

Access token lifetime: Recommended 300-3600 seconds (5 minutes to 1 hour)

Authentication Provider:

Use Scalekit: If you are already using Scalekit to power authentication for your other resources like web application, mobile application, API etc, you can continue to use Scalekit as the authentication provider for your MCP server too.
Use your own authentication provider: If you are using any other authentication provider like Microsoft Entra, Google Workspace, AWS Cognito, Auth0, Keycloak etc, you can configure Scalekit to integrate with your existing auth system to validate user identity.

Step 2: Implement resource metadata discovery

Once you have added your MCP server in the Scalekit dashboard, you will be presented with the protected resource metadata information that you can copy directly from the Scalekit Dashboard and implement in your MCP Server.

MCP clients discover your authorization server through the OAuth 2.0 protected resource metadata endpoint.

Resource Metadata Information

Below is the code sample to implement resource metadata discovery in your MCP Server:

1
// Required: OAuth Protected Resource Metadata endpoint
2
// Copy the actual well-known endpoint and the corresponding metadata from the Scalekit dashboard. What is shown here is just a sample
3
app.get('/.well-known/oauth-protected-resource', (req, res) => {
4
  res.json({
5
    "authorization_servers": [
6
      "https://your-company.scalekit.com/resources/res_82829009141891595"
7
    ],
8
    "bearer_methods_supported": [
9
      "header"
10
    ],
11
    "resource": "https://mcp.mycompany.com",
12
    "resource_documentation": "https://mcp.mycompany.com/docs",
13
    "scopes_supported": ["weather:read", "weather:write"]
14
  });
15
});

Description of the OAuth Protected Resource Metadata:

Field	Description
`resource`	The identifier of the resource server. This is the unique identifier of your MCP Server. Every token that Scalekit issues will have this value as `aud` claim.
`authorization_servers`	A list of authorization servers that are trusted by the resource server. MCP Clients use this information to discover more about the authorization server capability by fetching the authorization server.
`bearer_methods_supported`	A list of methods that are supported for bearer tokens. MCP Clients send the OAuth token as `Authorization: Bearer <token>` header.
`resource_documentation`	A URL to the documentation of the resource server.
`scopes_supported`	A list of scopes that are supported by the resource server. MCP Clients use this information to determine which scopes that they would like the token for as part of the OAuth authorize request.

Step 3: Validate Bearer Token in your MCP Server

Your MCP server needs to validate whether all the incoming requests have a valid access token. Below is a sample middleware implementation if you are using expressjs for implementing your MCP Server.

You can use Scalekit SDKs (across Node.js, Java, GoLang, Python) to determine whether the token is valid or not and whether the token has appropriate claim values like aud, iss, exp, iat, scope etc.

Node.js
Python

1
import { Scalekit, TokenValidationOptions } from '@scalekit-sdk/node';
2
import { NextFunction, Request, Response } from 'express';
3

4
const scalekit = new Scalekit('<SCALEKIT_ENVIRONMENT_URL>', '<SCALEKIT_CLIENT_ID>', '<SCALEKIT_CLIENT_SECRET>');
5
// your resource id that you configure in the scalekit dashboard
6
const RESOURCE_ID = `https://your-mcp-server.com`;
7
// your resource metadata endpoint that you can copy from the scalekit dashboard
8
const resource_metadata_endpoint = `https://your-mcp-server.com/.well-known/oauth-protected-resource`;
9
export const WWWHeader = {HeaderKey: 'WWW-Authenticate',HeaderValue: `Bearer realm="OAuth", resource_metadata="${resource_metadata_endpoint}"`}
10

11
export async function authMiddleware(req: Request, res: Response, next: NextFunction) {
12
    try {
13
        // Allow public access to well-known endpoints
14
        if (req.path.includes('.well-known')) {
15
            return next();
16
        }
17

18
        // Apply authentication to all MCP requests
19
        const authHeader = req.headers['authorization'];
20
        const token = authHeader?.startsWith('Bearer ')? authHeader.split('Bearer ')[1]?.trim(): null;
21

22
        if (!token) {
23
            throw new Error('Missing or invalid Bearer token');
24
        }
25

26
        await scalekit.validateToken(token, { audience: [RESOURCE_ID] });
27
        next();
28
    } catch (err) {
29
        return res.status(401).set(WWWHeader.HeaderKey, WWWHeader.HeaderValue).end();
30
    }
31
}
32

33
// Apply to all MCP endpoints
34
app.use('/', authMiddleware);

1
from scalekit import ScalekitClient
2
from scalekit.common.scalekit import TokenValidationOptions
3

4
# Initialize the Scalekit client
5
scalekit_client = ScalekitClient(
6
  '<SCALEKIT_ENVIRONMENT_URL>',
7
  '<SCALEKIT_CLIENT_ID>',
8
  '<SCALEKIT_CLIENT_SECRET>'
9
)
10

11
def validate_token_with_issuer_audience(token: str) -> bool:
12
    """
13

14
    :param token: The token to validate
15
    :return: True if token is valid, False otherwise
16
    """
17
    options = TokenValidationOptions(
18
        issuer="https://your-domain.scalekit.com",
19
        audience=["your-api-audience"]
20
    )
21

22
    try:
23
        is_valid = scalekit_client.validate_access_token(token, options=options)
24
        return is_valid
25
    except Exception as ex:
26
        print(f"Token validation failed: {ex}")
27
        return False

Step 4: (Optional) Implement Scope-based authorization at the tool execution level

Implement scope validation at the MCP tool execution level to ensure that the tool is only executed if the user has authorized the MCP client for the required scope.

Node.js
Python

1
    try{
2
        await scalekit.validateToken(token, { audience: [RESOURCE_ID], requiredScopes: [scope] });
3
    } catch(error){
4
        return res.status(403).json({
5
            error: 'insufficient_scope',
6
            error_description: `Required scope: ${scope}`,
7
            scope: scope
8
      });
9
    }

1
try:
2
    scalekit_client.validate_access_token(
3
        token,
4
        options=TokenValidationOptions(
5
            audience=[RESOURCE_ID],
6
            required_scopes=[scope]
7
        )
8
    )
9
except ScalekitValidateTokenFailureException as ex:
10
    return {
11
        "error": "insufficient_scope",
12
        "error_description": f"Required scope: {scope}",
13
        "scope": scope
14
    }

Next Steps

Download our sample MCP Server: We have put together a simple MCP server that you can check out and run it locally to test the end to end functionality of a working MCP server complete with authentication and authorization. You can download and execute a sample MCP server implementation from GitHub.