Human interacting with MCP Server
Overview
When a human uses a compliant MCP host, that host acts as the OAuth client. It initiates authorization with the Scalekit Authorization Server, obtains a scoped access token, and interacts securely with the MCP Server on behalf of the user.
This topology is the most common interaction model for real-world MCP use cases: humans interacting with an MCP server, while Scalekit ensures tokens are valid, scoped, and auditable.
Authorization Sequence
How It Works
- Initiation – The human configures an MCP server in their MCP client.
- Challenge – The MCP Server responds with an HTTP 401 containing a WWW-Authenticate header that points to the Scalekit Authorization Server.
- Authorization Flow – The MCP Client opens the user’s browser to initiate the OAuth 2.1 authorization flow. During this step, the Scalekit Authorization Server handles user authentication through Passwordless, Passkeys, Social login providers (like Google, GitHub, or LinkedIn), or Enterprise SSO integrations (such as Okta, Microsoft Entra ID, or ADFS). The user is then prompted to grant consent for the requested scopes. Once approved, Scalekit returns an authorization code, which the MCP Client exchanges for an access token.
- Token Issuance – Scalekit issues an OAuth 2.1 access token containing claims and scopes (for example, todo:read, calendar:write) that represent the user’s permissions.
- Authorized Request – The client calls the MCP Server again, now attaching the Bearer token in the Authorization header.
- Validation and Execution – The MCP Server validates the token issued by Scalekit and executes the requested tool.
Try It Yourself
Head to the FastMCP Examples section to experience this topology in action. There you’ll register a FastMCP server, configure Scalekit Auth, and observe token issuance and validation end-to-end.