Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

scalekit-inc/mcp-auth-fastapi-fastmcp-scalekit

Name: mcp-auth-fastapi-fastmcp-scalekit
Author: scalekit-inc

skills/mcp-auth-fastapi-fastmcp-scalekit/SKILL.md

npx skillsauth add scalekit-inc/skills mcp-auth-fastapi-fastmcp-scalekit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Add OAuth auth to FastAPI + FastMCP (Scalekit)

When to use this skill vs the FastMCP skill

Use THIS skill when:

You need custom FastAPI middleware, routes, or dependency injection alongside MCP tools
You're adding MCP to an existing FastAPI application
You need more control over request handling than FastMCP's built-in ScalekitProvider offers

Use the mcp-auth-fastmcp-scalekit skill instead when:

You're building a standalone MCP server and don't need FastAPI-specific features
You want the simplest possible setup (5-line auth config)

Critical wiring: how FastMCP mounts into FastAPI

FastMCP is NOT run standalone. It is mounted inside FastAPI:

mcp_app = mcp.http_app(path="/")
app = FastAPI(lifespan=mcp_app.lifespan)  # lifespan MUST come from mcp_app
# ... add middleware and routes BEFORE mounting ...
app.mount("/", mcp_app)  # MUST be last

Order matters:

Create mcp_app from FastMCP
Create FastAPI with lifespan=mcp_app.lifespan
Add CORSMiddleware
Add @app.middleware("http") auth middleware
Add GET /.well-known/oauth-protected-resource (public)
Add GET /health (public)
app.mount("/", mcp_app) — ALWAYS last

Inputs to collect (ask if missing)

PORT (default 3002)
SK_ENV_URL, SK_CLIENT_ID, SK_CLIENT_SECRET
EXPECTED_AUDIENCE — must match the Server URL registered in Scalekit (with trailing slash, e.g. http://localhost:3002/)
PROTECTED_RESOURCE_METADATA JSON — copied from Scalekit dashboard MCP server page

Required outcomes

GET /.well-known/oauth-protected-resource → returns PROTECTED_RESOURCE_METADATA JSON (no auth required)
GET /health → {"status": "healthy"} (no auth required)
@app.middleware("http") auth_middleware:
- Exempts /.well-known/oauth-protected-resource and /health
- Extracts Authorization: Bearer <token>
- On missing token → 401 + WWW-Authenticate header
- Validates via scalekit_client.validate_access_token(token, options=TokenValidationOptions(issuer=SK_ENV_URL, audience=[EXPECTED_AUDIENCE]))
- On invalid → 401 + WWW-Authenticate
FastMCP mounted at / with lifespan=mcp_app.lifespan
At least one @mcp.tool registered

Mode A — New project scaffold

Steps

Create directory and virtual environment:

mkdir -p <project-name>
cd <project-name>
python3 -m venv .venv
source .venv/bin/activate

Install dependencies:
```
pip install -r assets/requirements.txt
```
Create .env from assets/env.example (fill real values from Scalekit dashboard).
Use assets/main-minimal.py as starting point. Add your tools using assets/tool-template.py.
Run:
```
python main.py
```
Test with MCP Inspector (point to http://localhost:3002/ — NOT /mcp):
```
npx @modelcontextprotocol/inspector@latest
```

Mode B — Retrofit an existing FastAPI app

Identify insertion points

Ask for the existing server entrypoint. Look for:

Where app = FastAPI(...) is instantiated
Whether app.mount(...) is already used
Existing middleware definitions and their order
Whether POST / is already taken (if so, mount MCP at /mcp instead and update RESOURCE_METADATA_URL)

Patch plan (minimal diffs)

1. Add env vars

SK_ENV_URL=...
SK_CLIENT_ID=...
SK_CLIENT_SECRET=...
EXPECTED_AUDIENCE=http://localhost:3002/
PROTECTED_RESOURCE_METADATA='...'

2. Add imports

from fastmcp import FastMCP, Context
from scalekit import ScalekitClient
from scalekit.common.scalekit import TokenValidationOptions
from starlette.middleware.cors import CORSMiddleware
from fastapi import Request, Response

3. Add Scalekit client + constants

RESOURCE_METADATA_URL = f"http://localhost:{PORT}/.well-known/oauth-protected-resource"
WWW_HEADER = {
    "WWW-Authenticate": f'Bearer realm="OAuth", resource_metadata="{RESOURCE_METADATA_URL}"'
}
scalekit_client = ScalekitClient(
    env_url=SK_ENV_URL,
    client_id=SK_CLIENT_ID,
    client_secret=SK_CLIENT_SECRET,
)

4. Create FastMCP instance + tools BEFORE patching FastAPI

mcp = FastMCP("Your Server Name", stateless_http=True)

@mcp.tool(name="your_tool", description="...")
async def your_tool(...) -> dict:
    ...

5. Patch FastAPI instantiation

Before:

app = FastAPI()

After:

mcp_app = mcp.http_app(path="/")
app = FastAPI(lifespan=mcp_app.lifespan)

WARNING: If the existing app already sets lifespan, merge the lifespans using an async context manager.

6. Add CORSMiddleware (before auth middleware)

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["GET", "POST", "OPTIONS"],
    allow_headers=["*"]
)

7. Add auth middleware

@app.middleware("http")
async def auth_middleware(request: Request, call_next):
    PUBLIC_PATHS = {"/health", "/.well-known/oauth-protected-resource"}
    if request.url.path in PUBLIC_PATHS:
        return await call_next(request)

    auth_header = request.headers.get("authorization")
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(
            '{"error": "Missing Bearer token"}',
            status_code=401,
            headers=WWW_HEADER,
            media_type="application/json"
        )

    token = auth_header.split("Bearer ", 1)[0].strip()
    options = TokenValidationOptions(issuer=SK_ENV_URL, audience=[EXPECTED_AUDIENCE])

    try:
        is_valid = scalekit_client.validate_access_token(token, options=options)
        if not is_valid:
            raise ValueError("Invalid token")
    except Exception:
        return Response(
            '{"error": "Token validation failed"}',
            status_code=401,
            headers=WWW_HEADER,
            media_type="application/json"
        )

    return await call_next(request)

8. Add public routes

@app.get("/.well-known/oauth-protected-resource")
async def oauth_metadata():
    if not PROTECTED_RESOURCE_METADATA:
        return Response('{"error": "config missing"}', status_code=500, media_type="application/json")
    return Response(json.dumps(json.loads(PROTECTED_RESOURCE_METADATA), indent=2), media_type="application/json")

@app.get("/health")
async def health_check():
    return {"status": "healthy"}

9. Mount FastMCP LAST

app.mount("/", mcp_app)

Verification checklist

GET /.well-known/oauth-protected-resource returns JSON without auth
GET /health returns {"status": "healthy"}
POST to MCP endpoint without token → 401 + WWW-Authenticate
POST to MCP endpoint with valid token → tool response
Wrong-audience token → 401
Tool call works end-to-end in MCP Inspector (connect to http://localhost:PORT/)

See references/TROUBLESHOOTING.md for common issues.

scalekit-inc/mcp-auth-fastapi-fastmcp-scalekit

skills/mcp-auth-fastapi-fastmcp-scalekit/SKILL.md

Add Scalekit OAuth authentication to a FastAPI + FastMCP server (Python). Use when you need FastAPI-level middleware control over token validation alongside FastMCP tools. Implements /.well-known/oauth-protected-resource, a Starlette middleware that validates Authorization Bearer tokens via Scalekit SDK (issuer + audience), and mounts FastMCP via app.mount.

2 stars

tools

Updated May 22, 2026

$ install --global

skillsauth

npx skillsauth add scalekit-inc/skills mcp-auth-fastapi-fastmcp-scalekit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 22, 2026, 5:01 AM353.5s7 files scanned

SKILL.md

name:: mcp-auth-fastapi-fastmcp-scalekit
description:: Add Scalekit OAuth authentication to a FastAPI + FastMCP server (Python). Use when you need FastAPI-level middleware control over token validation alongside FastMCP tools. Implements /.well-known/oauth-protected-resource, a Starlette middleware that validates Authorization Bearer tokens via Scalekit SDK (issuer + audience), and mounts FastMCP via app.mount.
compatibility:: Python 3.11+. FastAPI, FastMCP, Uvicorn, scalekit-sdk-python. Requires SK_ENV_URL, SK_CLIENT_ID, SK_CLIENT_SECRET, EXPECTED_AUDIENCE, and PROTECTED_RESOURCE_METADATA JSON.
owner:: scalekit
topic:: mcp-auth
framework:: fastapi-fastmcp
language:: python

Add OAuth auth to FastAPI + FastMCP (Scalekit)

When to use this skill vs the FastMCP skill

Use THIS skill when:

You need custom FastAPI middleware, routes, or dependency injection alongside MCP tools
You're adding MCP to an existing FastAPI application
You need more control over request handling than FastMCP's built-in ScalekitProvider offers

Use the mcp-auth-fastmcp-scalekit skill instead when:

You're building a standalone MCP server and don't need FastAPI-specific features
You want the simplest possible setup (5-line auth config)

Critical wiring: how FastMCP mounts into FastAPI

FastMCP is NOT run standalone. It is mounted inside FastAPI:

mcp_app = mcp.http_app(path="/")
app = FastAPI(lifespan=mcp_app.lifespan)  # lifespan MUST come from mcp_app
# ... add middleware and routes BEFORE mounting ...
app.mount("/", mcp_app)  # MUST be last

Order matters:

Create mcp_app from FastMCP
Create FastAPI with lifespan=mcp_app.lifespan
Add CORSMiddleware
Add @app.middleware("http") auth middleware
Add GET /.well-known/oauth-protected-resource (public)
Add GET /health (public)
app.mount("/", mcp_app) — ALWAYS last

Inputs to collect (ask if missing)

PORT (default 3002)
SK_ENV_URL, SK_CLIENT_ID, SK_CLIENT_SECRET
EXPECTED_AUDIENCE — must match the Server URL registered in Scalekit (with trailing slash, e.g. http://localhost:3002/)
PROTECTED_RESOURCE_METADATA JSON — copied from Scalekit dashboard MCP server page

Required outcomes

GET /.well-known/oauth-protected-resource → returns PROTECTED_RESOURCE_METADATA JSON (no auth required)
GET /health → {"status": "healthy"} (no auth required)
@app.middleware("http") auth_middleware:
- Exempts /.well-known/oauth-protected-resource and /health
- Extracts Authorization: Bearer <token>
- On missing token → 401 + WWW-Authenticate header
- Validates via scalekit_client.validate_access_token(token, options=TokenValidationOptions(issuer=SK_ENV_URL, audience=[EXPECTED_AUDIENCE]))
- On invalid → 401 + WWW-Authenticate
FastMCP mounted at / with lifespan=mcp_app.lifespan
At least one @mcp.tool registered

Mode A — New project scaffold

Steps

Create directory and virtual environment:

mkdir -p <project-name>
cd <project-name>
python3 -m venv .venv
source .venv/bin/activate

Install dependencies:
```
pip install -r assets/requirements.txt
```
Create .env from assets/env.example (fill real values from Scalekit dashboard).
Use assets/main-minimal.py as starting point. Add your tools using assets/tool-template.py.
Run:
```
python main.py
```
Test with MCP Inspector (point to http://localhost:3002/ — NOT /mcp):
```
npx @modelcontextprotocol/inspector@latest
```

Mode B — Retrofit an existing FastAPI app

Identify insertion points

Ask for the existing server entrypoint. Look for:

Where app = FastAPI(...) is instantiated
Whether app.mount(...) is already used
Existing middleware definitions and their order
Whether POST / is already taken (if so, mount MCP at /mcp instead and update RESOURCE_METADATA_URL)

Patch plan (minimal diffs)

1. Add env vars

SK_ENV_URL=...
SK_CLIENT_ID=...
SK_CLIENT_SECRET=...
EXPECTED_AUDIENCE=http://localhost:3002/
PROTECTED_RESOURCE_METADATA='...'

2. Add imports

from fastmcp import FastMCP, Context
from scalekit import ScalekitClient
from scalekit.common.scalekit import TokenValidationOptions
from starlette.middleware.cors import CORSMiddleware
from fastapi import Request, Response

3. Add Scalekit client + constants

RESOURCE_METADATA_URL = f"http://localhost:{PORT}/.well-known/oauth-protected-resource"
WWW_HEADER = {
    "WWW-Authenticate": f'Bearer realm="OAuth", resource_metadata="{RESOURCE_METADATA_URL}"'
}
scalekit_client = ScalekitClient(
    env_url=SK_ENV_URL,
    client_id=SK_CLIENT_ID,
    client_secret=SK_CLIENT_SECRET,
)

4. Create FastMCP instance + tools BEFORE patching FastAPI

mcp = FastMCP("Your Server Name", stateless_http=True)

@mcp.tool(name="your_tool", description="...")
async def your_tool(...) -> dict:
    ...

5. Patch FastAPI instantiation

Before:

app = FastAPI()

After:

mcp_app = mcp.http_app(path="/")
app = FastAPI(lifespan=mcp_app.lifespan)

WARNING: If the existing app already sets lifespan, merge the lifespans using an async context manager.

6. Add CORSMiddleware (before auth middleware)

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["GET", "POST", "OPTIONS"],
    allow_headers=["*"]
)

7. Add auth middleware

@app.middleware("http")
async def auth_middleware(request: Request, call_next):
    PUBLIC_PATHS = {"/health", "/.well-known/oauth-protected-resource"}
    if request.url.path in PUBLIC_PATHS:
        return await call_next(request)

    auth_header = request.headers.get("authorization")
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(
            '{"error": "Missing Bearer token"}',
            status_code=401,
            headers=WWW_HEADER,
            media_type="application/json"
        )

    token = auth_header.split("Bearer ", 1)[0].strip()
    options = TokenValidationOptions(issuer=SK_ENV_URL, audience=[EXPECTED_AUDIENCE])

    try:
        is_valid = scalekit_client.validate_access_token(token, options=options)
        if not is_valid:
            raise ValueError("Invalid token")
    except Exception:
        return Response(
            '{"error": "Token validation failed"}',
            status_code=401,
            headers=WWW_HEADER,
            media_type="application/json"
        )

    return await call_next(request)

8. Add public routes

@app.get("/.well-known/oauth-protected-resource")
async def oauth_metadata():
    if not PROTECTED_RESOURCE_METADATA:
        return Response('{"error": "config missing"}', status_code=500, media_type="application/json")
    return Response(json.dumps(json.loads(PROTECTED_RESOURCE_METADATA), indent=2), media_type="application/json")

@app.get("/health")
async def health_check():
    return {"status": "healthy"}

9. Mount FastMCP LAST

app.mount("/", mcp_app)

Verification checklist

GET /.well-known/oauth-protected-resource returns JSON without auth
GET /health returns {"status": "healthy"}
POST to MCP endpoint without token → 401 + WWW-Authenticate
POST to MCP endpoint with valid token → tool response
Wrong-audience token → 401
Tool call works end-to-end in MCP Inspector (connect to http://localhost:PORT/)

See references/TROUBLESHOOTING.md for common issues.

Related Skills

scalekit-inc/sk-actions-custom-provider

tools

VerifiedTrustedCommunity

Create or review Scalekit custom providers/connectors for proxy-only usage, including MCP providers. Use this skill when the task is to gather API docs, infer whether a connector is OAuth, Basic, Bearer, or API Key, determine if it is an MCP provider, determine required tracked fields like domain or version, generate provider JSON, check for existing custom providers, show update diffs, run approved create or update curls, and print resolved delete curls.

2SKILL.mdUpdated May 22, 2026

scalekit-inc/sk-actions-custom-provider

scalekit-inc/setup-scalekit

tools

VerifiedTrustedCommunity

Use when a developer is new to Scalekit and needs guidance on where to start, doesn't know which auth plugin or skill to choose, wants to connect an AI agent or agentic workflow to third-party services (Gmail, Slack, Notion, Google Calendar), needs OAuth or tool-calling auth for agents, wants to add authentication to a project but hasn't chosen an approach yet, or needs to install the Scalekit plugin for their AI coding tool (Claude Code, Codex, Copilot CLI, Cursor, or other agents).

2SKILL.mdUpdated May 22, 2026

scalekit-inc/setup-scalekit

scalekit-inc/scalekit-code-doctor

tools

VerifiedTrustedCommunity

Use when a user asks to generate, review, validate, or fix any code snippet that uses Scalekit APIs or SDKs. This skill is the single source of truth for Scalekit code correctness — it can generate illustration-quality snippets from scratch (for docs, websites, or integration guides) and review existing code to catch wrong method names, missing parameters, security anti-patterns, and broken auth flows. Covers all four SDKs (Node, Python, Go, Java), raw REST API calls, and both Scalekit product suites — SaaSKit (SSO, login, sessions, RBAC, SCIM) and AgentKit (connections, tool calling, MCP auth). Use when the user says review my Scalekit code, generate a Scalekit example, validate this auth flow, check my SDK usage, fix my Scalekit integration, write a code sample for docs, or anything involving Scalekit code quality.

2SKILL.mdUpdated May 22, 2026

scalekit-inc/scalekit-code-doctor

scalekit-inc/production-readiness-sso

development

VerifiedTrustedCommunity

Walks through a structured production readiness checklist for Scalekit SSO implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, hardening their SSO setup, or wants to verify their Scalekit implementation is production-ready.

2SKILL.mdUpdated May 22, 2026

scalekit-inc/production-readiness-sso

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/scalekit-inc/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/skills/mcp-auth-fastapi-fastmcp-scalekit ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

scalekit-inc/skills

2 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT