scalekit-inc/mcp-auth-fastmcp-scalekit
skills/mcp-auth-fastmcp-scalekit/SKILL.md
Add Scalekit OAuth authentication to a FastMCP server (Python). Use when you need to protect FastMCP tools with OAuth 2.1 Bearer tokens and enforce per-tool scope checks (e.g. todo:read, todo:write). Authentication is added in 5 lines via ScalekitProvider; scope checks use get_access_token() inside each tool.
$ install --global
skillsauthnpx skillsauth add scalekit-inc/skills mcp-auth-fastmcp-scalekitInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 22, 2026, 4:58 AM164.1s7 files scanned
SKILL.md
- name:
- mcp-auth-fastmcp-scalekit
- description:
- Add Scalekit OAuth authentication to a FastMCP server (Python). Use when you need to protect FastMCP tools with OAuth 2.1 Bearer tokens and enforce per-tool scope checks (e.g. todo:read, todo:write). Authentication is added in 5 lines via ScalekitProvider; scope checks use get_access_token() inside each tool.
- compatibility:
- Python 3.11+. Requires fastmcp>=2.13.0.2 and python-dotenv. Does NOT need custom middleware or a manual .well-known endpoint — FastMCP and ScalekitProvider handle those automatically.
- owner:
- scalekit
- topic:
- mcp-auth
- framework:
- fastmcp
- language:
- python
Add OAuth auth to a FastMCP server (Scalekit)
What this skill builds
- A FastMCP server with
stateless_http=Truethat boots an HTTP transport on a configured port. - OAuth protection via
ScalekitProvider— handles token validation, .well-known discovery, and WWW-Authenticate on 401 automatically. - Per-tool scope enforcement using
get_access_token()fromfastmcp.server.dependencies. - Scopes are pre-configured in the Scalekit dashboard; tools check them at runtime.
Key difference from Express skill
- No manual middleware, no manual .well-known route.
- Auth is injected at the
FastMCP(auth=...)constructor. ScalekitProviderusesresource_id(starts withres_) andmcp_url(base URL + trailing slash).- FastMCP appends
/mcpto the base URL automatically — always register the BASE URL with trailing slash in Scalekit, not the /mcp path.
Inputs to collect (ask if missing)
- SCALEKIT_ENVIRONMENT_URL (your Scalekit env URL, e.g. https://your-env.scalekit.com)
- SCALEKIT_CLIENT_ID
- SCALEKIT_RESOURCE_ID (starts with res_, from Dashboard > MCP Servers)
- MCP_URL: base URL with trailing slash (e.g. http://localhost:3002/)
- PORT (default 3002)
- Scopes to configure (e.g. todo:read, todo:write); these must also be created in the Scalekit dashboard
Mode detection
Ask: "Are we scaffolding a new FastMCP server, or adding auth to an existing FastMCP server?"
- Mode A: New server → use assets/server.py or assets/server-minimal.py as the base
- Mode B: Existing server → apply the patch plan below
Mode A — New server scaffold
Steps
-
Create a directory and virtual environment:
mkdir -p <project-name> cd <project-name> python3 -m venv venv source venv/bin/activate -
Install dependencies using assets/requirements.txt:
pip install -r requirements.txt -
Create .env using assets/env.example (fill real values from Scalekit dashboard).
-
Copy assets/server-minimal.py to server.py and add your tools.
-
Run:
python server.py -
Test with MCP Inspector (point to http://localhost:3002/mcp — note: /mcp, not /):
npx @modelcontextprotocol/inspector@latestLeave Authentication fields empty; DCR handles client registration automatically.
Mode B — Retrofit an existing FastMCP server
Identify insertion points
Ask for the existing server file. Look for:
- How
FastMCP(...)is instantiated - Whether
mcp.run(...)is already present
Patch plan (minimal diffs)
1. Add env vars
Add to .env:
SCALEKIT_ENVIRONMENT_URL=...
SCALEKIT_CLIENT_ID=...
SCALEKIT_RESOURCE_ID=...
MCP_URL=http://localhost:3002/
PORT=3002
2. Add imports
from fastmcp.server.auth.providers.scalekit import ScalekitProvider
from fastmcp.server.dependencies import AccessToken, get_access_token
3. Patch FastMCP constructor
Before (typical):
mcp = FastMCP("My Server")
After:
mcp = FastMCP(
"My Server",
stateless_http=True,
auth=ScalekitProvider(
environment_url=os.getenv("SCALEKIT_ENVIRONMENT_URL"),
client_id=os.getenv("SCALEKIT_CLIENT_ID"),
resource_id=os.getenv("SCALEKIT_RESOURCE_ID"),
mcp_url=os.getenv("MCP_URL"),
),
)
4. Add scope helper
Add once near the top of the file:
def _require_scope(scope: str):
token: AccessToken = get_access_token()
if scope not in token.scopes:
return f"Insufficient permissions: `{scope}` scope required."
return None
5. Add scope checks to each tool
At the top of each @mcp.tool function body, add:
error = _require_scope("your:scope")
if error:
return {"error": error}
See assets/tool-template.py for the full pattern.
6. Patch run call
if __name__ == "__main__":
mcp.run(transport="http", port=int(os.getenv("PORT", "3002")))
Scope design guide
- Register scopes in Scalekit dashboard BEFORE running the server.
- Group by read vs write per resource: e.g. todo:read, todo:write.
- Tools that only read → require read scope.
- Tools that mutate (create/update/delete) → require write scope.
- A token with no matching scope will get {"error": "Insufficient permissions: <scope> required."}.
Verification checklist
- Server boots and logs HTTP transport on http://localhost:PORT/
- MCP Inspector connects to http://localhost:PORT/mcp
- Tool with correct scope → success
- Tool with wrong scope → {"error": "Insufficient permissions..."}
- No token → 401 + WWW-Authenticate (handled by ScalekitProvider automatically)
See references/TROUBLESHOOTING.md for common issues.
Related Skills
scalekit-inc/sk-actions-custom-provider
tools
VerifiedTrustedCommunity
Create or review Scalekit custom providers/connectors for proxy-only usage, including MCP providers. Use this skill when the task is to gather API docs, infer whether a connector is OAuth, Basic, Bearer, or API Key, determine if it is an MCP provider, determine required tracked fields like domain or version, generate provider JSON, check for existing custom providers, show update diffs, run approved create or update curls, and print resolved delete curls.
2SKILL.mdUpdated May 22, 2026
scalekit-inc/setup-scalekit
tools
VerifiedTrustedCommunity
Use when a developer is new to Scalekit and needs guidance on where to start, doesn't know which auth plugin or skill to choose, wants to connect an AI agent or agentic workflow to third-party services (Gmail, Slack, Notion, Google Calendar), needs OAuth or tool-calling auth for agents, wants to add authentication to a project but hasn't chosen an approach yet, or needs to install the Scalekit plugin for their AI coding tool (Claude Code, Codex, Copilot CLI, Cursor, or other agents).
2SKILL.mdUpdated May 22, 2026
scalekit-inc/scalekit-code-doctor
tools
VerifiedTrustedCommunity
Use when a user asks to generate, review, validate, or fix any code snippet that uses Scalekit APIs or SDKs. This skill is the single source of truth for Scalekit code correctness — it can generate illustration-quality snippets from scratch (for docs, websites, or integration guides) and review existing code to catch wrong method names, missing parameters, security anti-patterns, and broken auth flows. Covers all four SDKs (Node, Python, Go, Java), raw REST API calls, and both Scalekit product suites — SaaSKit (SSO, login, sessions, RBAC, SCIM) and AgentKit (connections, tool calling, MCP auth). Use when the user says review my Scalekit code, generate a Scalekit example, validate this auth flow, check my SDK usage, fix my Scalekit integration, write a code sample for docs, or anything involving Scalekit code quality.
2SKILL.mdUpdated May 22, 2026
scalekit-inc/production-readiness-sso
development
VerifiedTrustedCommunity
Walks through a structured production readiness checklist for Scalekit SSO implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, hardening their SSO setup, or wants to verify their Scalekit implementation is production-ready.
2SKILL.mdUpdated May 22, 2026