scalekit-inc/mcp-oauth21-scalekit
skills/mcp-oauth21-scalekit/SKILL.md
Add production-ready OAuth 2.1 authorization to an MCP server using Scalekit. Use this when you need MCP clients (Claude Desktop, Cursor, VS Code, or any MCP client) to discover your authorization server via .well-known/oauth-protected-resource, and when you need to validate Bearer access tokens (aud/iss/exp/scope) before executing MCP tools.
$ install --global
skillsauthnpx skillsauth add scalekit-inc/skills mcp-oauth21-scalekitInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 22, 2026, 5:00 AM287.5s1 file scanned
SKILL.md
- name:
- mcp-oauth21-scalekit
- description:
- Add production-ready OAuth 2.1 authorization to an MCP server using Scalekit. Use this when you need MCP clients (Claude Desktop, Cursor, VS Code, or any MCP client) to discover your authorization server via .well-known/oauth-protected-resource, and when you need to validate Bearer access tokens (aud/iss/exp/scope) before executing MCP tools.
- compatibility:
- MCP servers in Node.js (Express/FastMCP-style) or Python (FastAPI-style). Requires network access to Scalekit and HTTPS in production. Needs environment variables for SCALEKIT_ENVIRONMENT_URL, SCALEKIT_CLIENT_ID, SCALEKIT_CLIENT_SECRET.
- author:
- scalekit
- version:
- 1.0
- category:
- auth
Add OAuth 2.1 authorization to MCP servers (Scalekit)
Goal
Secure an MCP server so only authenticated + authorized users (and approved MCP clients) can call your tools, using Scalekit as the OAuth 2.1 authorization server and your MCP server as the resource server.
When to activate this skill
Activate when the user asks to:
- "Add OAuth/OAuth 2.1/auth to my MCP server"
- "Implement .well-known/oauth-protected-resource"
- "Validate Bearer tokens / add middleware"
- "Enforce scopes per tool" / "least privilege for MCP tools"
- "Make my MCP server work with Claude Desktop / Cursor / VS Code auth"
Inputs you must collect (ask if missing)
- MCP server base URL (public): e.g. https://mcp.example.com
- Scalekit environment URL: https://<env>.scalekit.com (or provided)
- Resource identifier to validate as
aud:- Prefer the "Server URL" registered in Scalekit, OR
- The Scalekit-generated resource id if no Server URL was configured
- Scopes to support (and which tool requires which scope)
- Framework/runtime: Node.js (Express/FastMCP) or Python (FastAPI)
- Whether this is "public clients" usage (Claude/Cursor/VS Code) → recommend enabling DCR + CIMD in dashboard
Outputs you should produce
- A public discovery endpoint:
/.well-known/oauth-protected-resource - A token-validation middleware applied to MCP endpoints (excluding
/.well-known/*) - Optional: per-tool scope authorization checks
- A small production checklist (CORS, HTTPS, logging, secrets)
Procedure
1) Scalekit dashboard setup (resource server registration)
- Create/register an MCP server in the Scalekit dashboard.
- If this MCP server is meant to be used by public MCP clients, enable:
- Dynamic Client Registration (DCR)
- Client ID Metadata Document (CIMD)
- Configure:
- Server URL (recommended): set it to your MCP server URL if you want tokens to use it as audience.
- Access token lifetime (typical: 5–60 minutes depending on risk).
- Scopes: define permissions like
todo:read,todo:write, etc.
Note: If you toggle DCR/CIMD, restart the MCP server (some frameworks cache auth server details).
2) Implement MCP discovery endpoint
Implement GET /.well-known/oauth-protected-resource and return the resource metadata JSON from Scalekit dashboard ("Metadata JSON" for your MCP server).
Minimum fields to include:
authorization_servers: array containing your Scalekit resource authorization server URL (from dashboard)bearer_methods_supported: includeheaderresource: your MCP server identifier (usually your base URL)resource_documentation: docs URL (optional but recommended)scopes_supported: list of scopes you configured
If the user wants a template, point them to:
assets/oauth-protected-resource.jsonassets/express/well-known-route.tsorassets/fastapi/well_known_route.py
3) Add Bearer token validation middleware (resource server enforcement)
Apply middleware to all MCP endpoints. Rules:
- Allow unauthenticated access to
/.well-known/*so clients can discover metadata. - For all other routes:
- Extract access token from
Authorization: Bearer <token> - If missing → respond
401and includeWWW-Authenticate: Bearer ... resource_metadata="<your .well-known url>" - Validate token using Scalekit SDK:
- Validate
audincludes your configured resource identifier - Validate issuer if your SDK requires/permits it
- Validate expiry and issued-at (SDK typically handles this)
- Validate
- On validation failure → respond
401withWWW-Authenticate
- Extract access token from
Templates:
- Node/Express:
assets/express/auth-middleware.ts - Python/FastAPI:
assets/fastapi/auth_middleware.py
Security notes:
- Do not log raw tokens.
- Prefer constant-time comparisons where relevant (SDK should handle signatures).
- Keep the middleware small; push details to reference docs.
4) Optional: scope-based authorization at tool execution time
For each MCP tool, define required scope(s) and enforce them when executing the tool. Suggested approach:
- Maintain a map:
tool_name -> required_scopes(seeassets/tool-scope-map.example.yaml) - At execution:
- Validate token again with
requiredScopes(or validate once and check claims, depending on SDK support) - If insufficient scope → return an OAuth-style error response (403,
insufficient_scope) with a helpful message
- Validate token again with
5) Testing checklist
- Discovery works: call
/.well-known/oauth-protected-resourcewithout auth and confirm JSON is correct. - Middleware rejects missing token (401 + WWW-Authenticate).
- Valid token passes (200).
- Token with wrong
audfails. - Scope enforcement denies (403) and allows with correct scope.
- Test with at least one MCP host (Claude Desktop / Cursor / VS Code) if that's your target.
6) Production checklist
See references/SECURITY.md. Minimum:
- HTTPS everywhere
- Correct CORS for MCP endpoints
- Secure secret storage (env/secret manager)
- Monitoring + audit logs for auth failures and tool execution
- Reasonable token lifetimes
- Validate resource audience (
aud) strictly - Consider rate limiting on auth-related endpoints
References
- Deep technical notes:
references/REFERENCE.md - Scope design patterns:
references/SCOPES.md - Production hardening:
references/SECURITY.md
Related Skills
scalekit-inc/sk-actions-custom-provider
tools
VerifiedTrustedCommunity
Create or review Scalekit custom providers/connectors for proxy-only usage, including MCP providers. Use this skill when the task is to gather API docs, infer whether a connector is OAuth, Basic, Bearer, or API Key, determine if it is an MCP provider, determine required tracked fields like domain or version, generate provider JSON, check for existing custom providers, show update diffs, run approved create or update curls, and print resolved delete curls.
2SKILL.mdUpdated May 22, 2026
scalekit-inc/setup-scalekit
tools
VerifiedTrustedCommunity
Use when a developer is new to Scalekit and needs guidance on where to start, doesn't know which auth plugin or skill to choose, wants to connect an AI agent or agentic workflow to third-party services (Gmail, Slack, Notion, Google Calendar), needs OAuth or tool-calling auth for agents, wants to add authentication to a project but hasn't chosen an approach yet, or needs to install the Scalekit plugin for their AI coding tool (Claude Code, Codex, Copilot CLI, Cursor, or other agents).
2SKILL.mdUpdated May 22, 2026
scalekit-inc/scalekit-code-doctor
tools
VerifiedTrustedCommunity
Use when a user asks to generate, review, validate, or fix any code snippet that uses Scalekit APIs or SDKs. This skill is the single source of truth for Scalekit code correctness — it can generate illustration-quality snippets from scratch (for docs, websites, or integration guides) and review existing code to catch wrong method names, missing parameters, security anti-patterns, and broken auth flows. Covers all four SDKs (Node, Python, Go, Java), raw REST API calls, and both Scalekit product suites — SaaSKit (SSO, login, sessions, RBAC, SCIM) and AgentKit (connections, tool calling, MCP auth). Use when the user says review my Scalekit code, generate a Scalekit example, validate this auth flow, check my SDK usage, fix my Scalekit integration, write a code sample for docs, or anything involving Scalekit code quality.
2SKILL.mdUpdated May 22, 2026
scalekit-inc/production-readiness-sso
development
VerifiedTrustedCommunity
Walks through a structured production readiness checklist for Scalekit SSO implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, hardening their SSO setup, or wants to verify their Scalekit implementation is production-ready.
2SKILL.mdUpdated May 22, 2026