New in version: 2.13.0
Install auth stack to your FastMCP server with Scalekit using the Remote OAuth pattern: Scalekit handles user authentication, and the MCP server validates issued tokens.
Prerequisites
Before you begin
- Get a Scalekit account and grab your Environment URL from Dashboard > Settings .
- Have your FastMCP server’s base URL ready (can be localhost for development, e.g.,
http://localhost:8000/)
Register MCP server and set environment
In your Scalekit dashboard:
- Open the MCP Servers section, then select Create new server
- Enter server details: a name, a resource identifier, and the desired MCP client authentication settings
- Save, then copy the Resource ID (for example, res_92015146095)
In your FastMCP project’s .env:SCALEKIT_ENVIRONMENT_URL=<YOUR_APP_ENVIRONMENT_URL>
SCALEKIT_RESOURCE_ID=<YOUR_APP_RESOURCE_ID> # res_926EXAMPLE5878
BASE_URL=http://localhost:8000/
# Optional: additional scopes tokens must have
# SCALEKIT_REQUIRED_SCOPES=read,write
Step 2: Add auth to FastMCP server
Create your FastMCP server file and use the ScalekitProvider to handle all the OAuth integration automatically:
Warning: The legacy mcp_url and client_id parameters are deprecated and will be removed in a future release. Use base_url instead of mcp_url and remove client_id from your configuration.
from fastmcp import FastMCP
from fastmcp.server.auth.providers.scalekit import ScalekitProvider
# Discovers Scalekit endpoints and set up JWT token validation
auth_provider = ScalekitProvider(
environment_url=SCALEKIT_ENVIRONMENT_URL, # Scalekit environment URL
resource_id=SCALEKIT_RESOURCE_ID, # Resource server ID
base_url=SERVER_URL, # Public MCP endpoint
required_scopes=["read"], # Optional scope enforcement
)
# Create FastMCP server with auth
mcp = FastMCP(name="My Scalekit Protected Server", auth=auth_provider)
@mcp.tool
def auth_status() -> dict:
"""Show Scalekit authentication status."""
# Extract user claims from the JWT
return {
"message": "This tool requires authentication via Scalekit",
"authenticated": True,
"provider": "Scalekit"
}
Set required_scopes when you need tokens to carry specific permissions. Leave it unset to allow any token issued for the resource.
Testing
Start the MCP server
Use any MCP client (for example, mcp-inspector, Claude, VS Code, or Windsurf) to connect to the running serve. Verify that authentication succeeds and requests are authorized as expected.
Provider selection
Setting this environment variable allows the Scalekit provider to be used automatically without explicitly instantiating it in code.
Set to fastmcp.server.auth.providers.scalekit.ScalekitProvider to use Scalekit authentication.
Scalekit-specific configuration
These environment variables provide default values for the Scalekit provider, whether it’s instantiated manually or configured via FASTMCP_SERVER_AUTH.
FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_ENVIRONMENT_URL
Your Scalekit environment URL from the Admin Portal (e.g., https://your-env.scalekit.com)
FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_RESOURCE_ID
Your Scalekit resource server ID from the MCP Servers section
FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_BASE_URL
Public URL of your FastMCP server (e.g., https://your-server.com or http://localhost:8000/ for development)
FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_MCP_URL is still recognized for backward compatibility but will be removed soon-rename it to ...BASE_URL.FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_REQUIRED_SCOPES
Comma-, space-, or JSON-separated list of scopes that tokens must include to access your server
.env:
# Use the Scalekit provider
FASTMCP_SERVER_AUTH=fastmcp.server.auth.providers.scalekit.ScalekitProvider
# Scalekit configuration
FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_ENVIRONMENT_URL=https://your-env.scalekit.com
FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_RESOURCE_ID=res_456
FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_BASE_URL=https://your-server.com/
# FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_REQUIRED_SCOPES=read,write
# FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_MCP_URL=https://your-server.com/ # Deprecated
from fastmcp import FastMCP
# Authentication is automatically configured from environment
mcp = FastMCP(name="My Scalekit Protected Server")
@mcp.tool
def protected_action() -> str:
"""A tool that requires authentication."""
return "Access granted via Scalekit!"
Capabilities
Scalekit supports OAuth 2.1 with Dynamic Client Registration for MCP clients and enterprise SSO, and provides built‑in JWT validation and security controls.
OAuth 2.1/DCR: clients self‑register, use PKCE, and work with the Remote OAuth pattern without pre‑provisioned credentials.
Validation and SSO: tokens are verified (keys, RS256, issuer, audience, expiry), and SAML, OIDC, OAuth 2.0, ADFS, Azure AD, and Google Workspace are supported; use HTTPS in production and review auth logs as needed.
Debugging
Enable detailed logging to troubleshoot authentication issues:
import logging
logging.basicConfig(level=logging.DEBUG)
Token inspection
You can inspect JWT tokens in your tools to understand the user context:
from fastmcp.server.context import request_ctx
import jwt
@mcp.tool
def inspect_token() -> dict:
"""Inspect the current JWT token claims."""
context = request_ctx.get()
# Extract token from Authorization header
if hasattr(context, 'request') and hasattr(context.request, 'headers'):
auth_header = context.request.headers.get('authorization', '')
if auth_header.startswith('Bearer '):
token = auth_header[7:]
# Decode without verification (already verified by provider)
claims = jwt.decode(token, options={"verify_signature": False})
return claims
return {"error": "No token found"}
