VS Code
VS Code authenticates to your Descope project once, then connects to your enterprise-managed MCP servers silently. There are two pieces of configuration: the identity provider, set once in settings.json, and each MCP server, listed in mcp.json.
Note
The identity provider VS Code signs in to is your Descope project. Use your Descope issuer URL wherever a provider URL is required.
Your issuer URL is https://api.descope.com/<Your Project ID>, or a different host if you use a custom domain, a different regional base URL, or a Descope Private Cloud deployment.
In a managed organization for VS Code, your admin usually delivers the identity-provider settings for you through an enterprise policy (such as: Windows Group Policy, macOS managed preferences, or /etc/vscode/policy.json on Linux).
If you are setting things up individually, then put the configurations below in your local settings.json file.
Steps
Configure the identity provider
In settings.json, set mcp.enterpriseManagedAuth.idp with the issuer URL and OIDC client credentials your Descope admin gives you.
"mcp.enterpriseManagedAuth.idp": {
"issuer": "<your Descope issuer URL>",
"clientId": "<the OIDC client ID your Descope admin gives you>",
"clientSecret": "<the client secret>"
}If your admin delivers this through enterprise policy, it is already set and you can skip this step.
Add each MCP server
In mcp.json, list each server with its URL and an oauth block that turns on enterprise-managed authentication.
{
"servers": {
"<name>": {
"type": "http",
"url": "<the MCP server URL>",
"oauth": {
"clientId": "<the client ID at the server's authorization server>",
"enterpriseManaged": true
}
}
}
}Note
The oauth.clientId here is the client ID at the MCP server's authorization server: the credential the server owner gives you, not the Descope identity-provider client ID from the previous step.
Set the server's client secret
Do not put the secret in mcp.json. Use the Set Client Secret code lens that appears above the oauth block to store it. VS Code keeps it in your operating system's secret store, not in the file.
Sign in once
The first time you connect to an enterprise-managed server, VS Code opens a browser to sign you in to Descope. After that, every enterprise-managed server connects silently, with no per-server prompt.
When something doesn't work
| What you see | What it means and who to ask |
|---|---|
| Sign-in never starts, or VS Code reports no identity provider | The Descope identity provider is not configured. Set mcp.enterpriseManagedAuth.idp in settings.json, or ask your admin whether it should arrive through enterprise policy. |
| The server connects without enterprise-managed auth, or VS Code cannot discover its authorization server | The MCP server did not advertise protected-resource metadata or list its authorization_servers. Ask the server owner to finish setup. See Validate ID-JAGs for your MCP server. |
| The connection is denied because you do not have the scope | Your access has not been granted. Ask your Descope admin to grant you the scope or access profile. |
| The server rejects the token even though sign-in worked | The token's signature may use an algorithm the server does not verify. Ask your Descope admin to check the signing algorithm set for that server. |