Connecting to Multiple MCP Servers

Descope Outbound Apps make it easy to manage OAuth access to remote services—including other Model Context Protocol (MCP) servers—without storing access tokens in your own client or server infrastructure.

This guide walks through how to configure each MCP server you want to connect to as a custom Outbound App in Descope, and how to interact with these connections from your MCP client.

Overview

MCP clients often need to connect to multiple remote MCP servers on behalf of users or tenants. Each of these servers may expose its own OAuth authorization endpoints and scopes, and managing access tokens for each one individually can quickly become complex.

Descope Outbound Apps allow you to centralize token management, consent flows, and secure storage—while giving your client the ability to interface with any number of MCP servers programmatically and securely.

To implement this use case for your MCP clients, follow the steps below:

Step 1: Configure a Custom Outbound App for Each MCP Server

For each MCP server you want your client to connect to:

  1. Go to the Outbound Apps section in the Descope Console.
  2. Create a Custom app.
  3. Enter the /authorize and /token endpoints of the MCP server you want to connect to (this should be the .well-known/openid-configuration endpoint).
  4. Define the default scopes you want your users or tenants to consent to (e.g., message.send, run-query, get-status). These can be overridden in our SDKs or in a flow.

Now your users will be able to connect to this MCP server by initiating the Descope outbound app connect flow.

Learn more about creating an Outbound App

Step 2: Connect to the Outbound App from Your MCP Client

On the client side (e.g., browser, agent interface, or orchestrator UI), prompt the user to connect to the MCP server by initiating the Descope consent flow.

You can use:

  • Descope Flows (UI-based)
  • Descope SDK (JavaScript, React, etc.)
  • REST API

Once the user completes the consent process, Descope stores the resulting access and refresh tokens securely.

See how to connect to Outbound Apps

Step 3: Retrieve the Token from Your MCP Client Backend

After the token is issued and stored, your server can securely retrieve it using a Descope Management Key and the Management SDK.

This allows your MCP client to:

  • Fetch access tokens for the currently signed-in user
  • Optionally fetch tenant-level tokens for shared access
  • Handle multiple tokens for the same provider with different scopes
  • Automatically refresh and rotate expired tokens

Tokens can be queried using provider ID, user ID, tenant ID, and scope as filters.

See token usage patterns and SDK examples

Multi-Tenant Token Storage

Descope allows you to store access tokens at either the user level or the tenant level:

  • User-level tokens: Each user must complete the connection and consent flow individually.
  • Tenant-level tokens: A single admin or integration connects once, and all users in the tenant can access the MCP server using the same credentials.

This gives you maximum flexibility depending on your security model and user experience needs.
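The lookup described in Step 3 and the user-level versus tenant-level choice above, as an added example that is not Descope's SDK or code from this guide: it filters stored token records by provider ID, user ID, tenant ID, and scope, then prefers the user's own token and the narrowest scope set. The record shape, `selectToken`, and the sample records are assumptions constructed for illustration.

```javascript
// Added example: hypothetical record shape and function name, not Descope's API.
// Constructed sample records; token values are placeholders.
const storedTokens = [
  { providerId: "crm", userId: "u1", tenantId: null,
    scopes: ["run-query"], token: "tok-user-narrow" },
  { providerId: "crm", userId: "u1", tenantId: null,
    scopes: ["run-query", "message.send", "get-status"], token: "tok-user-broad" },
  { providerId: "crm", userId: null, tenantId: "t1",
    scopes: ["run-query", "get-status"], token: "tok-tenant" },
  { providerId: "calendar", userId: "u9", tenantId: null,
    scopes: ["get-status"], token: "tok-other-user" },
];

// Select the token to present to one MCP server for one request.
// Policy of this example (an assumption, adjust to your security model):
//   1. only tokens issued for this provider, so a token is never sent
//      to a server other than the one that issued it;
//   2. only tokens whose scopes cover what the call needs;
//   3. only the caller's own token or their tenant's shared token;
//   4. user-level before tenant-level (per-user attribution and revocation),
//      then the fewest granted scopes (least privilege).
function selectToken(records, { providerId, userId, tenantId, requiredScopes }) {
  const isOwn = (r) => r.userId !== null && r.userId === userId;
  const isTenantShared = (r) =>
    r.userId === null && r.tenantId !== null && r.tenantId === tenantId;

  const candidates = records.filter((r) =>
    r.providerId === providerId &&
    requiredScopes.every((s) => r.scopes.includes(s)) &&
    (isOwn(r) || isTenantShared(r))
  );

  candidates.sort((a, b) =>
    Number(a.userId === null) - Number(b.userId === null) ||
    a.scopes.length - b.scopes.length
  );

  // null means no usable connection: start the connect/consent flow
  // for this provider instead of falling back to another token.
  return candidates.length > 0 ? candidates[0] : null;
}
```

A `null` result for a provider the user has not connected yet is the signal to start the consent flow from Step 2 for that server.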

Example Use Case: Multi-Server Tooling for AI Agents

Imagine your MCP client interfaces with three remote MCP servers:

  • A calendar scheduling service
  • A CRM system
  • A document generator

With Descope Outbound Apps:

  • Each service is registered once with its own discovery endpoint
  • Each user connects to services they want to use (progressively)
  • Tokens are securely stored and retrieved when needed
  • You can scope access to different tools for different tenants or users

This allows you to focus on building agent workflows, not token management.

More Resources

If you need help setting up your first connection or integrating with a specific MCP server, join our AuthTown Community or contact us directly.

Descope makes it easy to build secure, scalable, and interoperable MCP clients—so you can focus on building tools and workflows, not managing tokens.