Guides and TutorialsModel Context Protocol (MCP)

MCP SDKs

Descope ships server-side SDKs that protect your MCP server: they validate Descope-issued tokens (signature, aud, scope), expose the required OAuth metadata endpoints, and let you require scopes per tool.

Both SDKs implement the resource-server side of the MCP authorization model: Descope stays the authorization server, and your MCP server validates what it issues. For configuring the server object itself, see MCP Servers.

Framework Integrations

If you build on a framework with a built-in Descope integration, you can wire up basic auth with scopes without our SDKs:

  • FastMCP (Python): DescopeProvider discovers your MCP server's OpenID configuration from its Well-Known URL, validates Descope-issued tokens, and supports DCR.
  • xmcp (TypeScript): the @xmcp-dev/descope plugin adds OAuth 2.1 auth middleware, with session data via getSession() and Connection token fetching.

These integrations cover basic authentication and don't include everything the Descope MCP SDKs provide. Use them on their own if token validation and scopes are all you need, or in conjunction with the SDKs. For example, use FastMCP for the transport and auth wiring with the Python SDK for Connection token retrieval and scope enforcement.

Was this helpful?

On this page