MCP SDKs
Descope ships server-side SDKs that protect your MCP server: they validate Descope-issued tokens (signature, aud, scope), expose the required OAuth metadata endpoints, and let you require scopes per tool.
Express SDK
Drop-in Express middleware and helpers. Ship an authenticated /mcp endpoint and register tools with per-tool scopes.
Python SDK
Token validation with scope and audience enforcement, Connection token retrieval, and FastMCP integration.
Both SDKs implement the resource-server side of the MCP authorization model: Descope stays the authorization server, and your MCP server validates what it issues. For configuring the server object itself, see MCP Servers.
Framework Integrations
If you build on a framework with a built-in Descope integration, you can wire up basic auth with scopes without our SDKs:
- FastMCP (Python):
DescopeProviderdiscovers your MCP server's OpenID configuration from its Well-Known URL, validates Descope-issued tokens, and supports DCR. - xmcp (TypeScript): the
@xmcp-dev/descopeplugin adds OAuth 2.1 auth middleware, with session data viagetSession()and Connection token fetching.
These integrations cover basic authentication and don't include everything the Descope MCP SDKs provide. Use them on their own if token validation and scopes are all you need, or in conjunction with the SDKs. For example, use FastMCP for the transport and auth wiring with the Python SDK for Connection token retrieval and scope enforcement.
Multi-Tenant MCP Server
Build one tenant-agnostic MCP server whose per-tenant toolset is driven by the token's scopes, so adding a tenant needs no redeploy.
Express MCP SDK
Add Descope authentication to your Express MCP server with drop-in middleware, per-tool scopes, and the required OAuth metadata endpoints.