> **Building with AI coding agents?** Install the authstack plugin with one command. This equips your agent with accurate Scalekit implementation patterns. > > **Recommended**: > ```bash > npx @scalekit-inc/cli setup > ``` > > Global: > ```bash > npm install -g @scalekit-inc/cli > scalekit setup > ``` > > Supports Claude Code, Cursor, GitHub Copilot, Codex + skills for 40+ agents. > Features: full-stack-auth, agent-auth, mcp-auth, modular-sso, modular-scim. > [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/) --- # MCP quickstart with AI coding agents Use AI coding agents to add OAuth 2.1 authentication to your MCP servers in minutes MCPAuthClaudeCodeSection, MCPAuthCodexSection, MCPAuthGitHubCopilotCLISection, CursorCodingAgentSection, SkillsCLICodingAgentSection } from '@/components/templates' Use AI coding agents like Claude Code, GitHub Copilot CLI, Cursor, and OpenCode to add Scalekit's OAuth 2.1 authentication to your MCP servers. Configure the agents to analyze your codebase, apply consistent authentication patterns, and generate production-ready code that integrates OAuth 2.1 end-to-end. This reduces implementation time from hours to minutes and follows security best practices. **Prerequisites** - A [Scalekit account](https://app.scalekit.com) with MCP server management access - Basic familiarity with OAuth 2.1 and MCP server architecture - Terminal access for installing coding agent tools ### Claude Code 1. ## Install the authstack plugin Not yet on Claude Code? Follow the [official quickstart guide](https://code.claude.com/docs/en/quickstart) to install it. ```bash title="Terminal" frame="terminal" showLineNumbers=false npx @scalekit-inc/cli setup ``` For repeated use: ```bash title="Terminal" frame="terminal" showLineNumbers=false npm install -g @scalekit-inc/cli scalekit setup ``` The CLI installs the authstack plugin for you. The plugins guide the coding agent to generate implementation code that matches your project structure. ## Alternative: Enable authentication plugins via plugin wizard Run the plugin wizard to browse and enable available plugins: ```bash title="Claude REPL" showLineNumbers=false /plugins ``` Navigate through the visual interface to enable the MCP authentication plugin: > tip: Auto-update recommendations > > Enable auto-updates for authentication plugins to receive security patches and improvements. Scalekit regularly updates plugins based on community feedback and security best practices. 2. ## Generate authentication implementation Use a structured prompt to direct the coding agent. A well-formed prompt ensures the agent generates complete, production-ready authentication code that includes all required security components. Copy the following prompt into your coding agent: ```md wrap showLineNumbers=false title="Authentication implementation prompt" Add OAuth 2.1 authentication to my MCP server using Scalekit. Initialize ScalekitClient with environment credentials, implement /.well-known/ metadata endpoint for discovery, and add authentication middleware that validates JWT bearer tokens on all MCP requests. Code only. ``` When you submit this prompt, Claude Code loads the MCP authentication skill from the marketplace -> analyzes your existing MCP server structure -> generates authentication middleware with token validation -> creates the OAuth discovery endpoint -> configures environment variable handling. > caution: Review generated code > > Always review AI-generated authentication code before deployment. Verify that environment variables, token validation logic, and error handling match your security requirements. The coding agent provides a foundation, but you must ensure it aligns with your application's specific needs. 3. ## Verify and test the implementation After the coding agent completes, verify that all authentication components are properly configured: Check generated files: - Authentication middleware with JWT validation - Environment variable configuration (`.env.example`) - OAuth discovery endpoint (`/.well-known/oauth-authorization-server`) - Error handling for invalid or expired tokens **Test the authentication flow:** ### Claude Code ```md wrap title="Claude REPL" showLineNumbers=false Now that your MCP server has authentication integrated, let's verify it's working correctly by testing the flow step by step. First, start your MCP server using npm start (Node.js) or python server.py (Python) and confirm it's running without errors. Next, test the OAuth discovery endpoint by running curl http://localhost:3000/.well-known/oauth-authorization-server to verify your server exposes the correct authorization configuration. Then, verify authentication is enforced by calling curl http://localhost:3000/mcp without credentials—this should return a 401 Unauthorized response, confirming protected endpoints are secured. Finally, test with a valid token by running curl -H "Authorization: Bearer YOUR_TOKEN" http://localhost:3000/mcp (replace YOUR_TOKEN with an actual access token from your auth provider) to confirm authenticated requests succeed and return the expected response—if all these steps work as described, your authentication implementation is functioning correctly. ``` ### Node.js ```bash title="Terminal" frame="terminal" # Start your MCP server npm start # Test discovery endpoint curl http://localhost:3000/.well-known/oauth-authorization-server # Test protected endpoint (should return 401) curl http://localhost:3000/mcp # Test with valid token curl -H "Authorization: Bearer YOUR_TOKEN" http://localhost:3000/mcp ``` ### Python ```bash title="Terminal" frame="terminal" # Start your MCP server python server.py # Test discovery endpoint curl http://localhost:3000/.well-known/oauth-authorization-server # Test protected endpoint (should return 401) curl http://localhost:3000/mcp # Test with valid token curl -H "Authorization: Bearer YOUR_TOKEN" http://localhost:3000/mcp ``` The discovery endpoint should return OAuth configuration metadata. Protected endpoints should reject requests without valid tokens and accept requests with properly scoped access tokens. ### Codex 1. ## Install the authstack plugin (recommended) ```bash title="Terminal" frame="terminal" showLineNumbers=false npx @scalekit-inc/cli setup ``` For repeated use, install globally: ```bash title="Terminal" frame="terminal" showLineNumbers=false npm install -g @scalekit-inc/cli scalekit setup ``` Choose Codex when prompted. The CLI installs the authstack plugin. 2. ## Enable the MCP Auth plugin Restart Codex, then open the Plugin Directory and enable the authstack plugin. Install the `mcp-auth` plugin. This plugin includes the workflows, framework-specific guidance, and references Codex uses to generate OAuth 2.1 protection for remote MCP servers. 3. ## Generate the authentication implementation Use a structured prompt to direct Codex. A well-formed prompt helps Codex generate complete, production-ready authentication code that includes all required security components. Copy the following prompt into Codex: ```md wrap showLineNumbers=false title="Authentication implementation prompt" Add OAuth 2.1 authentication to my MCP server using Scalekit. Initialize ScalekitClient with environment credentials, implement /.well-known/ metadata endpoint for discovery, and add authentication middleware that validates JWT bearer tokens on all MCP requests. Code only. ``` When you submit this prompt, Codex loads the MCP Auth plugin from the authstack plugin, analyzes your existing MCP server structure, generates authentication middleware with token validation, creates the OAuth discovery endpoint, and configures environment variable handling. > caution: Review generated code > > Always review AI-generated authentication code before deployment. Verify that environment variables, token validation logic, and error handling match your security requirements. The coding agent provides a foundation, but you must ensure it aligns with your application's specific needs. 4. ## Verify and test the implementation After Codex completes, verify that all authentication components are properly configured: Check generated files: - Authentication middleware with JWT validation - Environment variable configuration (`.env.example`) - OAuth discovery endpoint (`/.well-known/oauth-authorization-server`) - Error handling for invalid or expired tokens Test the authentication flow: ```bash title="Terminal" frame="terminal" # Start your MCP server npm start # Test discovery endpoint curl http://localhost:3000/.well-known/oauth-authorization-server # Test protected endpoint (should return 401) curl http://localhost:3000/mcp # Test with valid token curl -H "Authorization: Bearer YOUR_TOKEN" http://localhost:3000/mcp ``` The discovery endpoint should return OAuth configuration metadata. Protected endpoints should reject requests without valid tokens and accept requests with properly scoped access tokens. ### GitHub Copilot CLI 1. ## Install the authstack plugin (recommended) Need to install GitHub Copilot CLI? See the [getting started guide](https://docs.github.com/en/copilot/how-tos/copilot-cli/cli-getting-started) — an active GitHub Copilot subscription is required. ```bash title="Terminal" frame="terminal" showLineNumbers=false npx @scalekit-inc/cli setup ``` For repeated use, install globally: ```bash title="Terminal" frame="terminal" showLineNumbers=false npm install -g @scalekit-inc/cli scalekit setup ``` The CLI installs the authstack plugin for GitHub Copilot. ## Tool-native alternative ```bash copilot plugin marketplace add scalekit-inc/authstack copilot plugin install agentkit@authstack copilot plugin install saaskit@authstack ``` ## Verify the plugin is installed Confirm the plugin installed successfully: ```bash title="Terminal" frame="terminal" showLineNumbers=false copilot plugin list ``` 3. ## Generate authentication implementation Use a structured prompt to direct GitHub Copilot. A well-formed prompt ensures the agent generates complete, production-ready authentication code that includes all required security components. Copy the following command into your terminal: ```bash wrap title="Terminal" frame="terminal" showLineNumbers=false copilot "Add OAuth 2.1 authentication to my MCP server using Scalekit. Initialize ScalekitClient with environment credentials, implement /.well-known/ metadata endpoint for discovery, and add authentication middleware that validates JWT bearer tokens on all MCP requests. Code only." ``` GitHub Copilot uses the MCP Auth plugin to analyze your existing MCP server structure, generate authentication middleware with token validation, create the OAuth discovery endpoint, and configure environment variable handling. > caution: Review generated code > > Always review AI-generated authentication code before deployment. Verify that environment variables, token validation logic, and error handling match your security requirements. The coding agent provides a foundation, but you must ensure it aligns with your application's specific needs. 4. ## Verify the implementation After GitHub Copilot completes, verify that all authentication components are properly configured: Check generated files: - Authentication middleware with JWT validation - Environment variable configuration (`.env.example`) - OAuth discovery endpoint (`/.well-known/oauth-authorization-server`) - Error handling for invalid or expired tokens Test the authentication flow: ```bash title="Terminal" frame="terminal" # Start your MCP server npm start # Test discovery endpoint curl http://localhost:3000/.well-known/oauth-authorization-server # Test protected endpoint (should return 401) curl http://localhost:3000/mcp # Test with valid token curl -H "Authorization: Bearer YOUR_TOKEN" http://localhost:3000/mcp ``` The discovery endpoint should return OAuth configuration metadata. Protected endpoints should reject requests without valid tokens and accept requests with properly scoped access tokens. ### Cursor 1. ## Install the authstack plugin (recommended) ```bash title="Terminal" frame="terminal" showLineNumbers=false npx @scalekit-inc/cli setup ``` For repeated use, install globally: ```bash title="Terminal" frame="terminal" showLineNumbers=false npm install -g @scalekit-inc/cli scalekit setup ``` The CLI detects Cursor and installs the authstack plugin directly. 2. ## Reload and select plugins Restart Cursor (or run **Developer: Reload Window**), then open **Settings > Cursor Settings > Plugins**. Enable the Scalekit plugins you need (AgentKit, SaaSKit, etc.). > note: Alternative for other agents > > For 40+ agents (Windsurf, Cline, etc.) or to install skills manually, the CLI also offers the skills option, or run: > > ```bash > npx skills add scalekit-inc/authstack > ``` 3. ## Generate the implementation Open Cursor's chat panel with **Cmd+L** (macOS) or **Ctrl+L** (Windows/Linux) and paste in an implementation prompt from the feature page (or describe what you need in natural language). The installed Scalekit plugins provide the agent with accurate patterns. > caution: Review generated code > > Always review AI-generated authentication code before deployment. Verify that environment variables, token validation logic, and error handling match your application's security requirements. 4. ## Verify the implementation After Cursor finishes generating code, confirm all authentication components are in place: - The Scalekit plugin appears in **Settings > Cursor Settings > Plugins** - Scalekit client initialized with your API credentials (set up a `.env` file with your Scalekit environment variables) - Authorization URL generation and callback handler - Session or token integration matching your application's existing patterns ### 40+ agents The authstack plugin works with 40+ AI agents. Skills are installed via the Scalekit CLI or the Vercel Skills CLI. The easiest way for most developers is: ```bash title="Terminal" frame="terminal" showLineNumbers=false npx @scalekit-inc/cli setup ``` For repeated use, install globally: ```bash title="Terminal" frame="terminal" showLineNumbers=false npm install -g @scalekit-inc/cli scalekit setup ``` Then choose the "Other agents" / skills option when prompted. You can also install the skills directly: 1. ## Install interactively Run the command with no flags to be guided through the available skills: ```bash title="Terminal" frame="terminal" showLineNumbers=false npx skills add scalekit-inc/authstack ``` 2. ## Browse and install a specific skill Install the skill for your auth type (for example, MCP OAuth): ```bash title="Terminal" frame="terminal" showLineNumbers=false # List all available skills npx skills add scalekit-inc/authstack --list # Install a specific skill npx skills add scalekit-inc/authstack --skill adding-mcp-oauth ``` 3. ## Invoke the skill Each coding agent has its own behavior for invoking skills. In OpenCode, skills are invoked **automatically by the agent based on natural language** — no slash commands required. The agent has a list of available skills and their `description` fields in context. It reads your intent, matches it against those descriptions, and autonomously calls the skill tool to load the relevant `SKILL.md`. A clear, specific `description` in skill frontmatter is what the agent uses to decide which skill to invoke. **Flow in practice:** - You write a natural language message to the agent - The agent checks its context — it already sees `` with names and descriptions - If your request matches a skill's purpose, the agent calls `skill("")` internally - The full `SKILL.md` content loads into context and the agent follows those instructions {/* TODO: Add screenshot of OpenCode invoking Scalekit skill - use @/assets/docs/dev-kit/opencode-invoke-skill.png */} If your agent does not automatically pick up skills, you can run a command to load a skill and manually select Scalekit's skills to load into context. Refer to your favorite coding agent's documentation for how to invoke skills once they are installed. 4. ## Install all skills globally To add all Scalekit authentication skills to your agents: ```bash title="Terminal" frame="terminal" showLineNumbers=false npx skills add scalekit-inc/authstack --all --global ``` This installs all AgentKit and SaaSKit skills. ## Next steps Your MCP server now has OAuth 2.1 authentication integrated. Test the implementation with your MCP host to verify the authentication flow works correctly. ### Test with MCP hosts Connect your authenticated MCP server to any MCP-compatible host: - **Claude Desktop or Claude Code**: Configure the MCP server connection in settings - **Cursor**: Add the MCP server to your workspace configuration - **Windsurf**: Register the server in your MCP settings - **Other MCP hosts**: Follow your host's documentation for connecting authenticated MCP servers When you connect, the host authenticates using the OAuth 2.1 flow you configured. Verify that protected MCP resources require valid access tokens and that the discovery endpoint provides correct OAuth metadata. --- ## More Scalekit documentation | Resource | What it contains | When to use it | |----------|-----------------|----------------| | [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content | | [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas | | [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |