Editor’s note
We're happy to feature a guest contributor on the Render blog. This post reflects their own experiences and perspectives; it's not built or endorsed by the Render team.
While early adopters embraced running MCP servers locally via npx and uvx, enterprises quickly pushed back. Instead, they demanded remotely hosted servers that comply with the protocol's specification for security, scalability, and the credibility of MCP as a production-ready standard.
Unfortunately, many developers have run into two key challenges as a part of this shift: remotely hosting their MCP servers and implementing fully spec-compliant authorization. This template does the heavy lifting for you, allowing you to focus on the tools your server exposes instead of babysitting infrastructure.
How it works
We’ve released a secure FastMCP server that uses Render Blueprints for simple deployment. This MCP server enforces scope-based access control on every tool call. Agents perform the full MCP authentication process through a standard OAuth flow, receive a JWT scoped only to the permissions they need, and include that token on every request. If your agent doesn’t have the right permissions to execute a tool, it’s immediately rejected at runtime.
Here's what the core of a protected tool looks like:
First, your MCP server’s tools declare the scopes required in order to use them. Descope manages the identity layer, handling token issuance, validation, and client registration. The descope-mcp SDK handles the primitive functions of scope validation. Finally, Render packages the full server logic into a hosted URL that’s compatible with MCP clients like Cursor, Claude, and ChatGPT.
Ten minutes to a live server
The steps are simple. First, set up a Descope project and build locally. Using the instructions in the repo, configure your MCP server in Descope's Agentic Identity Hub, define your scopes, and grab the config URL.
Then, hit the Deploy to Render button. The included render.yaml handles the infrastructure: web service type, Python runtime, build commands, and more. Next, set your DESCOPE_CONFIG_URL environment variable. This is the Descope well-known URL obtained in the steps above. Deploy and watch Render build and start your MCP server on a live public URL.
The final step is to add your <project-name>.onrender.com URL to your MCP server configuration in Descope to ensure issued tokens only work for your server.
That’s it! Descope handles all of the MCP auth complexity while Render takes care of everything else required for deployment.
One-stop-shop for MCP
I chose Render because infrastructure-as-code via render.yaml means the deployment is fully reproducible. Render Blueprints make it easy for anyone on your team to spin up an MCP server with the same configurations in no time.
Descope handles the specialized protocols required by MCP auth without extensive setup: OAuth 2.1, Protected Resource Metadata, Dynamic Client Registration, Client ID Metadata Documents, and much more. You can add fully spec-compliant MCP auth in less than 5 lines of Python.
Deploying on Render means there’s a natural growth path from experimentation to production. Render handles scaling, custom domains, and infrastructure-as-code, while Descope manages scope issuance, enforcement, and access policies applicable to any attribute of the user or MCP client. It’s everything you need to go from your first MCP server to the #1 app on the ChatGPT App Store.
Try it yourself
This template is your foundation for a production-ready, securely hosted MCP server.
Fork the repo, set up MCP auth in Descope, connect it to Render, and your secured MCP server will be live in minutes.