MCP server template with Descope auth

Why deploy MCP server with Descope auth on Render?

A FastMCP server template that deploys to Render with built-in Descope authentication for MCP (Model Context Protocol) servers. It solves the problem of securing MCP tool access by providing OAuth-based authorization with scope enforcement out of the box.

This template ships a fully configured FastMCP server with Descope authentication already wired up—including the OAuth provider integration, tool-level scope enforcement, and Streamable HTTP transport—so you skip the boilerplate of setting up MCP auth flows yourself. The included render.yaml Blueprint means one click deploys everything with your Descope config URL as the only required input. You get instant HTTPS endpoints and can upgrade to always-on instances directly in the Render Dashboard when you're ready to eliminate cold starts.

Architecture

What you can build

After deploying, you'll have a live MCP server with OAuth authentication handled by Descope, ready to accept connections from MCP clients like Claude Desktop or Cursor. Users authenticate through Descope's login flow, and the server validates their tokens and scopes before executing tools. You can replace the included example tool with your own logic and define custom scopes to control access.

Key features

• Descope OAuth integration: Pre-configured MCP authentication using FastMCP's DescopeProvider with support for CIMD and Dynamic Client Registration out of the box.
• Tool-level scope enforcement: Built-in require_scopes() function allows granular access control on individual tools using JWT claims validation.
• Streamable HTTP transport: Uses FastMCP's HTTP transport mode enabling stateless request handling suitable for serverless and containerized deployments.
• Render Blueprint deployment: Includes render.yaml infrastructure-as-code file for one-click deployment to Render with pre-configured environment variables.
• RFC 8707 Resource Indicators: Token issuance follows the MCP spec's required Resource Indicators standard for proper audience-scoped access tokens.

Use cases

• Solo developer deploys authenticated MCP server to Render in minutes
• Platform team adds scope-based access control to AI agent tools
• Startup protects internal MCP endpoints with Descope OAuth flow
• Backend engineer extends template with custom scoped tools for production

What's included

Prerequisites

• Descope Configuration URL: The Well-Known OpenID Configuration URL from your Descope MCP Server setup, used to enable OAuth authentication for your MCP server.

Next steps

1. Open your Render service URL with /mcp appended (e.g., https://your-project.onrender.com/mcp) and add it to MCP Server URLs in the Descope Console under Agentic Identity Hub → MCP Servers — You should see the URL saved successfully with no validation errors
2. Connect an MCP client like Claude Desktop to your server URL and trigger the hello tool — You should be redirected to Descope's login flow, and after authenticating, see "Hello, world!" returned
3. Test scope enforcement by requesting the hello tool without the mcp:greet scope in your token — You should receive an authorization error indicating insufficient permissions

Resources

• FastMCP official site
• Descope docs