production-readiness-mcp-auth
Scalekit MCP Auth Production Readiness
Work through each section in order — earlier sections are blockers for later ones.
Quick checks (run first)
- Production environment URL, client ID, and client secret are set (not dev/staging values)
- HTTPS enforced on all auth endpoints
- CORS restricted to your domains only
- API credentials stored in environment variables — never committed to code
Core auth flows
- Test login initiation with authorization URL
- Validate redirect URLs match dashboard configuration exactly
- Test authentication completion and code exchange
- Validate `state` parameter in callbacks (CSRF protection)
- Verify session token storage uses `httpOnly`, `secure`, and `sameSite` flags
- Configure token lifetimes for your security requirements
- Test session timeout and automatic token refresh
- Verify logout clears sessions completely
- Expired tokens handled gracefully
- Network failures show user-friendly messages
MCP authentication
- Test MCP server authentication flow end-to-end
- Verify OAuth consent screen displays correctly for MCP clients
- Test token exchange for MCP connections
- Verify resource metadata published at `/.well-known/oauth-protected-resource`
- Test MCP session management (session creation, expiry, refresh)
- Verify custom auth handlers behave correctly (if used)
- Test MCP client reconnection after token expiry
- Verify scopes are correctly enforced per MCP tool/resource
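The callback, cookie and resource-metadata items in the two checklists above can be exercised with a small preflight script. The following is an added example, not part of this checklist or of the Scalekit SDK; the cookie name `sk_session`, the `example.com` hosts, the state value and the metadata document are constructed placeholders, and the metadata field names follow RFC 9728.

```python
import hmac
import json
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def check_state(callback_state: str, stored_state: str) -> list[str]:
    # CSRF check: the state echoed in the callback must equal the value bound to this session.
    ok = bool(stored_state) and hmac.compare_digest(callback_state, stored_state)
    return [] if ok else ["state parameter missing or does not match the session-bound value"]

def check_session_cookie(set_cookie: str, name: str) -> list[str]:
    # The session token cookie must carry HttpOnly, Secure and SameSite.
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return [f"no Set-Cookie for {name!r}"]
    return [f"{name}: {flag} missing" for flag in ("httponly", "secure", "samesite") if not jar[name][flag]]

def check_resource_metadata(body: str, expected_resource: str) -> list[str]:
    # Validate the document served at /.well-known/oauth-protected-resource (RFC 9728 field names).
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["resource metadata is not valid JSON"]
    if not isinstance(doc, dict):
        return ["resource metadata is not a JSON object"]
    findings = []
    if doc.get("resource") != expected_resource:
        findings.append(f"resource is {doc.get('resource')!r}, expected {expected_resource!r}")
    servers = doc.get("authorization_servers") or []
    if not servers:
        findings.append("authorization_servers missing or empty")
    findings += [f"authorization server {s!r} is not https" for s in servers if urlsplit(s).scheme != "https"]
    if not doc.get("scopes_supported"):
        findings.append("scopes_supported empty: per-tool scope enforcement cannot be checked")
    return findings

# Constructed sample inputs (placeholder values, not real Scalekit output) to exercise the checks.
SAMPLE_METADATA = json.dumps({"resource": "https://mcp.example.com",
                              "authorization_servers": ["https://auth.example.com"],
                              "scopes_supported": ["tools:read", "tools:write"]})
SAMPLE_COOKIE = "sk_session=abc123; Path=/; Secure; SameSite=Lax"  # HttpOnly deliberately omitted

def run_checks() -> list[str]:
    # Aggregate findings; an empty list means every sampled check passed.
    return (
        check_state("n0nce-xyz", "n0nce-xyz")
        + check_session_cookie(SAMPLE_COOKIE, "sk_session")
        + check_resource_checks_placeholder()
        if False else
        check_state("n0nce-xyz", "n0nce-xyz")
        + check_session_cookie(SAMPLE_COOKIE, "sk_session")
        + check_resource_metadata(SAMPLE_METADATA, "https://mcp.example.com")
    )
```

Replace the sample inputs with the real callback request, `Set-Cookie` header and fetched metadata body; on the samples, only the missing `HttpOnly` flag is reported.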
Monitoring and incident readiness
- Auth logs monitoring configured in Dashboard > Auth Logs
- Alerts set for suspicious activity (repeated auth failures, unusual access patterns)
- Error tracking configured for authentication failures
- Log retention policies configured
- Incident response runbook written (who to contact, how to roll back)
- Rollback plan ready (disable MCP auth without breaking existing sessions)
Key metrics:
- MCP auth success/failure rates
- Token exchange latency
- Session creation and duration
- Token refresh frequency