# Bring your own auth into your MCP server If you already have an authentication system in place, you can use Scalekit as a drop-in OAuth 2.1 authorization layer for your MCP servers. This federated approach allows you to maintain your existing auth infrastructure while adding standards-compliant OAuth 2.1 authorization for MCP clients. **Why use federated authentication?** - **Preserve existing auth**: Keep your current authentication system and user management - **Standards compliance**: Add OAuth 2.1 authorization without rebuilding your auth layer - **Seamless integration**: Users authenticate with your familiar login experience - **Centralized control**: Maintain full control over user authentication and policies When an MCP client initiates authentication, Scalekit acts as a bridge between the MCP client and your existing authentication system. The flow involves redirecting users to your login endpoint, validating their identity, and passing user information back to Scalekit to complete the OAuth 2.1 flow. ```d2 pad=50 shape: sequence_diagram "MCP Client" "Scalekit" "Your App" "MCP Client" -> "Scalekit": GET /oauth/authorize "Scalekit" -> "Your App": 302 to /login\n?login_request_id=\n&state= "Your App" -> "Your App": Auth user with \n existing auth system "Your App" -> "Scalekit": POST /auth-requests//user "Scalekit" -> "Your App": 200 OK "Your App" -> "Scalekit": 302 to /partner:callback\n?state= "Scalekit" -> "MCP Client": Consent, code, token exchange, tokens ``` 1. ## Initiate authentication flow When the MCP client starts the authentication flow by calling `/oauth/authorize` on Scalekit, Scalekit redirects the user to your configured login endpoint with two critical parameters: - `login_request_id` : Unique identifier for this login request - `state` : OAuth state parameter to maintain security across requests **Example redirect URL:** ```sh showLineNumbers=false frame="none" https:///login?login_request_id=&state= ``` 2. ## Authenticate the user in your system When the user lands on your login page, process authentication using your existing logic?whether that's username/password, SSO, biometric authentication, or any other method your system supports. After successful authentication, make a secure backend-to-backend POST request to Scalekit with the authenticated user's information. ```bash showLineNumbers=false title="Send user details to Scalekit" curl --location '/api/v1/connections//auth-requests//user' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer ' \ --data-raw '{ "sub": "1234567890", "email": "alice@example.com", "given_name": "Alice", "family_name": "Doe", "email_verified": true, "phone_number": "+1234567890", "phone_number_verified": false, "name": "Alice Doe", "preferred_username": "alice.d", "picture": "https://example.com/avatar.jpg", "gender": "female", "locale": "en-US" }' ```

User attribute descriptions

**Required attributes:** - `sub` ? Unique identifier for the user in your system (subject) - `email` ? User's email address **Optional attributes:** - `given_name` ? User's first name - `family_name` ? User's last name - `email_verified` ? Whether email has been verified - `phone_number` ? User's phone number in E.164 format - `phone_number_verified` ? Whether phone has been verified - `name` ? User's full name - `preferred_username` ? Preferred username - `picture` ? URL to user's profile picture - `gender` ? User's gender - `locale` ? User's locale preference (e.g., "en-US")

**Note:** Replace the placeholder values: - `` ? Your Scalekit environment URL - `` ? Unique connection ID provided by Scalekit for your auth integration - `` ? The login request ID from step 1 - `` ? Your Scalekit API access token 3. ## Redirect back to Scalekit After receiving a successful response from Scalekit confirming the user details were accepted, redirect the user back to Scalekit's callback endpoint with the `state` parameter. **Callback URL format:** ```sh showLineNumbers=false frame="none" /sso/v1/connections//partner:callback?state= ``` The `state_value` must match the `state` parameter you received in step 1. This ensures the authentication flow's integrity and prevents CSRF attacks. **State validation:** Always verify that the `state` value you send back matches exactly what you received initially. Mismatched state values should be rejected. 4. ## Complete the OAuth flow After processing the callback from your authentication system, Scalekit automatically handles the remaining OAuth 2.1 flow steps: - Displays the consent screen to the user (if required) - Generates the authorization code - Handles token exchange requests from the MCP client - Issues access tokens with appropriate scopes The MCP client receives valid OAuth 2.1 tokens and can now access your MCP server with the authenticated user's identity. **Security best practices:** - Store and transmit all sensitive data (tokens, user information) securely - Use HTTPS for all communications between your system and Scalekit - Implement proper logging for authentication events for audit trails - The `login_request_id` and `state` parameters are critical for security?never reuse them across requests Your MCP server now supports federated authentication with your existing auth system