Added Descope MCP Server auth #848

Closed
mrunankpawar wants to merge 4 commits into alpic-ai:main from mrunankpawar:feat/auth-descope

@mrunankpawar

Adds examples/auth-descope, a complete MCP server example that uses Descope as the auth provider, along with accompanying documentation.

Developers can configure an MCP Server in the Agentic Identity Hub and point it to their MCP server URL. The example implements the complete OAuth 2.1 flow, including server discovery, Dynamic Client Registration (DCR), token exchange, and JWT verification using Descope's JWKS endpoint.

Comment thread examples/auth-descope/src/server.ts Outdated
mcpAuthMetadataRouter({
oauthMetadata: {
issuer: env.SERVER_URL,
authorization_endpoint: `${DESCOPE_MCP_BASE}/authorize`,

Add audience parameter to this after next week.

Audience should be the MCP server URL (aka the audience of the resource)

"client_secret_post",
],
grant_types_supported: ["authorization_code", "refresh_token"],
scopes_supported: ["openid", "email"],

@gaokevin1 gaokevin1 Jun 4, 2026

This I don't think should be statically defined. This will change depending on the MCP server configuration in Descope, right?

@csonigo how would we fetch this from Descope dynamically, if you're serving the AS metadata on our behalf? Is there a way to do this within Skybridge or should the developer just manage this themselves?

Comment thread examples/auth-descope/src/server.ts
Comment thread examples/auth-descope/src/auth.ts
Comment thread examples/auth-descope/README.md

@thleonard

Contributor

Hi @mrunankpawar @gaokevin1, thanks for the PR! Looking forward to merging it!
The PR is still in draft. Is it ready for review on our end, or do you need more time? Either way, you'll need to rebase on main.

@fredericbarthelet

Contributor

Hey @mrunankpawar @gaokevin1, happy to help get this merged soon.
@harijoe is working on an upcoming minor Skybridge release with the addition of OAuth helpers to empower users with a drop-in solution to protect their MCP App.
We'd love to also have the example app as part of the release. Let us know how we can help :)

@gaokevin1

> Hi @mrunankpawar @gaokevin1, thanks for the PR! Looking forward to merging it! The PR is still in draft. Is it ready for review on our end, or do you need more time? Either way, you'll need to rebase on main.

Our changes finally were deployed and we're doing a final review today. After that we can take it out of draft for you guys to review. Thanks!

@harijoe

harijoe commented Jun 19, 2026

Collaborator

Hi @mrunankpawar, hi @gaokevin1, thanks a lot for this, and sorry for the slow turnaround. Your Descope example was genuinely useful and it directly informed where we landed.

We've folded Descope into a broader PR, #879. For consistency we're going to favor that implementation, so we'd like to close this PR in favor of #879, but your contribution is carried over and will still be credited there.

A few notes on how it compares, in the spirit of full transparency:

  • The demo app from your PR is carried over almost verbatim (the coffee-data, view, and helpers are byte-identical).
  • Your manual src/auth.ts (hardcoded JWKS + aud = ${SERVER_URL}/mcp) is replaced by the discovery-based descopeProvider.
  • One correction we made while testing live against Descope: the access token's aud is actually [DCR client id, project id] — not the MCP server URL — so the audience is the Project ID. We verified this end-to-end through the Alpic playground.
  • The one thing your PR has that feat(core): branded DCR OAuth providers (WorkOS, Auth0, Clerk, Stytch, Descope) #879 is currently missing is the docs-site integration. We'd love to bring those over in the follow-up PR that is already in the pipe.

Would you be up for reviewing #879 (especially the Descope bits)? Really appreciate the contribution either way. 🙏

@harijoe harijoe closed this Jun 19, 2026
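
The audience correction discussed in the last comment, as an added example that is not code from this PR or from #879: a claim check that treats `aud` as either a string or an array, run against the token shape reported in the thread. The function names, the issuer URL and every identifier value are constructed placeholders, and signature verification against the JWKS is assumed to have already succeeded.

```typescript
// Added example: claim checks that run AFTER the JWT signature has been
// verified against the provider's JWKS (verification itself is not shown).
type Claims = { iss?: unknown; aud?: unknown; exp?: unknown };
type Verdict = { ok: boolean; reason: string };

// RFC 7519: "aud" is either a single string or an array of strings.
function audiences(aud: unknown): string[] {
  if (typeof aud === "string") return [aud];
  if (Array.isArray(aud) && aud.every((a) => typeof a === "string")) return aud as string[];
  return []; // absent or malformed
}

function checkClaims(
  claims: Claims,
  expected: { issuer: string; audience: string },
  nowSeconds: number,
): Verdict {
  if (claims.iss !== expected.issuer) return { ok: false, reason: "issuer mismatch" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    return { ok: false, reason: "expired or missing exp" };
  }
  const auds = audiences(claims.aud);
  if (auds.length === 0) return { ok: false, reason: "missing or malformed aud" };
  // Exact match against one array entry; no prefix or substring matching.
  if (auds.indexOf(expected.audience) === -1) return { ok: false, reason: "audience mismatch" };
  return { ok: true, reason: "ok" };
}

// Constructed placeholder values, not real Descope identifiers.
const SERVER_URL = "https://mcp.example.test";
const PROJECT_ID = "P_EXAMPLE_PROJECT_ID";
const ISSUER = "https://issuer.example.test";
const NOW = 1800000000; // fixed clock so the result is reproducible

// Token shape reported in the thread: aud = [DCR client id, project id].
const sampleClaims: Claims = {
  iss: ISSUER,
  aud: ["EXAMPLE_DCR_CLIENT_ID", PROJECT_ID],
  exp: NOW + 600,
};

// Expecting the MCP server URL as audience rejects a token of this shape.
const withServerUrl = checkClaims(sampleClaims, { issuer: ISSUER, audience: `${SERVER_URL}/mcp` }, NOW);
// Expecting the project ID accepts it.
const withProjectId = checkClaims(sampleClaims, { issuer: ISSUER, audience: PROJECT_ID }, NOW);
```

A resource server that hardcodes the wrong expected audience fails closed, so the symptom is every request being rejected rather than a bypass; the reason string makes that visible in logs.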