Scalekit provider updates

[AkshayParihar33]

Description

To provide more capabilities and cleaner integration between FastMCP and Scalekit, we are making the following updates:

Additions & Improvements

• Added support for required_scopes (optional parameter) to enable fine-grained access control.
• Renamed mcp_url → base_url for better alignment with the meaning of the URI being passed in.
• Made client_id optional in the provider configuration. It continues to be handled internally but is planned for deprecation in a future release.

⚠️ Breaking Change

• Removed aud (audience) validation in the provider layer.
  The provider no longer enforces the aud claim during token verification.
  If your implementation depends on audience checks, you can manually validate the aud value from the token within your server logic.

Co-Authored with Codex

Contributors Checklist

• My change closes Scalekit Auth Provider Updates #2412
• I have followed the repository's development workflow
• I have tested my changes manually and by adding relevant tests
• I have performed all required documentation updates

Review Checklist

• I have self-reviewed my changes
• My Pull Request is ready for review

---

[coderabbitai]

Walkthrough

The pull request updates the Scalekit authentication provider across documentation, examples, and source code. Configuration parameters are renamed (mcp_url → base_url, client_id removed), an optional required_scopes parameter is introduced, and the ScalekitProvider constructor signature is updated accordingly. Documentation and examples reflect the new parameter names and environment variables. Metadata endpoint handling was changed to construct and fetch a metadata URL using environment_url and resource_id, with additional logging and explicit 500 error handling on fetch failure.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check	❓ Inconclusive	The title is vague and generic, using non-descriptive terms like 'updates' that don't convey meaningful information about the specific changes.	Use a more specific title that highlights the primary changes, such as 'Update Scalekit provider to use base_url and add required_scopes support'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	All four objectives from issue #2412 are met: required_scopes added, mcp_url renamed to base_url, aud check removed from provider layer, and client_id removed from provider.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the four objectives in issue #2412; no out-of-scope changes detected in documentation and code updates.
Description check	✅ Passed	Pull request description is comprehensive, clearly outlines additions, breaking changes, includes issue reference, and confirms all checklist items completion.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

examples/auth/scalekit_oauth/server.py (1)

22-27: Consider using the existing parse_scopes utility function.

The manual scope parsing here duplicates the logic in fastmcp.utilities.auth.parse_scopes, which is already used by the provider internally. Using the utility function would:

• Ensure consistent parsing behavior
• Reduce code duplication
• Automatically benefit from any future parsing improvements

Apply this diff to use the utility function:

+from fastmcp.utilities.auth import parse_scopes
+
-required_scopes_env = os.getenv("SCALEKIT_REQUIRED_SCOPES")
-required_scopes = (
-    [scope.strip() for scope in required_scopes_env.split(",") if scope.strip()]
-    if required_scopes_env
-    else None
-)
+required_scopes = parse_scopes(os.getenv("SCALEKIT_REQUIRED_SCOPES"))

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 18d4a6a and 4c30022.

⛔ Files ignored due to path filters (1)

• tests/server/auth/providers/test_scalekit.py is excluded by none and included by none

📒 Files selected for processing (5)

• docs/integrations/scalekit.mdx (6 hunks)
• docs/python-sdk/fastmcp-server-auth-providers-scalekit.mdx (1 hunks)
• examples/auth/scalekit_oauth/README.md (2 hunks)
• examples/auth/scalekit_oauth/server.py (2 hunks)
• src/fastmcp/server/auth/providers/scalekit.py (6 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

docs/**/*.mdx

📄 CodeRabbit inference engine (docs/.cursor/rules/mintlify.mdc)

docs/**/*.mdx: Use clear, direct language appropriate for technical audiences
Write instructions and procedures in second person ("you")
Use active voice over passive voice
Use present tense for current states and future tense for outcomes
Maintain consistent terminology across the documentation
Keep sentences concise while preserving necessary context
Use parallel structure in lists, headings, and procedures
Lead with the most important information (inverted pyramid)
Use progressive disclosure: basic concepts before advanced ones
Break complex procedures into numbered steps
Include prerequisites and context before instructions
Provide expected outcomes for each major step
End sections with next steps or related information
Use descriptive, keyword-rich headings for navigation and SEO
Focus on user goals and outcomes rather than system features
Anticipate common questions and address them proactively
Include troubleshooting for likely failure points
Offer multiple pathways when appropriate (beginner vs advanced) and provide an opinionated recommended path
Use for supplementary information that supports the main content
Use for expert advice, shortcuts, or best practices
Use for critical cautions, breaking changes, or destructive actions
Use for neutral background or contextual information
Use to confirm success or completion
Provide single code examples using fenced code blocks with language (and filename when relevant)
Use to present the same concept in multiple languages
For API docs, use to show requests
For API docs, use to show responses
Use and to document procedures and sequential instructions
Use and for platform-specific or alternative approaches
Use / for supplementary content that might interrupt flow
In API docs, use for parameters (path, body, query, header) with type and required/default as appropria...

Files:

• docs/integrations/scalekit.mdx
• docs/python-sdk/fastmcp-server-auth-providers-scalekit.mdx

🧬 Code graph analysis (2)

examples/auth/scalekit_oauth/server.py (1)

src/fastmcp/server/auth/providers/scalekit.py (1)

• ScalekitProvider (44-210)

src/fastmcp/server/auth/providers/scalekit.py (3)

src/fastmcp/server/auth/auth.py (2)

• RemoteAuthProvider (196-266)
• TokenVerifier (170-193)

src/fastmcp/server/auth/providers/jwt.py (1)

• JWTVerifier (165-498)

src/fastmcp/utilities/auth.py (1)

• parse_scopes (9-34)

🪛 Ruff (0.14.4)

src/fastmcp/server/auth/providers/scalekit.py

175-175: Unused function argument: request

(ARG001)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Run tests: Python 3.10 on windows-latest
• GitHub Check: label-issue-or-pr

🔇 Additional comments (12)

src/fastmcp/server/auth/providers/scalekit.py (4)

28-41: Settings changes look correct and align with objectives.

The environment variable prefix change improves clarity, and the addition of base_url and required_scopes fields with the _parse_scopes validator correctly implements the PR objectives. The validator properly handles various scope formats (JSON array, comma-separated, space-separated).

---

117-117: Consider the default value for required_scopes.

Line 117 assigns self.required_scopes = settings.required_scopes or [], which defaults to an empty list. However, at line 140, the code uses required_scopes=self.required_scopes or None. This means an empty list will be converted to None when passed to JWTVerifier.

This behavior may be intentional (to distinguish "no scopes required" from "scopes required but list is empty"), but it would be clearer to be consistent throughout.

Consider one of these approaches:

1. Store None instead of [] when no scopes are configured (change line 117)
2. Remove the or None check at line 140 if empty list is acceptable

Which behavior do you prefer? Do you want JWTVerifier to receive None or [] when no scopes are configured?

---

120-143: Excellent logging additions for debugging authentication flows.

The debug logging at initialization and during JWT verifier creation will greatly help troubleshooting authentication issues. The conditional logging for custom verifiers is also a nice touch.

---

175-199: Robust metadata forwarding with proper error handling.

The metadata endpoint correctly:

• Constructs the Scalekit-specific metadata URL
• Logs the fetch operation
• Handles errors gracefully with appropriate HTTP 500 response
• Returns proper JSON responses

The static analysis warning about unused request parameter is a false positive—Starlette route handlers require this signature.

docs/python-sdk/fastmcp-server-auth-providers-scalekit.mdx (1)

41-42: Documentation accurately reflects the API changes.

The updated environment variable guidance correctly shows:

• BASE_URL replacing MCP_URL
• Addition of optional SCALEKIT_REQUIRED_SCOPES
• Removal of SCALEKIT_CLIENT_ID

This aligns perfectly with the code changes in the provider implementation.

examples/auth/scalekit_oauth/README.md (1)

27-29: Clear and accurate environment variable documentation.

The README correctly documents:

• BASE_URL with a concrete example
• Optional SCALEKIT_REQUIRED_SCOPES with helpful guidance on format

The documentation is clear and helpful for users setting up the example.

examples/auth/scalekit_oauth/server.py (1)

33-34: Correct usage of updated ScalekitProvider API.

The provider initialization correctly uses:

• base_url instead of the old mcp_url
• required_scopes parameter with the parsed scopes

This aligns with the PR objectives and updated provider signature.

docs/integrations/scalekit.mdx (5)

19-20: Prerequisites clearly updated to reflect API changes.

The updated prerequisites correctly describe:

• What credentials to obtain (Environment URL and Resource ID)
• What to prepare (base URL instead of endpoint)

The language is clear and actionable for developers.

---

37-39: Environment configuration examples are clear and complete.

The .env example correctly shows:

• Required variables with descriptive examples
• Optional SCALEKIT_REQUIRED_SCOPES with clear formatting guidance
• Use of BASE_URL instead of the old MCP_URL

---

57-58: Code example accurately demonstrates the updated API.

The ScalekitProvider instantiation correctly shows:

• base_url parameter with descriptive variable name
• required_scopes parameter with example value
• Removal of deprecated client_id parameter

This provides a clear, copy-paste-ready example for users.

---

76-78: Helpful guidance on required_scopes usage.

The tip provides practical advice on when to use required_scopes, helping users understand:

• When to set it (specific permissions needed)
• When to skip it (accept any token for the resource)

This aligns with best practices for OAuth scope enforcement.

---

105-119: Environment variable reference is comprehensive and accurate.

The updated parameter documentation:

• Uses consistent naming (FASTMCP_SERVER_AUTH_SCALEKIT_* prefix)
• Correctly marks required vs optional parameters
• Provides clear descriptions and examples
• Documents the new REQUIRED_SCOPES parameter with format options

All variable names align with the code implementation.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/fastmcp/server/auth/providers/scalekit.py (1)

203-227: Rename unused handler argument to satisfy lint

ruff is flagging request as unused (ARG001). Renaming it to _request keeps the signature Starlette expects while letting the lint pass.

-        async def oauth_authorization_server_metadata(request):
+        async def oauth_authorization_server_metadata(_request):

🧹 Nitpick comments (2)

docs/integrations/scalekit.mdx (2)

15-21: Fix heading hierarchy to start sections with H2

Guidelines call for main sections to begin at H2. Please bump these headings up one level so the structure starts at H2 and reserves H3 for subsections. As per coding guidelines.

-### Prerequisites
+## Prerequisites
@@
-### Step 1: Configure MCP server in Scalekit environment
+## Step 1: Configure MCP server in Scalekit environment

---

49-50: Use the <Warning> component for deprecation notice

Critical callouts should use the <Warning> component rather than a styled blockquote to stay consistent with the docs system. As per coding guidelines.

-> **Warning:** The legacy `mcp_url` and `client_id` parameters are deprecated and will be removed in a future release. Use `base_url` instead of `mcp_url` and remove `client_id` from your configuration.
+<Warning>
+The legacy `mcp_url` and `client_id` parameters are deprecated and will be removed in a future release. Use `base_url` instead of `mcp_url` and remove `client_id` from your configuration.
+</Warning>

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c30022 and b6e7e04.

⛔ Files ignored due to path filters (1)

• tests/server/auth/providers/test_scalekit.py is excluded by none and included by none

📒 Files selected for processing (4)

• docs/integrations/scalekit.mdx (6 hunks)
• examples/auth/scalekit_oauth/README.md (2 hunks)
• examples/auth/scalekit_oauth/server.py (2 hunks)
• src/fastmcp/server/auth/providers/scalekit.py (6 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• examples/auth/scalekit_oauth/README.md

🧰 Additional context used

📓 Path-based instructions (1)

docs/**/*.mdx

📄 CodeRabbit inference engine (docs/.cursor/rules/mintlify.mdc)

docs/**/*.mdx: Use clear, direct language appropriate for technical audiences
Write instructions and procedures in second person ("you")
Use active voice over passive voice
Use present tense for current states and future tense for outcomes
Maintain consistent terminology across the documentation
Keep sentences concise while preserving necessary context
Use parallel structure in lists, headings, and procedures
Lead with the most important information (inverted pyramid)
Use progressive disclosure: basic concepts before advanced ones
Break complex procedures into numbered steps
Include prerequisites and context before instructions
Provide expected outcomes for each major step
End sections with next steps or related information
Use descriptive, keyword-rich headings for navigation and SEO
Focus on user goals and outcomes rather than system features
Anticipate common questions and address them proactively
Include troubleshooting for likely failure points
Offer multiple pathways when appropriate (beginner vs advanced) and provide an opinionated recommended path
Use for supplementary information that supports the main content
Use for expert advice, shortcuts, or best practices
Use for critical cautions, breaking changes, or destructive actions
Use for neutral background or contextual information
Use to confirm success or completion
Provide single code examples using fenced code blocks with language (and filename when relevant)
Use to present the same concept in multiple languages
For API docs, use to show requests
For API docs, use to show responses
Use and to document procedures and sequential instructions
Use and for platform-specific or alternative approaches
Use / for supplementary content that might interrupt flow
In API docs, use for parameters (path, body, query, header) with type and required/default as appropria...

Files:

• docs/integrations/scalekit.mdx

🧬 Code graph analysis (2)

examples/auth/scalekit_oauth/server.py (1)

src/fastmcp/server/auth/providers/scalekit.py (1)

• ScalekitProvider (55-238)

src/fastmcp/server/auth/providers/scalekit.py (3)

src/fastmcp/server/auth/auth.py (2)

• RemoteAuthProvider (196-266)
• TokenVerifier (170-193)

src/fastmcp/server/auth/providers/jwt.py (1)

• JWTVerifier (165-498)

src/fastmcp/utilities/auth.py (1)

• parse_scopes (9-34)

🪛 Ruff (0.14.4)

src/fastmcp/server/auth/providers/scalekit.py

203-203: Unused function argument: request

(ARG001)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Run tests: Python 3.10 on windows-latest

[jlowin]

Thanks @AkshayParihar33. Two thoughts:

1. While you are welcome to deprecate features for backwards compatibility (and generally it is appreciated!) for auth modules we are not currently requiring this; breaking changes are permitted in the interest of always ensuring auth is as secure as possible. Happy to merge this as-is but in case you decide you don't want to support the old pattenr, that's ok too.
2. on audience validation -- there are some open security concerns that the MCP Protocol requires servers to verify that tokens were issued to that server, and so we are actively discussing other DCR implementations that don't do this are potentially technically violating MCP spec... but also it's unclear whether it is actually feasible to satisfy this restriction while also permitting the type of open, pseudonymous authentication that DCR permits. Curious for any thoughts you have (can discuss offline if you prefer)

[AkshayParihar33]

hi @jlowin, thanks for reviewing the PR:

Regarding pt. 1 - As a good number of our customer's first choice is FastMCP, I wanted to keep the backward compatibility for a few versions and hence the deprecation log is in place to notify to stop using the old field and in subsequent release (maybe in a couple of months) will remove that field so that the transition is seamless for the devs.

Regarding pt. 2 - Is it okay if we can discuss this offline over slack (if you prefer that) or via email? Could you share your email-id that I can invite over slack?