Secure, scoped access to tools for AI agents

We’ve launched a production-ready MCP server for Scalekit, designed to expose our tools to both human users and AI agents through a standardized, secure interface. It’s built on the Model Context Protocol (MCP) with OAuth 2.1-based auth, scoped permissions, and real-time tool registration.

Why we built it

As AI agents like Claude and ChatGPT get better at interacting with APIs, exposing tools safely is becoming essential. We wanted a way to make Scalekit features accessible to agents—without opening up security risks or building custom integrations per client.

How it works

1. Auth-first from day one
Every request is authenticated using Scalekit’s MCP Auth (OAuth 2.1). Tokens are verified and scopes are enforced per tool.

2. Tools registered with scopes
Each tool is defined declaratively with its own scope requirements, input validation, and run logic.

3. Real agent testing via mcp-remote
We tested the setup with Claude Desktop, ChatGPT, and Windsurf using mcp-remote to simulate real usage and debug CORS, headers, and scope behavior.

4. MCP Inspector = essential
We relied on MCP Inspector to view registered tools, run test calls, inspect payloads, and validate edge cases—without needing a full agent session.

What’s live now

• Secure, scoped OAuth 2.1-based access
• Streamable HTTP support
• Tool registry with real-time metadata
• Works with Claude, ChatGPT, Windsurf
• Clean, modular tool definitions

Find the list of tools available here.

What’s coming next

• Richer metadata and more tools, prompts and resources
• More tools covering environments, orgs, templates
• Usage tracking and metrics for insights

Explore docs here or get started on github.

‍