Table of Contents
While early adopters embraced running Model Context Protocol (MCP) servers locally via npx and uvx, enterprises quickly pushed back. Instead, they demanded remotely hosted servers that comply with the protocol's specification for security, scalability, and the credibility of MCP as a production-ready standard.
Unfortunately, many developers have run into two key challenges as a part of this shift: remotely hosting their MCP servers and implementing fully spec-compliant authorization. Descope’s MCP template with Render does the heavy lifting for you, allowing you to focus on the tools your server exposes instead of babysitting infrastructure.
How it works
We’ve released a secure FastMCP server that uses Render Blueprints for simple deployment. This MCP server enforces scope-based access control on every tool call. Agents perform the full MCP authentication process through a standard OAuth 2.1 flow, receive a JWT scoped only to the permissions they need, and include that token on every request. If your agent doesn’t have the right permissions to execute a tool, it’s immediately rejected at runtime.
Here's what the core of a protected tool looks like:
import os
from fastmcp import FastMCP
from descope_mcp import validate_token, require_scopes
mcp = FastMCP("descope-render")
@mcp.tool()
def hello(mcp_access_token: str = None) -> str:
"""Say hello — requires the mcp:greet scope."""
claims = validate_token(mcp_access_token)
require_scopes(claims, ["mcp:greet"])
return "Hello, world!"First, your MCP server’s tools declare the scopes required in order to use them. Descope manages the identity layer, handling token issuance, validation, and client registration. The `descope-mcp` SDK handles the primitive functions of scope validation. Finally, Render packages the full server logic into a hosted URL that’s compatible with MCP clients like Cursor, Claude, and ChatGPT.
Ten minutes to a live server
The steps are simple. First, set up a Descope project and build locally. Using the instructions in the repo, configure your MCP server in Descope's Agentic Identity Hub, define your scopes, and grab the config URL.
Then, hit the "Deploy to Render" button. The included render.yaml handles the infrastructure: web service type, Python runtime, build commands, and more. Next, set your DESCOPE_CONFIG_URL environment variable. This is the Descope well-known URL obtained in the steps above. Deploy and watch Render build and start your MCP server on a live public URL.
The final step is to add your <project-name>.onrender.com URL to your MCP server configuration in Descope to ensure issued tokens only work for your server.
That’s it! Descope handles all of the MCP auth complexity while Render takes care of everything else required for deployment.
One-stop-shop for MCP
I chose Render because infrastructure-as-code via render.yaml means the deployment is fully reproducible. Render Blueprints make it easy for anyone on your team to spin up an MCP server with the same configurations in no time.
On the identity side, the MCP authorization specification defines a map for securing your server:
OAuth 2.1 with PKCE as the underlying framework
A dedicated authorization server with discovery endpoints and well-known URIs for each MCP server
Authorization Server Metadata for clients to locate token and authorization endpoints
Protected Resource Metadata hosted at the correct path
Support for Dynamic Client Registration (DCR), manual registration, and/or Client ID Metadata Documents (CIMD)
However, what the spec provides is a shape for securing MCP, not a production-ready implementation of it. Descope closes this gap, with every piece of the auth spec handled out of the box. But beyond ensuring protocol compliance, Descope enables consent flows, user and tenant-level scopes, and granular access control policies.
Descope Connections store and rotate the third-party OAuth tokens and API keys that your MCP tools need when they call external services, while detailed audit logs capture every authentication event, consent grant, and tool access.
Descope treats AI agents as first-class identities, which means the same project handles human auth, agent auth, and the delegation relationship between them through a single orchestration layer. With Descope, you can add fully spec-compliant MCP auth in less than 5 lines of Python, with a unified control plane to audit and manage agentic identities.
Deploying on Render means there’s a natural growth path from experimentation to production. Render handles scaling, custom domains, and infrastructure-as-code, while Descope manages scope issuance, enforcement, and access policies applicable to any attribute of the user or MCP client. It’s everything you need to go from your first MCP server to the #1 app on the ChatGPT App Store.
Try it yourself
This template is your foundation for a production-ready, securely hosted MCP server.
Fork the template, spin up a free project in Descope, connect it to Render, and your secured MCP server will be live in minutes.
Want to learn more about Descope? Talk with an auth expert to see how Descope can secure your next agentic project, join our AuthTown dev community to connect with like-minded builders, or explore the Agentic Identity Hub to see more AI use cases in action.
