Northwind Financial
Demo/Section 1
Section 1

MCP Auth

Lock down the MCP server you're standing up.

Northwind's platform team has built loan-ops-mcp, an MCP server exposing lookup_loan, approve_loan, and export_customer_data. Behind it sit two backends — the internal Loan System (API key) and HubSpot (OAuth). Five steps. Each one is what Descope adds.

How it fits together

The big picture. Each step below zooms into one part of this flow.

authenticatescoped JWTtokenMCP clientsClaude · ChatGPTCursor · custom agentsDescopeAgentic Identity HubOAuth 2.1 Authvalidates the JWTConnections VaultAPI keys · OAuth tokensloan-ops-mcpMCP serverlookup · approve · exportLoan SystemAPI keyHubSpotOAuth
Authenticate · scoped JWT
Downstream credential (Connections)
  1. 1
    The unprotected server
    A bare MCP call approves a loan. No auth.
    Open →
  2. 2
    SSO login & the consent
    Okta SSO. Roles arrive in the token.
    Open →
  3. 3
    Authorized clients
    Only registered AI tools can connect.
    Open →
  4. 4
    Tool-level scopes
    Roles in the JWT decide which tools each user can call.
    Open →
  5. 5
    Calling your backend APIs
    Loan System (API key) and HubSpot (OAuth), unified.
    Open →