A bare MCP server is running. The backend API key is already provisioned on the server. There's no user identity in front of it — anyone who reaches the URL can approve a $250k loan.
Section 1 · MCP server auth
Clients authenticate to Descope, then connect to loan-ops-mcp with a scoped JWT. The server validates every call; tools pull downstream credentials from the Connections Vault.
Step 1 — bare MCP: Claude Desktop connects straight to loan-ops-mcp with no auth. The call runs through to the Loan System with no token validation, no scope checks, and no Descope in the path.