Authorize Access to MCP Server with DCR Proxy

Estimated time: 15–20 minutes

What You Will Build

In this guide, you will configure Mekarge A3 to authorize MCP Tools on an MCP Server using Streamable HTTP as the transport layer.

In this guide, the MCP Host application does not directly perform the OAuth token exchange. Mekarge A3 is designed around predefined OAuth Clients. However, MCP Hosts such as VSCode may dynamically register themselves using Dynamic Client Registration (DCR). To bridge this difference, a DCR-capable proxy acts as an intermediary backend. The proxy dynamically registers Clients and securely manages OAuth tokens on behalf of the MCP Host. This architecture is useful when third-party MCP applications cannot securely store Client credentials.

Such proxy functionality can run as a separate node or be embedded into the MCP Server; this document follows the embedded option.

At the end of this tutorial:

  • VSCode will connect to an MCP Server to use tools available only to the User

Quick Concepts

Client: Represents the VSCode application
Resource: Represents a protected MCP Server
Scope: Represents a specific type of access on an MCP Server
Role: Determines which Client Permissions are available to Users
User Group: Groups Users and assigns Roles
Data Source: Stores User credentials and details
Context: Represents a specific subset of MCP functionality or data
Context Visibility: Controls which Contexts a Client can access after authentication

Read more about Architecture and Concepts in Mekarge A3 documentation.

Prerequisites

Quick Start Steps

  • Set Up Environment
  • ⚠ Notes

    Ensure RSASSA-PKCS1-v1_5 using SHA-256 is set as the Access Token Signing Algorithm type

Tooling

  • git to clone the example repo
  • VSCode to connect and test MCP Server

Language Tooling

  • Python 3.x to run the web application
  • pip to install the dependencies

Setup Resources, Scopes & Contexts

  • Sign in to Mekarge A3 Console

1 Create API Resource

  1. Navigate to Authorization → Resources → Create
  2. Click Create under the MCP Server tile
  3. Name the new Resource (i.e. My MCP)
  4. Set http://127.0.0.1:8000/mcp for Resource URI
  5. Select a lifetime for Access Tokens issued for this Resource (i.e. 3600)
  6. Click Create
  7. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if the Resource URI is already taken

2 Add Scopes

  1. Navigate to Authorization → Resources
  2. Click at the end of the newly created row and select View Details
  3. Navigate to Scopes tab
  4. Set mcp:call for Scope Name and click Create
  5. 💡 Hints: Fixed values come from the constants defined in the MCP Server
    ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if the same Scope Name is already in use

3 Add Context

  1. Navigate to Contexts tab
  2. Set operation for Context Attribute Key
  3. 💡 Hints: Fixed values come from the constants defined in the MCP Server
  4. Set addition for Context Attribute Value and click Create
  5. 💡 Hints: Fixed values come from the constants defined in the MCP Server
    ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if the same Context Attribute Key & Value pair is already in use

4 Create Role

  1. Navigate to Authorization → Roles → Create
  2. Name the new Role (i.e. basic)
  3. Click Create
  4. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if the Role Name is already taken

Setup Data Sources & Users

5 Create Data Source

  1. Navigate to Authentication → Data Sources → Create
  2. Click Create under the Hosted Database Data Source
  3. Name the new Data Source (i.e. My DB) and an Alias (i.e. db)
  4. Pick lifetime for ID Tokens for the Users defined in this Data Source (i.e. 86400)
  5. Click Create
  6. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if the Data Source Alias is already taken

6 Create User Group

  1. Navigate to Authentication → User Groups → Create
  2. Name the new User Group (i.e. users)
  3. Click Create
  4. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if the User Group Name is already taken
  5. Navigate to Authentication → User Groups
  6. Click at the end of the newly created row and select View Details
  7. Navigate to Roles tab
  8. Select the Role basic created in the previous steps and click Add

7 Create User

  1. Navigate to Authentication → Users → Create
  2. Select the User Group (i.e. users) created in the previous steps
  3. Select E-Mail as User Login Type
  4. Set an E-Mail address (i.e. johndoe@test.com) as User Login Identifier
  5. Set a Password (i.e. secret) as User Password
  6. Set en for Default Locale
  7. Click Create
  8. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if a User with the same User Login Identifier is already defined

Setup Login Page

8 Create UI Collection

  1. Navigate to User Interface → UI Collections → Create
  2. Name the new Collection (i.e. default)
  3. Click Create
  4. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if the Collection Name is already taken

9 Create Login Page

  1. Navigate to User Interface → Web Components → Create
  2. Click Create under the Login Page Component
  3. Select the UI Collection (i.e. default) created in the previous steps
  4. Set en for Locale and click Create
  5. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if a Login Page with the en Locale is already defined
  6. Navigate to User Interface → Web Components
  7. Click at the end of the newly created row and select View Details
  8. Click Heading Variables tab on the second section
  9. Change Heading (i.e. MCP Demo) and click Publish at the end of the page

Setup Client

10 Create Client

This Client represents the DCR-capable MCP proxy rather than the dynamically registered MCP Host itself.

  1. Navigate to Authorization → Clients → Create
  2. Click Create under the MCP Host Application Type
  3. Name the new Client (i.e. Proxy Client)
  4. Select Post (Http Body) as Client Authentication Type
  5. Click Create
  6. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
  7. Navigate to Authorization → Clients
  8. Click at the end of the newly created row and select View Details
  9. Navigate to Features tab
  10. Activate Enable PKCE and click Update
  11. 💡 Hints: Activate Enable PKCE to improve the security of Authorization Code flows involving User Agents. Read more about PKCE in RFC 7636.
  12. Navigate to Redirections tab
  13. Navigate to Loopback Redirection URL tab on the first section
  14. Select 127.0.0.1 for Loopback IP Literal
  15. 💡 Hints: Select [::1] if your loopback IP interface is IPv6. You can also repeat this step and the next step for both IPv4 and IPv6 if you're not sure.
  16. Set auth/callback for Path Component and click Add
  17. Navigate to Permissions tab
  18. Select the Resource (i.e. My MCP) → Select the Scope mcp:call → Click Grant
  19. Click the edit icon at the end of the newly created row that will appear at the Permission List section
  20. Select the Role (i.e. basic) created in the previous steps and click Add
  21. Click Back To Client
  22. Navigate to Context Visibility tab
  23. Select the Resource (i.e. My MCP) → Select the Context operation addition → Click Grant
  24. Click the edit icon at the end of the newly created row that will appear at the Permission List section
  25. Select the Role (i.e. basic) created in the previous steps and click Add
  26. Click Back To Client
  27. Navigate to Data Sources tab
  28. Select the Data Source (i.e. My DB) created in the previous steps and click Select
  29. Navigate to UI Collections tab
  30. Select the UI Collection (i.e. default) created in the previous steps and click Select

Clone MCP Server Repository

11 Clone Repository

  1. Run the following command to clone the Reference Implementation for the MCP Server

git clone https://github.com/mekargeoss/a3-ri-mcp-server-python.git

12 Install Dependencies

  1. Run the following commands to install dependencies

cd a3-ri-mcp-server-python
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

Configure MCP Server

13 Populate the .env File

  1. Navigate to Environments
  2. Click at the end of the current Environment and select View Details
  3. Copy the Issuer Path from Environment Info section to set ISSUER_PATH
  4. Navigate to Authorization → Clients
  5. Click at the end of the previously created row and select View Details
  6. Copy the Client ID from Client Credentials section to set CLIENT_ID
  7. Copy the Client Secret from Client Credentials section to set CLIENT_SECRET

ISSUER_PATH=
CLIENT_ID=
CLIENT_SECRET=

Run MCP Server

14 Start Server

  1. Run the following command to start the server

python -m app.main

Start VSCode Chat

15 VSCode Add MCP Server

  1. Start VSCode application
  2. Open the Command Palette and select MCP: Add Server
  3. Select Http (HTTP or Server-Sent Events) from the drop-down menu
  4. Write http://127.0.0.1:8000/mcp in the input box and press Enter
  5. Name the MCP Server (i.e. My MCP) and press Enter
  6. Accept the dialog to start authorization flow
  7. Accept the consent screen
  8. Use the E-Mail address and Password used while creating the User to log in

16 VSCode Chat

  1. Try prompts such as What can you do using My MCP?
  2. 💡 Hints: You might need to complete your VSCode setup to use Copilot chat.

Summary

What Happened?

After adding the MCP Server to VSCode:

  1. VSCode dynamically registered itself with the DCR-enabling MCP Server
  2. The DCR-enabling MCP Server started the authorization flow
  3. The browser was redirected to Mekarge A3
  4. The user authenticated using the Hosted Database
  5. Mekarge A3 issued an ID Token and an Access Token
  6. The Proxy MCP Server bound tokens to the session established with the dynamic client.
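The proxy's bookkeeping for steps 1, 2 and 6 above, together with the PKCE S256 transform enabled on the Client in step 10, as an added sketch; it is not code from the reference implementation. The class and method names, the loopback-only registration policy and the proxy callback URL passed to the constructor are assumptions for illustration.

```python
import base64, hashlib, secrets
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1"}  # the loopback literals offered in step 10

def s256(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class DcrProxy:
    """Hypothetical in-memory sketch: many dynamic clients, one predefined Client."""

    def __init__(self, upstream_client_id: str, proxy_callback: str):
        self.upstream_client_id = upstream_client_id  # CLIENT_ID from .env
        self.proxy_callback = proxy_callback          # assumed proxy callback URL
        self.clients = {}   # dynamic client_id -> set of registered redirect URIs
        self.pending = {}   # upstream state -> flow record, consumed exactly once

    def register(self, metadata: dict) -> dict:
        """RFC 7591-style registration; assumed policy: loopback http redirects only."""
        uris = metadata.get("redirect_uris") or []
        if not uris:
            raise ValueError("redirect_uris is required")
        for uri in uris:
            parts = urlsplit(uri)
            if parts.scheme != "http" or parts.hostname not in LOOPBACK_HOSTS:
                raise ValueError(f"redirect_uri not allowed: {uri}")
        client_id = secrets.token_urlsafe(16)
        self.clients[client_id] = set(uris)
        return {"client_id": client_id, "redirect_uris": list(uris)}

    def start_authorization(self, client_id: str, redirect_uri: str, host_state: str) -> dict:
        """Return the query parameters for the upstream authorization request."""
        if redirect_uri not in self.clients.get(client_id, set()):
            raise PermissionError("unknown client or unregistered redirect_uri")
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.pending[state] = {"client_id": client_id, "redirect_uri": redirect_uri,
                               "host_state": host_state, "code_verifier": verifier}
        return {"response_type": "code", "client_id": self.upstream_client_id,
                "redirect_uri": self.proxy_callback, "scope": "mcp:call", "state": state,
                "code_challenge": s256(verifier), "code_challenge_method": "S256"}

    def finish_authorization(self, state: str) -> dict:
        """Look up the flow on callback; a forged or replayed state is rejected."""
        try:
            return self.pending.pop(state)
        except KeyError:
            raise PermissionError("unknown or reused state") from None
```

The dynamic client only ever sees its own client_id; the predefined Client's credentials and the upstream code_verifier stay inside the proxy.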

Key Takeaways

  • Context Visibility connects a Client to a Resource Context.
  • Roles determine which authenticated users are allowed to use Permissions and Context Visibility.
  • Scopes define high-level API capabilities, while Contexts define narrower subsets of functionality or data exposed within those capabilities.

Next Explorations

  • Try adding another Context with key operation and value multiplication. Grant the new Context to the Client. Assign Context Visibility to the existing Role. Observe the available MCP tools after forcing a relogin.