Forem: Akshay Parihar The latest articles on Forem by Akshay Parihar (@akshay_parihar_155e8c3038). https://forem.com/akshay_parihar_155e8c3038 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3414131%2F4880cd63-47fb-4942-9d1c-50e15e9c68bb.jpg Forem: Akshay Parihar https://forem.com/akshay_parihar_155e8c3038 en How we built our own MCP server in 4 simple steps Akshay Parihar Tue, 05 Aug 2025 14:27:42 +0000 https://forem.com/akshay_parihar_155e8c3038/how-we-built-our-own-mcp-server-in-4-simple-steps-4edo https://forem.com/akshay_parihar_155e8c3038/how-we-built-our-own-mcp-server-in-4-simple-steps-4edo <h2> Building an MCP server: from concept to secure AI interactions </h2> <p>Six months ago, MCP (Model Context Protocol) wasn’t even in most developers’ vocabulary. There was no standard approach to exposing tools to AI agents. But as AI evolved from simple chatbots to powerful assistants capable of real-world tasks, secure and structured interactions quickly became essential.</p> <p>At Scalekit, we built our own MCP server, and this is how we went about it.</p> <h3> Why streaming mattered </h3> <p>Before writing any authentication logic, we had to decide how to stream responses to AI agents. This choice shaped how responses were structured and how agents parsed them.</p> <ul> <li> <strong>Server-Sent Events (SSE)</strong>: Reliable and simple, but limited.</li> <li> <strong>HTTP Streamable</strong>: Flexible, supports structured JSON, and better for complex interactions.</li> </ul> <p>We chose HTTP Streamable for its ability to handle richer, multi-step outputs.</p> <h3> Step 1: Build simple tools first </h3> <p>We started with a few straightforward tools, each with:</p> <ul> <li>A clear name and description</li> <li>Defined access scopes</li> <li>A simple <code>run()</code> function</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span><span class="dl">"</span><span class="s2">list_environments</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">List all environments accessible by the current user</span><span class="dl">"</span><span class="p">,</span> <span class="na">run</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">userId</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">envs</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getEnvsForUser</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="nx">envs</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">env</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">env</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2"> (</span><span class="p">${</span><span class="nx">env</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">)`</span> <span class="p">}))</span> <span class="p">};</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>We validated inputs with Zod schemas:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">org_id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">org_</span><span class="dl">'</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>Tools were registered centrally for clarity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">export</span> <span class="kd">function</span> <span class="nf">registerTools</span><span class="p">(</span><span class="nx">server</span><span class="p">:</span> <span class="nx">McpServer</span><span class="p">){</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span><span class="dl">"</span><span class="s2">create_organization</span><span class="dl">"</span><span class="p">,</span> <span class="nx">createOrgTool</span><span class="p">);</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span><span class="dl">"</span><span class="s2">list_environments</span><span class="dl">"</span><span class="p">,</span> <span class="nx">listEnvsTool</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2: Security and access control from day one </h3> <p>Every tool had explicit scopes to define access clearly. Using OAuth 2.1 and protected resource metadata allowed agents to discover required scopes programmatically. Here’s what we ensured:</p> <ul> <li>Every tool should be explicitly scoped</li> <li>Every request should be traceable to who (or what) triggered it</li> <li>And no tool should be callable without being deliberately authorized</li> </ul> <h3> Step 3: Secure your server with OAuth in four steps </h3> <ol> <li> <strong>Issue OAuth tokens</strong>: Use client credentials for machine-to-machine access.</li> <li> <strong>Validate JWT tokens</strong> on every request: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">claims</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">verifyToken</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> </code></pre> </div> <ol> <li> <strong>Expose protected resource metadata</strong> so agents can discover available scopes: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight perl"><code><span class="nv">GET</span> <span class="sr">/.well-known/oau</span><span class="nv">th</span><span class="o">-</span><span class="nv">protected</span><span class="o">-</span><span class="nv">resource</span> </code></pre> </div> <p>This returns a JSON document that gives the client the required information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">const</span> <span class="nx">metadata</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">resource</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://mcp.scalekit.com</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">authorization_servers</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">https://mcp.scalekit.com/.well-known/oauth-authorization-server</span><span class="dl">"</span> <span class="p">],</span> <span class="dl">"</span><span class="s2">bearer_methods_supported</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">header</span><span class="dl">"</span> <span class="p">],</span> <span class="dl">"</span><span class="s2">resource_documentation</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://docs.scalekit.com</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">scopes_supported</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">wks:read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">wks:write</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">env:read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">env:write</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">org:read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">org:write</span><span class="dl">"</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <ol> <li> <strong>Enforce scope-based access control</strong> for each tool: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">claims</span><span class="p">.</span><span class="nx">scope</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">org:write</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Missing required scope: org:write</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Validate with real AI agents </h3> <p>We tested with agents like Claude Desktop, Windsurf, and ChatGPT via MCP SuperAssistant, using <code>mcp-remote</code> to bridge connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx mcp-remote https://mcp.example.com/sse </code></pre> </div> <p>This surfaced issues like scope mismatches and unclear parameters early.</p> <h3> Developer tip: use a debugging sidekick </h3> <p>Tools like MCP Inspector display registered tools, input schemas, and scopes, allowing quick manual tests without a full agent session.</p> <p>If you’d like a deep dive into the process, <a href="https://www.scalekit.com/blog/building-our-mcp-server-a-developers-journey" rel="noopener noreferrer">read the full guide on building MCP servers</a>.</p> <h3> Your turn </h3> <p>Have you built an MCP server? What are the challenges you faced? Let me know in the comments 👇</p> mcp oauth ai webdev