Skip to content

content: Add Descope under Integrations / Authentication & identity#619

Merged
artberger merged 9 commits into
agentgateway:mainfrom
joshwertheim:add-descope-to-auth-integrations
Jul 6, 2026
Merged

content: Add Descope under Integrations / Authentication & identity#619
artberger merged 9 commits into
agentgateway:mainfrom
joshwertheim:add-descope-to-auth-integrations

Conversation

@joshwertheim

Copy link
Copy Markdown
Contributor

Summary

Add Descope under Integrations -> Authentication & Identity for both latest and main.

Testing

Started up the local dev server as described under the README and confirmed the doc renders and Descope is now included in the index for that page as shown:

image

@joshwertheim joshwertheim force-pushed the add-descope-to-auth-integrations branch from 3174bb6 to 9685937 Compare June 16, 2026 22:07
policies:
mcpAuthentication:
mode: strict
issuer: https://api.descope.com/<YOUR_PROJECT_ID>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issuer would be the MCP server Issuer and not this format right?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, good catch!

exposeHeaders: ["Mcp-Session-Id"]
mcpAuthentication:
mode: strict
issuer: https://api.descope.com/<YOUR_PROJECT_ID>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question as below

mcpAuthentication:
mode: strict
issuer: https://api.descope.com/<YOUR_PROJECT_ID>
audiences: [<YOUR_AUDIENCE>]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be the audience of the resource correct?


3. Create an application or flow that issues access tokens with the appropriate audience and scopes for your use case.

4. For machine-to-machine access, create an access key under **Access Keys** in the console.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should use Inbound Apps or Clients, as opposed to using Access Keys here.


```bash
curl -X POST \
https://<your-descope-base-url>/oauth2/v1/apps/token/oauth2/v1/apps/token \

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a duplicated URL, it should be https://<your-descope-base-url>/oauth2/v1/apps/token

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack!

-d "grant_type=client_credentials" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" \
-d "scope=..."

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can also include audience here as well (which should be the audience of the MCP resource you're connecting to)

exposeHeaders: ["Mcp-Session-Id"]
mcpAuthentication:
mode: strict
issuer: https://api.descope.com/<YOUR_PROJECT_ID>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same point as below.

jwks:
url: https://api.descope.com/<YOUR_PROJECT_ID>/.well-known/jwks.json
resourceMetadata:
resource: http://localhost:3000/mcp

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be the MCP server URL, not always localhost:3000/mcp?


3. Create an application or flow that issues access tokens with the appropriate audience and scopes for your use case.

4. For machine-to-machine access, create an access key under **Access Keys** in the console.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should link to docs on these various features as well.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should also mention the plugin as well.

@gaokevin1 gaokevin1 Jun 18, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image

Add Descope as a reference here: https://agentgateway.dev/docs/standalone/latest/mcp/mcp-authn/#idp

Also add a guide under here, including references to Descope: https://agentgateway.dev/docs/kubernetes/latest/mcp/auth/about/#supported-idps

@joshwertheim joshwertheim force-pushed the add-descope-to-auth-integrations branch 2 times, most recently from ed00b75 to 9a1b3b3 Compare June 19, 2026 04:37
@joshwertheim joshwertheim marked this pull request as ready for review June 19, 2026 04:38
mcpAuthentication:
mode: strict
issuer: <YOUR_ISSUER_URL>
audiences: [https://<YOUR_MCP_SERVER_URL>/mcp]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
audiences: [https://<YOUR_MCP_SERVER_URL>/mcp]
audiences: [<YOUR_MCP_SERVER_URL>]

### Using the token

```bash
curl https://<YOUR_MCP_SERVER_URL>/mcp \

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
curl https://<YOUR_MCP_SERVER_URL>/mcp \
curl https://mcp.example.com/mcp \


- `<YOUR_ISSUER_URL>`: Copy this from the Descope Console under your **Inbound Apps** → **App** → **Connection Information** → **Issuer**. The exact format is system-generated and varies by integration type.
- `<YOUR_PROJECT_ID>`: Found in the Descope Console under **Project Settings**. The JWKS URL always uses the project ID.
- `<YOUR_MCP_SERVER_URL>`: Your MCP server's public URL. The `audiences` value must match the `aud` claim in Descope-issued tokens, which equals your MCP server's resource URL.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `<YOUR_MCP_SERVER_URL>`: Your MCP server's public URL. The `audiences` value must match the `aud` claim in Descope-issued tokens, which equals your MCP server's resource URL.
- `<YOUR_MCP_SERVER_URL>`: Your MCP server's public URL, that typically ends in `/mcp`. The `audiences` value must match the `aud` claim in Descope-issued tokens, which equals your MCP server's resource URL.

mcpAuthentication:
mode: strict
issuer: <YOUR_ISSUER_URL>
audiences: [https://<YOUR_MCP_SERVER_URL>/mcp]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
audiences: [https://<YOUR_MCP_SERVER_URL>/mcp]
audiences: [<YOUR_MCP_SERVER_URL>]

- **Enterprise SSO** - [SAML and OIDC-based SSO](https://docs.descope.com/auth-methods/sso) for B2B use cases
- **No-code flows** - Build auth flows visually without writing backend code

## Descope MCP Server

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Descope MCP Server

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not relevant


## Descope MCP Server

Descope also offers a hosted [MCP Server](https://docs.descope.com/mcp/mcp-server) at `https://mcp.descope.com`. Connect it to your MCP client to manage your Descope project — users, tenants, flows, audit logs, and more — using natural language. No installation required.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Descope also offers a hosted [MCP Server](https://docs.descope.com/mcp/mcp-server) at `https://mcp.descope.com`. Connect it to your MCP client to manage your Descope project — users, tenants, flows, audit logs, and more — using natural language. No installation required.


## Learn more

- [Descope Inbound Apps](https://docs.descope.com/identity-federation/inbound-apps)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- [Descope Inbound Apps](https://docs.descope.com/identity-federation/inbound-apps)
- [Descope Clients](https://docs.descope.com/agentic-identity-hub/core-components/clients)

### Using the token

```bash
curl https://<YOUR_MCP_SERVER_URL>/mcp \

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
curl https://<YOUR_MCP_SERVER_URL>/mcp \
curl https://mcp.example.com/mcp \

- **Enterprise SSO** - [SAML and OIDC-based SSO](https://docs.descope.com/auth-methods/sso) for B2B use cases
- **No-code flows** - Build auth flows visually without writing backend code

## Descope MCP Server

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Descope MCP Server


## Descope MCP Server

Descope also offers a hosted [MCP Server](https://docs.descope.com/mcp/mcp-server) at `https://mcp.descope.com`. Connect it to your MCP client to manage your Descope project — users, tenants, flows, audit logs, and more — using natural language. No installation required.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Descope also offers a hosted [MCP Server](https://docs.descope.com/mcp/mcp-server) at `https://mcp.descope.com`. Connect it to your MCP client to manage your Descope project — users, tenants, flows, audit logs, and more — using natural language. No installation required.

### Supported IdPs for MCP Auth {#idp}

Agentgateway currently includes built-in support for Keycloak and Auth0 as identity providers. Other IdPs that fully comply with the OAuth 2.0 specs might also work but are not tested.{{< conditional-text include-if="kubernetes" >}} For more information, see [Supported identity providers]({{< link-hextra path="/mcp/about/#supported-idps" >}}).{{< /conditional-text >}}
Agentgateway currently includes built-in support for Keycloak and Auth0 as identity providers. Descope works via the standard resource server configuration using its JWKS endpoint as described in the [Descope integration guide]({{< link-hextra path="/integrations/auth/descope" >}}). Other IdPs that fully comply with the OAuth 2.0 specs might also work but are not tested.{{< conditional-text include-if="kubernetes" >}} For more information, see [Supported identity providers]({{< link-hextra path="/mcp/about/#supported-idps" >}}).{{< /conditional-text >}}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Agentgateway currently includes built-in support for Keycloak and Auth0 as identity providers. Descope works via the standard resource server configuration using its JWKS endpoint as described in the [Descope integration guide]({{< link-hextra path="/integrations/auth/descope" >}}). Other IdPs that fully comply with the OAuth 2.0 specs might also work but are not tested.{{< conditional-text include-if="kubernetes" >}} For more information, see [Supported identity providers]({{< link-hextra path="/mcp/about/#supported-idps" >}}).{{< /conditional-text >}}
Agentgateway currently includes built-in support for Keycloak and Auth0 as identity providers. Other IdPs that fully comply with the OAuth 2.0 specs might also work but are not tested.{{< conditional-text include-if="kubernetes" >}} For more information, see [Supported identity providers]({{< link-hextra path="/mcp/about/#supported-idps" >}}).{{< /conditional-text >}}

@gaokevin1

Copy link
Copy Markdown
Contributor

@artberger this is ready for review.

Could you please review this for us, we appreciate it!

cc @joshwertheim

@gaokevin1

Copy link
Copy Markdown
Contributor

@artberger are you the right person to tag on this? Would love to see this merged soon if possible.

@joshwertheim

Copy link
Copy Markdown
Contributor Author

Hey @artberger, sorry for the bother again but if you are a repo reviewer would you mind slotting our PR in to your schedule? Apologies, since it's not clear from the repo README who to contact for this. Thank you!

@howardjohn howardjohn left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall lgtm just one small note

cc @artberger

| Keycloak | Adapts non-standard endpoints such as JWKS certificate paths. |
| Auth0 | Uses standard well-known JWKS endpoint. |
| Auth0 | Uses standard well-known JWKS endpoint. |
| Descope | Uses standard well-known JWKS endpoint. |

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't quite accurate in the table - agentgateway can work with Descope, but agw has built in support for only auth0 and keycloak. I mean there is a literal enum auth0 in the codebase but not descope

@joshwertheim joshwertheim Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @howardjohn, thanks for taking a look! I've also been in the process of adding Descope as a provider in the main agentgateway repo. I believe with that change adding built in support, it should cover what you pointed out. Apologies for not mentioning that in the PR description! As soon as I get an internal review over here I will also mark that PR as ready for review.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want to hold the docs until Descope is a provider in the code?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@artberger yes please. looks like John approved that earlier today and it's almost merged (needed to handle DCO). Once the workflow steps are done I'd like to merge that.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, looks like that merged, so I will approve and merge this docs one. Thanks for the contribution!

@howardjohn howardjohn requested a review from artberger June 29, 2026 21:13
Comment thread content/docs/standalone/latest/integrations/auth/descope.md
Comment thread content/docs/standalone/latest/integrations/auth/descope.md
Comment thread content/docs/standalone/latest/integrations/auth/descope.md Outdated
Comment thread content/docs/standalone/latest/integrations/auth/descope.md Outdated
5. For machine-to-machine access, [create a Client](https://docs.descope.com/agentic-identity-hub/core-components/clients#creating-a-client) manually and enable the [**Client Credentials** grant type](https://docs.descope.com/agentic-identity-hub/core-components/clients#client-credentials). Note the generated **Client ID** and **Client Secret**.

## Getting a token

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This "Getting a token" section has two H3s.

  • Are these alternate paths or are they really steps that you do in order?
  • Is there another flow instead of machine-to-machine to include?
  • Typically, we try to make commands copy-paste runnable, but the curls here for example require updating a lot. Possibly these could be set as env vars

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Art. Originally I modeled that section like the docs for the other auth integrations (i.e. Auth0), but I just edited it to add clarity w.r.t. your questions. Let me know how you feel about those changes.


```bash
curl <YOUR_MCP_SERVER_URL> \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where does the access token come from? is this the output of the previous section? if so, it might be helpful to say that. It also doesn't match the <> formatting for input variables.

weight: 40
description: Integrate agentgateway with Descope for authentication and identity management
---

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

similar comments on this main file.


## Role-based authorization

Use Descope roles with agentgateway authorization:

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a step 3 after getting and using the token? do they have to do this, or is this just an option in case they want to further scope the previous config at the beginning of this doc to their existing Descope roles?

Suggested change
Use Descope roles with agentgateway authorization:
You can authorization based on your existing Descope roles, such as `Tenant Admin` in the following example.

authorization:
rules:
# Check for a specific Descope role
# - '"Tenant Admin" in jwt.roles'

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed in the descope docs that tenant roles are nested under jwt.tenants.<tenantId>.roles, whereas this just has jwt.roles.

Would it be something like this?

Suggested change
# - '"Tenant Admin" in jwt.roles'
# - '"Admin" in jwt.tenants["<YOUR TENANT ID>"].roles'

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good catch. Personally I was referencing https://docs.descope.com/management/token/jwt-templates#authorization-claims-configuration which is specifically for "Current Tenant, No Tenant Reference"; so when the tenant is omitted, then roles becomes a top-level claim.

I'm going to update this section to explain both.

@artberger

Copy link
Copy Markdown
Collaborator

@joshwertheim thanks for providing these docs, and my apologies for the late review. I left some review comments and also resolved a merge conflict. If you could also do DCO, that would be great.

@joshwertheim joshwertheim force-pushed the add-descope-to-auth-integrations branch from c7a97c4 to 7046b5e Compare July 2, 2026 02:08
joshwertheim and others added 8 commits July 1, 2026 19:10
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Co-authored-by: Art <artberger@users.noreply.github.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Co-authored-by: Art <artberger@users.noreply.github.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Co-authored-by: Art <artberger@users.noreply.github.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Co-authored-by: Art <artberger@users.noreply.github.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
@joshwertheim joshwertheim force-pushed the add-descope-to-auth-integrations branch from 7046b5e to 733eab9 Compare July 2, 2026 02:10
@artberger artberger merged commit 795d642 into agentgateway:main Jul 6, 2026
2 of 3 checks passed
@joshwertheim

Copy link
Copy Markdown
Contributor Author

thanks so much for the help @artberger

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants