Add MCP OAuth auth to Express.js (Scalekit)

Choose a mode

Ask: "Are we scaffolding a brand-new MCP server repo, or adding MCP auth into an existing Express app?"

• Mode A: New project scaffold (recommended for demos/POCs)
• Mode B: Retrofit existing Express app (recommended for real products)

Inputs to collect (ask if missing)

• Server base URL and port; confirm whether trailing slash is required for the audience (example: http://localhost:3002/)
• SK_ENV_URL, SK_CLIENT_ID, SK_CLIENT_SECRET
• PROTECTED_RESOURCE_METADATA JSON (copied from Scalekit dashboard MCP server page)
• EXPECTED_AUDIENCE (must match the Server URL registered in Scalekit)

Required outcomes

1. Public discovery endpoint: GET /.well-known/oauth-protected-resource (returns PROTECTED_RESOURCE_METADATA as JSON)
2. Public health endpoint: GET /health
3. Auth middleware: validates Authorization: Bearer , returns 401 + WWW-Authenticate with resource_metadata URL on failure
4. MCP endpoint: POST / protected by middleware, handled via MCP SDK StreamableHTTPServerTransport
5. At least one tool registered with server.tool(...)