Authplane is a self-hosted OAuth 2.1 + MCP Authorization (spec 2025-11-25) server delivered as a single Go binary. For the product pitch, see the root README.
```mermaid
flowchart LR
    R[Root README<br/>the curious]
    S[Search<br/>'MCP auth threat model'<br/>'helm authplane']
    L[Peer link]
    R --> E[Evaluator]
    R --> B[Builder]
    R --> O[Operator]
    R --> A[Architect]
    S --> A
    S --> O
    L --> A
    C[Contributor<br/>arrives via CONTRIBUTING] --> Cn[docs/contribute/]
```
If none of the lanes below fit, jump to Reference or the Glossary.
For someone shopping for an MCP authorization solution who wants enough context to decide whether to dig deeper — before getting into RFCs, topology trade-offs, or SDK code. Target time: 5–15 minutes.
| Question | Where to look |
|---|---|
| What problem does Authplane solve? | What is Authplane? — 60-second overview |
| What does the network look like? | Topology decision tree — picks a deployment shape from your constraints |
| When should I use Authplane (and when not)? | Threat model + Broker vs Mint — the two scope decisions |
| What SDKs exist today? | Root README → SDKs — Go, TypeScript, Python with package names and version |
| What's production-shaped vs roadmap? | Root README → Status & roadmap — what's stable, what's WIP |
| What can I run in 15 minutes? | Quickstart → tier-01 retrofit (Python · TypeScript · Go) |
Convinced? Pick a deeper lane below. Still evaluating? The Architect lane goes one click deeper without leaving theory.
For developers adding Authplane to an MCP server or agent.
| Get started fast | Go deeper |
|---|---|
| Quickstart — 5-min Docker setup | Tutorial: your first MCP server |
| Examples (3 languages x 4 tiers + retrofit) — Python · TypeScript · Go, runnable | Integrate guides |
| Retrofit existing MCP server — before/after diff, all 3 langs | Connect an MCP Server guide |
| Upstream providers (GitHub, Slack, ...) | |
| Federation (Okta, Entra ID, ...) | |
Recommended reading order: Quickstart -> your-language tier-01 example (Python · TypeScript · Go) -> the integrate guide for your stack -> tier-02/03/04 if you need to call another resource, add DPoP + per-tool scopes, or front a Broker upstream.
For SREs deploying and running Authplane.
Concept-level grounding: Threat model, Token design internals.
For evaluators picking a topology + understanding the trust model.
| Mental model | Decisions |
|---|---|
| What is Authplane | Topology decision tree |
| Resources and scopes | Broker vs Mint |
| Tokens and claims | Identity and federation |
| Architecture | Threat model |
| Glossary | Reference: HTTP API |
For developers extending authserver.
- Repo tour — what lives where
- Hexagonal layers — where to put your code
- Add an upstream provider — brokerproto Registry recipe
- Add a grant type
- Coding conventions
- Running tests
- Release process
- `AGENTS.md` — deterministic in-repo workflow (read this first when cloning).
- `llms.txt` — root-level link map following the llmstxt.org convention, for agents operating from web docs.

- `reference/cli.md` — every CLI command + flag (generated)
- `reference/http-api.md` — every endpoint + DTO (generated)
- `reference/env-vars.md` — every `AUTHPLANE_*` env var (generated)
- `reference/configuration.md` — every YAML key (generated)
- `reference/audit-events.md` — every audit action and its detail keys
- `reference/metrics.md` — every Prometheus / OTel instrument
- `reference/mcp-client-compatibility.md` — tested MCP clients
- `reference/mcp-streamable-http.md` — the wire-level MCP handshake (3 POSTs, headers, 4xx responses)
- `reference/flows.md` — pointer index for OAuth / MCP flows
- `reference/compliance.md` — RFC compliance matrix
- `reference/error-codes.md` — error code catalog