# AuthPlane

> AuthPlane is the self-hosted authorization server for the Model Context Protocol (MCP).
> One Go binary implementing OAuth 2.1 and the MCP Authorization spec (2025-11-25) end to end:
> JWT access tokens (RFC 9068), PKCE S256, DPoP (RFC 9449), Token Exchange (RFC 8693),
> Token Vault for upstream provider credentials, XAA/ID-JAG enterprise federation,
> dynamic client registration (RFC 7591) and CIMD, audit logging, OpenTelemetry.
> Open source under AGPL-3.0. AuthPlane EE (self-hosted enterprise) and AuthPlane Cloud (managed SaaS, coming soon) round out the family.

## Getting started

- What is AuthPlane: https://authplane.ai/docs
- Quickstart (docker run, 5 min): https://authplane.ai/docs/quickstart
- How It Works (flows, CIMD, PKCE, JWT verification): https://authplane.ai/docs/how-it-works

## Concepts

- Resources & Scopes: https://authplane.ai/docs/concepts/resources-and-scopes
- Token Vault — Mint vs Broker: https://authplane.ai/docs/concepts/token-vault
- Agents & Delegation (act chains): https://authplane.ai/docs/concepts/agent-delegation
- Deployment Topologies: https://authplane.ai/docs/concepts/topologies

## SDK integrations

- Python (FastMCP): https://authplane.ai/docs/integrations/fastmcp
- TypeScript: https://authplane.ai/docs/integrations/typescript-sdk
- Go: https://authplane.ai/docs/integrations/go-sdk

## Upstream providers (Token Vault)

- Connect Providers (GitHub, Google, Slack, Notion, Linear, Atlassian, generic OAuth2): https://authplane.ai/docs/providers/overview
- GitHub end to end: https://authplane.ai/docs/providers/github

## Deployment

- Docker & docker-compose: https://authplane.ai/docs/deployment/docker
- Kubernetes & Helm: https://authplane.ai/docs/deployment/kubernetes
- Configuration (AUTHPLANE_* env vars): https://authplane.ai/docs/deployment/configuration
- Observability (Prometheus + OpenTelemetry): https://authplane.ai/docs/deployment/observability

## Reference

- API endpoints: https://authplane.ai/docs/reference/api
- Standards & RFC matrix: https://authplane.ai/docs/reference/rfcs
- Security posture & disclosure: https://authplane.ai/docs/reference/security

## Project

- Website: https://authplane.ai
- Product page: https://authplane.ai/mcp-auth
- Pricing: https://authplane.ai/pricing
- GitHub: https://github.com/authplane/authserver
- Server-side llms.txt (repo link map): https://github.com/authplane/authserver/blob/main/llms.txt
- Documentation: https://authplane.ai/docs
- Blog: https://authplane.ai/blog
- Discord: https://discord.gg/authplane

## Blog highlights

- Cross-App Access — why enterprise MCP needs IdP-mediated authorization: https://authplane.ai/blog/cross-app-access-enterprise-mcp-authorization
- OAuth 2.1 + PKCE is the only right way to secure MCP: https://authplane.ai/blog/why-mcp-needs-oauth-21-pkce
- What we saw when teams shipped MCP without auth: https://authplane.ai/blog/what-happens-without-mcp-auth
- Reading RFC 9728 so you don't have to: https://authplane.ai/blog/reading-rfc-9728-protected-resource-metadata