Skip to content

Restructure vMCP authentication docs around scenarios#1023

Merged
danbarr merged 4 commits into
mainfrom
restructure-vmcp-auth-docs
Jul 9, 2026
Merged

Restructure vMCP authentication docs around scenarios#1023
danbarr merged 4 commits into
mainfrom
restructure-vmcp-auth-docs

Conversation

@danbarr

@danbarr danbarr commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Description

Continues the auth-docs restructure from #1014 (which did the Kubernetes side), now applied to the vMCP authentication docs. Same goal: lead with scenarios instead of an approach-by-approach enumeration, split the oversized page, and re-validate every field against the authoritative CRD schemas.

Highlights:

  • Splits the 1,009-line guides-vmcp/authentication.mdx into a scenario-first entry point plus a dedicated embedded-auth-server-vmcp.mdx deep-dive, mirroring the Kubernetes embedded-auth-server-k8s.mdx sibling. Both nest under a new "Authentication and authorization" sidebar category.
  • Adds a "Choose a backend authentication pattern" decision table that routes the reader to the right outgoing strategy, and separates the strategies that require the embedded auth server (upstream injection, token exchange with subjectProviderName, XAA) from the standalone ones.
  • Re-validates against the CRD schemas and documents surface that was previously missing: passthroughHeaders, outgoingAuth.default, oidcConfigRef resourceUrl/scopes, AWS STS backend auth, and vMCP Cedar authorization via authzConfig/authzConfigRef. Adds an enterprise admonition for the Entra obo type and a one-liner for unauthenticated.
  • Adds three mermaid diagrams showing how the resources reference each other: a two-boundary overview, an entry-page resource graph (including that each backend has its own auth surface, and that MCPServerEntry backends have no oidcConfigRef of their own), and an embedded-page diagram of the issuer / providerName string matches that trip people up.
  • Surfaces the least-privilege angle of backend auth (mint a scoped token rather than forwarding the user's full credential), and treats MCPServerEntry as a first-class remote-SaaS backend shape since vMCP is its only consumer.
  • Fixes inbound links in concept, Kubernetes, and integration docs that pointed at the moved or renamed anchors.

Verification: full editorial pass by an independent review agent (fresh context, no visibility into the rest of this work) checking IA, clarity, and style-guide compliance, with findings addressed. All YAML examples across both pages were dry-run validated against a live cluster's CRDs (the one exception is the XAA block, which is correct per the authoritative auto-generated schema but fails on the local demo cluster whose operator predates the xaa field). Site builds with no broken links or anchors.

Type of change

  • Documentation update
  • Navigation/structure change

Related issues/PRs

Continuation of #1014 (Kubernetes auth restructure). Same auth-docs audit effort.

Screenshots

N/A. No UI changes; the new sidebar category and mermaid diagrams are described above and visible in the Vercel preview.

Submitter checklist

Content and formatting

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

Navigation

  • New pages include a frontmatter section with title and description at a minimum
  • Sidebar navigation (sidebars.ts) updated for added, deleted, reordered, or renamed files
  • N/A - no page slugs changed; authentication.mdx keeps its URL and embedded-auth-server-vmcp.mdx is a new URL, so no vercel.json redirects are needed

Reviewer checklist

Content

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

danbarr and others added 3 commits July 9, 2026 09:14
Split the 1009-line authentication.mdx into a scenario-first entry
point plus a dedicated embedded-auth-server-vmcp.mdx deep-dive,
mirroring the Kubernetes auth restructure. Both nest under a new
"Authentication and authorization" sidebar category.

The entry point leads with a "Choose a backend authentication
pattern" decision table and covers incoming auth, authorization, and
the standalone backend strategies. The embedded auth server page holds
the strategies that depend on it (upstream injection, token exchange
with subjectProviderName, XAA) plus the complete example.

Re-validate against the CRD schemas and document previously missing
surface: passthroughHeaders, outgoingAuth.default, oidcConfigRef
resourceUrl/scopes, AWS STS backend auth, and vMCP Cedar authorization
via authzConfig/authzConfigRef. Cross-link the full AWS STS tutorial.

Fix inbound links in concept, K8s, and integration docs that pointed
at moved or renamed anchors. All YAML dry-run validated against a live
cluster; site builds with no broken links.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add two mermaid diagrams and tighten the existing one:

- "How the resources connect" on the entry page, showing the backend's
  own oidcConfigRef and the shared MCPExternalAuthConfig referenced
  inline or via discovery.
- "How the references link by name" on the embedded auth server page,
  showing the issuer and providerName/subjectProviderName string
  matches that trip people up.
- Simplify the two-boundary diagram (boundary labels become subgraph
  titles, collapse the backend API boxes into one).
- Convert the stacked "non-standard provider responses" tips into prose
  subsections, and note the backend-linkage rules apply to the embedded
  strategies too.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
From an independent editorial pass:

- Elevate MCPServerEntry as a first-class backend shape. "How the
  resources connect" now contrasts ToolHive-managed backends (own
  oidcConfigRef) with remote MCPServerEntry pointers (no oidcConfigRef;
  the remote validates), the diagram shows both, and the upstream
  injection section adds a remote-SaaS MCPServerEntry example since that
  is its typical use.
- Match cross-link text to the "Authentication and authorization" page
  title.
- Replace a spaced double-hyphen with a semicolon.
- Trim the duplicated passthroughHeaders precedence explanation to a
  pointer, keeping the full version in its own section.
- Reword the front-matter description ("backend auth" ->
  "backend authentication").

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 9, 2026 18:14
@vercel

vercel Bot commented Jul 9, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs-website Ready Ready Preview, Comment Jul 9, 2026 6:31pm

Request Review

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR continues the scenario-first authentication docs restructure for Virtual MCP Server (vMCP), splitting embedded-auth-server content into a dedicated deep-dive page, reorganizing navigation under a new “Authentication and authorization” category, and updating cross-doc links to the new locations.

Changes:

  • Reorganizes the vMCP auth docs into an entry-point page plus a new embedded-auth-server-vMCP deep-dive.
  • Updates the vMCP sidebar structure to group auth docs under a dedicated category.
  • Fixes inbound links/anchors across integrations and concepts to point at the new pages/sections.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
sidebars.ts Adds an “Authentication and authorization” category under vMCP and nests the new embedded-auth page beneath it.
docs/toolhive/integrations/vmcp-okta.mdx Updates the embedded-auth-server link to the new vMCP embedded auth server page/anchor.
docs/toolhive/integrations/vmcp-entra-id.mdx Updates the embedded-auth-server link to the new vMCP embedded auth server page/anchor.
docs/toolhive/guides-vmcp/embedded-auth-server-vmcp.mdx Introduces a new dedicated deep-dive page for the vMCP embedded authorization server.
docs/toolhive/guides-vmcp/configuration.mdx Updates link text/anchor to the renamed “Backend authentication” section.
docs/toolhive/guides-vmcp/authentication.mdx Restructures the page around incoming auth, authorization, and backend auth, with updated diagrams and strategy guidance.
docs/toolhive/guides-k8s/remote-mcp-proxy.mdx Updates a link to the new “Backend authentication” anchor in the vMCP auth page.
docs/toolhive/guides-k8s/embedded-auth-server-k8s.mdx Updates the vMCP embedded-auth-server cross-link to point to the new dedicated page.
docs/toolhive/concepts/vmcp.mdx Updates the embedded-auth-server setup link to the new dedicated vMCP page.
docs/toolhive/concepts/embedded-auth-server.mdx Updates links/anchors for vMCP embedded-auth-server strategies to the new dedicated vMCP page.

Comment thread docs/toolhive/guides-vmcp/authentication.mdx
Comment thread docs/toolhive/guides-vmcp/authentication.mdx Outdated
Comment thread docs/toolhive/guides-vmcp/authentication.mdx
- Use a unique URL-like audience in the first OIDC example instead of
  the generic "vmcp", matching the uniqueness guidance below it.
- Standardize the passthrough header example on X-API-Key casing.
- Trim the Next steps list to three links (the IdP overview is already
  linked earlier on the page).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@danbarr danbarr merged commit 53c6357 into main Jul 9, 2026
10 checks passed
@danbarr danbarr deleted the restructure-vmcp-auth-docs branch July 9, 2026 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants