Skip to content

Restructure backend auth docs for balanced pattern coverage#554

Open
jhrozek wants to merge 2 commits intomainfrom
backend-auth-authserver
Open

Restructure backend auth docs for balanced pattern coverage#554
jhrozek wants to merge 2 commits intomainfrom
backend-auth-authserver

Conversation

@jhrozek
Copy link
Contributor

@jhrozek jhrozek commented Feb 16, 2026

Description

The backend-auth.mdx page was heavily weighted toward token exchange while the embedded authorization server and static credentials got minimal coverage. Restructure so all three backend auth patterns get equal treatment with their own sections, diagrams, and guidance.

The restructuring also helps maintain the page separation: auth-framework.mdx focuses on client-to-MCP-server authentication, backend-auth.mdx focuses on MCP-server-to-backend authentication. The embedded authorization server spans both concerns, so each page covers its respective perspective.

Type of change

  • Documentation update

Related issues/PRs

N/A this was just me reading the docs and getting confused

Screenshots

Submitter checklist

Content and formatting

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

Reviewer checklist

Content

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

Copilot AI review requested due to automatic review settings February 16, 2026 10:46
@vercel
Copy link

vercel bot commented Feb 16, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs-website Ready Ready Preview, Comment Feb 18, 2026 10:56am

Request Review

Copilot AI reviewed Feb 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Restructures ToolHive’s backend authentication documentation to give equal coverage to three MCP-server-to-backend auth patterns, while keeping client-to-MCP-server authentication focused in auth-framework.mdx.

Changes:

  • Reorganized backend-auth.mdx into three primary backend auth patterns (static credentials, token exchange, embedded authorization server) with expanded diagrams and guidance.
  • Moved/condensed embedded authorization server details in auth-framework.mdx, linking to backend-auth.mdx for backend-token storage/forwarding specifics.
  • Updated “choosing the right model” guidance into a scenario→pattern table and refreshed related links.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
docs/toolhive/concepts/backend-auth.mdx Reframes page around three backend auth patterns and adds detailed embedded authorization server mechanics.
docs/toolhive/concepts/auth-framework.mdx Tightens embedded authorization server explanation from the client perspective and cross-links to backend-auth for backend-facing details.

docs/toolhive/concepts/backend-auth.mdx Outdated
Comment on lines 5 to 6
ToolHive's backend authentication patterns, including token exchange,
federated identity, and the embedded authorization server.
Copy link

Copilot AI Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The frontmatter description lists “token exchange, federated identity, and the embedded authorization server” but omits the “static credentials” pattern that the page now presents as one of the three backend auth patterns. Consider updating the description to reflect the three patterns consistently (static credentials, token exchange, embedded authorization server) so the summary matches the page content.

Suggested change
ToolHive's backend authentication patterns, including token exchange,
federated identity, and the embedded authorization server.
ToolHive's backend authentication patterns, including static credentials,
token exchange, and the embedded authorization server.

Copilot uses AI. Check for mistakes.
@jhrozek
Restructure backend auth docs for balanced pattern coverage
9fbce99 
The backend-auth.mdx page was heavily weighted toward token exchange
while the embedded authorization server and static credentials got
minimal coverage. Restructure so all three backend auth patterns get
equal treatment with their own sections, diagrams, and guidance.

Maintain the page separation: auth-framework.mdx focuses on
client-to-MCP-server authentication, backend-auth.mdx focuses on
MCP-server-to-backend authentication. The embedded authorization server
spans both concerns, so each page covers its respective perspective.

Key changes to backend-auth.mdx:
- Add static credentials section with Vault cross-reference
- Add embedded authorization server section with OAuth flow diagram,
  key characteristics, and tsid-based token storage/forwarding detail
- Reorganize token exchange content under "Token exchange in depth"
- Replace verbose choosing-the-right-model bullets with decision table
- Broaden front matter, intro, and benefits to cover all patterns

Key changes to auth-framework.mdx:
- Trim embedded auth server section to focus on client-facing flow
- Add cross-reference to backend-auth.mdx for backend token details
- Fix "Why ToolHive centralizes" to attribute per-server cost to
  centralization and registration/federation gaps to the auth server
@jhrozek
Fix inaccurate wording in backend auth docs
43ef10d 
Address PR review feedback:
- Add static credentials to frontmatter description
- Clarify credential delivery covers headers and env vars
- Scope DCR descriptions to ToolHive registration
@jhrozek jhrozek force-pushed the backend-auth-authserver branch from e3f89ef to 43ef10d Compare February 18, 2026 10:54
@jhrozek
Copy link
Contributor Author

jhrozek commented Feb 18, 2026

To my suprise, I agree with Copilot's suggestions and ended up taking them all

@danbarr
Copy link
Collaborator

danbarr commented Feb 18, 2026

Editorial review

The restructuring achieves its goal: all three patterns now get equal coverage with their own sections, diagrams, and guidance. The decision table and the new "Token storage and forwarding" section are clear improvements. A few issues to address before merge.

Primary issues

1. "Security and operational benefits" is now inaccurate

The first bullet says: "MCP servers receive short-lived, properly scoped access tokens instead of embedding long-lived secrets." But the page now documents static credentials as a first-class pattern—those are long-lived secrets. This is only accurate for the token-based patterns.

Suggest scoping the bullet explicitly, or replacing it with something like: "Token-based patterns provide short-lived, properly scoped credentials—see Choosing the right backend authentication model to select the most appropriate level of security for your scenario."

2. Terminology inconsistency: "model" vs "pattern"

The document uses "pattern" consistently throughout (intro, ## Backend authentication patterns, inline prose), but the decision-table section heading says "Choosing the right backend authentication model." Change to "pattern."

3. "Token exchange in depth" sub-headings don't parallel the overview

The overview uses:

  • #### Same IdP with token exchange
  • #### Federated IdPs with identity mapping

The in-depth section uses different names for the same sub-patterns:

  • ### Token exchange implementation + ### Token transformation
  • ### Federation flow

A reader who wants to dig deeper into "Same IdP with token exchange" won't find a matching heading. Suggest renaming the in-depth sub-sections to match, e.g. ### Same IdP: implementation details and ### Federated IdPs: implementation details. Also consider consolidating "Token exchange implementation" and "Token transformation"—they describe consecutive steps of the same flow, not two distinct topics.

Secondary issues

Issue Location Fix
RFC 8693 is hyperlinked twice within a few lines "Token exchange" intro + "Same IdP with token exchange" subsection Remove the link from the intro; the subsection link is sufficient
"they're designed this way" — ambiguous antecedent auth-framework.mdx, first paragraph Change to "it's designed this way" (antecedent is "framework")
Embedded auth server flowchart LR shows Proxy → ExtProvider for code exchange but no return arrow for the token response backend-auth.mdx, flowchart under "### Embedded authorization server" Add a return arrow from ExtProvider back to Proxy to show the exchange is bidirectional

Inline suggestions

backend-auth.mdx, "Token exchange" intro paragraph: "Because the trust relationship between services is pre-configured at the IdP, no consent screen or user interaction is required—the exchange is transparent to the end user." Suggest trimming to: "Because the trust relationship is pre-configured at the IdP, the exchange is transparent to the end user—no consent screen required."

auth-framework.mdx, cross-reference after the 5-step list: "For the complete flow including how upstream tokens are stored and delivered to MCP servers, see Embedded authorization server in the backend authentication documentation." The trailing phrase is redundant given the link. Suggest: "For the complete flow, including token storage and forwarding, see Embedded authorization server."

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jhrozek @danbarr

Comments