Show HN: AuthPlane – OAuth 2.1 and PKCE authorization server for MCP

AuthPlane is an open-source OAuth 2.1 and PKCE authorization server for the Model Context Protocol (MCP), shipped as a single Go binary with a built-in admin UI, DPoP support, and federation with existing identity providers. The project aims to simplify securing MCP servers by providing spec-compliant token issuance, agent-to-agent delegation, and zero-config development, addressing a critical gap in the MCP ecosystem.

One Go binary. AGPL-3.0. MCP Authorization spec 2025-11-25, end-to-end.

AI coding agents: read AGENTS.md first. It has the deterministic workflow for adding Authplane to an existing MCP server, the SDK pins per stack, and the three byte-for-byte rules that cause 90% of invalid-token failures. If you're an agent operating from web docs (no clone), llms.txt is the same link map in the llmstxt.org convention.

Building an MCP server is now a one-afternoon job. Securing it isn't. You need to issue tokens, validate them, federate to your existing IdP, and let agents act on each other's behalf without losing the user behind the chain. Authplane is the one piece of infrastructure that answers all of that.

- Spec-compliant access tokens for any MCP server in any language — discovery, scopes, audience binding, refresh rotation, in token formats your existing resource servers already understand.
- Federation to your existing IdP — Google, Okta, Azure AD, Auth0, anyone OIDC-compliant. Authplane handles the OAuth side; you keep the access policy.
- Agent-to-agent delegation — one agent calls another on a user's behalf, with every hop recorded as an act-claim chain in the issued token and the audit log.
- Upstream provider vaulting — store GitHub / Google / Slack / Linear refresh tokens encrypted at rest and vend fresh access tokens via RFC 8693, with per-user / per-agent / per-resource consent enforced at every hop.
- DPoP proof-of-possession — bind tokens to a client-held key so a leaked token can't be replayed from another machine.
- Built-in Admin UI — React dashboard embedded in the same binary. No separate frontend, no extra container.
- Production storage and observability — PostgreSQL with cross-instance LISTEN/NOTIFY, OpenTelemetry traces and metrics, Prometheus, Helm chart, Vault Transit for HSM-grade signing.
- Zero-config dev — default SQLite, auto-generated signing keys, sensible defaults.

Full RFC inventory at the bottom, under [Standards & Specifications](#standards--specifications).

One docker run. A working OAuth 2.1 + MCP authorization server in under a minute.

```bash
export AUTHPLANE_ADMIN_API_KEY="$(openssl rand -hex 32)"
export AUTHPLANE_SESSION_SECRET="$(openssl rand -hex 32)"
echo "Save this — it's your Admin UI login: $AUTHPLANE_ADMIN_API_KEY"

docker run -p 9000:9000 -p 9001:9001 \
  -e AUTHPLANE_ADMIN_API_KEY \
  -e AUTHPLANE_SESSION_SECRET \
  -e AUTHPLANE_CLIENT_CREDENTIALS_ENABLED=true \
  -e AUTHPLANE_DPOP_ENABLED=true \
  -e AUTHPLANE_TOKEN_EXCHANGE_ENABLED=true \
  -v authserver-data:/data \
  authplane/authserver:latest serve
```

Open http://localhost:9001/admin/ui/ and paste the printed API key. The public OAuth endpoints are on http://localhost:9000.

Writing an MCP server from scratch? Start at the runnable example for your language: [Python](/AuthPlane/authserver/blob/main/examples/python/01-mcp-server-basic) · [TypeScript](/AuthPlane/authserver/blob/main/examples/typescript/01-mcp-server-basic) · [Go](/AuthPlane/authserver/blob/main/examples/go/01-mcp-server-basic). Auth in 5 lines, end-to-end smoke test in `make verify`.

Adding auth to an MCP server you already have? The retrofit example is a runnable before/after pair: the same three tools in two versions, side by side, with a smoke test that proves the "before" version accepts anything and the "after" version enforces auth. [Python](/AuthPlane/authserver/blob/main/examples/python/retrofit-existing-mcp-server) · [TypeScript](/AuthPlane/authserver/blob/main/examples/typescript/retrofit-existing-mcp-server) · [Go](/AuthPlane/authserver/blob/main/examples/go/retrofit-existing-mcp-server). Or read the Connect an MCP Server guide for the prose version.

Already have an MCP server running elsewhere? To point this AS at your server and drive the whole OAuth flow by hand with curl (no SDK, no compose), see [Run the AS standalone and point it at your own MCP server](/AuthPlane/authserver/blob/main/docs/guides/integrate/standalone-as-by-hand.md). It also reconciles this Quick Start's config with the examples/ .env style.

Operator quickstart (upstream providers, PostgreSQL, OIDC federation, Helm, multi-instance): docs/README.md.

Building from source: [CONTRIBUTING.md](/AuthPlane/authserver/blob/main/CONTRIBUTING.md).

Manage everything from a browser. The Admin UI is embedded in the same binary; every operation is also exposed via the [Admin REST API](/AuthPlane/authserver/blob/main/docs/reference/http-api.md).

Authserver is only half the story. The MCP server on the other side still has to validate the tokens, expose the discovery endpoint, enforce scopes per tool, handle DPoP, and decode consent errors. The Authplane SDKs do all of that in 5 lines of integration code, measured and CI-counted, in Python, TypeScript and Go alike. The full ladder (basic MCP server → calling another resource → DPoP + per-tool scopes → fronting a Broker upstream) sits between 5 and 30 lines of auth-specific code per tier; see [examples/](/AuthPlane/authserver/blob/main/examples) for the numbers under each tier's banner.

Every Authplane SDK provides the same baseline:

- JWT validation against the authserver JWKS, with caching
- Scope enforcement, per route or per tool
- The Protected Resource Metadata document at /.well-known/oauth-protected-resource/