Choose your topology
TL;DR — Every AuthPlane deployment reduces to one of ten canonical topologies. Pick the shape that matches yours by answering three questions: how many MCP servers, who authenticates the user, and does the MCP server need upstream tokens (GitHub, Slack, Google, …). Each topology has a dedicated page with a component diagram, wire-level flow, and end-to-end configuration.
The three questions
Answer these first — they narrow you to one row of the tables below.
- How many MCP servers is one agent talking to?
- One → single-resource.
- Many → multi-resource (fanout, gateway, folded).
- Who authenticates the user?
- AuthPlane’s local login → any single- or multi-resource topology works as-is.
- Your corporate IdP (Google, Okta, Entra, Auth0) → add OIDC-federated user login on top.
- Your corporate IdP asserts the agent’s identity (skipping per-user consent) → Enterprise-Asserted Agent Identity (XAA).
- Does the MCP server need to act on the user’s behalf against a third-party API (call the user’s GitHub, read their Google Calendar)?
- Yes → broker flavor of whichever shape you picked. AuthPlane vaults the refresh token and vends short-lived access tokens on demand.
- No → mint flavor (AuthPlane signs its own JWTs for the MCP server, no upstream involvement).
Single-resource topologies
Multi-resource topologies
Identity federation topologies
These stack on top of any of the above — they change how the user authenticates, not the token path.
Composing topologies
Real deployments stack shapes. Common combos:
- OIDC-federated login + direct fanout — users sign in via Okta once, then each agent fans out to MCPs A, B, C with per-MCP consent.
- MCP gateway → broker (Google Calendar) + MCP gateway → mint (internal scheduling API) — one gateway serves both fronted patterns to different downstream resources.
- Enterprise XAA + MCP gateway → hidden Mint — corporate-IdP-signed agent identity flows through the
act-claim chain into an internal API.
When in doubt, model each hop as its own topology and stack them.
What’s on the roadmap
Not yet shipped — co-authorization at first /authorize: a single consent screen for multiple resources via repeated resource= parameters (RFC 8707 multi-resource authorization). Until it lands, use direct fanout (sequential consent) or the gateway pattern (single consent).
Three ways to configure any topology
Every topology page shows the same setup in three parallel modes — pick one, stay in it:
Auth applies uniformly: the CLI and REST API use the AUTHPLANE_ADMIN_API_KEY env var (or YAML admin.api_key). The Admin UI uses session login.
Only the OIDC federation provider config and the global xaa.* toggles are YAML-only at v0.1.x. XAA trusted IdPs, policies, and subject mappings are managed through the admin REST API (/admin/idps, /admin/xaa/policies, /admin/xaa/subject-mappings) — each topology page calls that out where it applies.
Visual conventions
Every topology diagram in these docs uses the same node names:
Edge labels carry the wire payload: token bound to <slug>, grant=client_credentials, RFC 8693 exchange. Subgraphs mark encapsulation boundaries (e.g. “invisible to AS”).
Related
- Introduction — how AuthPlane fits into your stack
- Quickstart — the single-mcp topology, running in 10 minutes
- Concepts: Architecture — what runs inside the AS
- Concepts: Grants & flows — the OAuth grants each topology uses