Public API
TL;DR — Everything AuthPlane exposes on `:9000` — the port your MCP clients hit. OAuth 2.1 endpoints (`/oauth/authorize`, `/oauth/token`, `/oauth/register`, `/oauth/introspect`, `/oauth/revoke`), discovery (`/.well-known/oauth-authorization-server`, `/.well-known/openid-configuration`, `/.well-known/jwks.json`), federation callback (`/oidc/callback`, `/oidc/start`), Broker connect flow (`/connect/{provider}`), and health checks. Live spec below with try-it-out.
Endpoints at a glance
Discovery and health are unauthenticated. Everything else follows OAuth semantics — see Concepts: Grants & flows for what each grant expects at `/oauth/token`.
Authentication models
Five models across the public endpoints:
- Unauthenticated — `/.well-known/*`, `/health`, `/ready`, `/oauth/register` (with `dcr.mode: open`), `/login` and `/oidc/*` (these establish a session)
- Session cookie — `/oauth/authorize`, `/consent`, `/connect/*` (user-facing endpoints that require a logged-in user)
- Bearer JWT / DPoP — resource-server calls that AuthPlane itself doesn’t serve, but that AS-issued tokens carry
- API key — none on the public API (admin only)
- Client credentials — `/oauth/token` for confidential clients (`client_secret_basic` or `client_secret_post`)
Full mapping per endpoint is in the spec below (`security` field on each operation).
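As an added example, not AuthPlane's own code: the two client authentication methods named under "Client credentials", built as raw `/oauth/token` requests for the client_credentials grant. The host `localhost:9000` is an assumption (only the port is from this page), the client id and secret are constructed sample values, and the parameter names follow RFC 6749. The point worth seeing is that the `client_secret_basic` form must form-urlencode the id and secret before base64, and that the secret travels in exactly one place per method.

```python
import base64
import urllib.request
from typing import Optional
from urllib.parse import quote, urlencode

# Assumed: AuthPlane's public API listening locally on :9000 (port from the page, host assumed).
TOKEN_URL = "http://localhost:9000/oauth/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the client_secret_basic Authorization header.

    RFC 6749 section 2.3.1: both values are form-urlencoded *before* base64
    encoding, so a ':' or '@' inside the secret cannot split or corrupt the pair.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def client_credentials_request(client_id: str, client_secret: str,
                               method: str = "client_secret_basic",
                               scope: Optional[str] = None) -> tuple:
    """Return (headers, form body) for a client_credentials grant at /oauth/token.

    client_secret_basic: credentials travel only in the Authorization header.
    client_secret_post:  credentials travel only in the form body.
    Never both, and never the secret in the query string (it would land in logs).
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    if method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, urlencode(params)


def request_token(client_id: str, client_secret: str,
                  method: str = "client_secret_basic",
                  scope: Optional[str] = None, url: str = TOKEN_URL) -> bytes:
    """POST the request; only meaningful against a running AuthPlane (not run offline)."""
    headers, body = client_credentials_request(client_id, client_secret, method, scope)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample credentials, not real AuthPlane values.
    for m in ("client_secret_basic", "client_secret_post"):
        headers, body = client_credentials_request("app", "p@ss", m, scope="mcp:read")
        print(m, headers, body, sep="\n  ")
```

Run it as a script to see both request shapes side by side; `request_token` only matters once a server is actually listening on the assumed URL.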
Live spec (Rapidoc)
Search endpoints, expand schemas, try requests inline. The spec below is the exact YAML that ships with the AuthPlane binary — the endpoints your MCP clients hit at runtime.
Related
- Reference: Admin API — the operator surface on `:9001`
- Reference: Configuration — every knob that affects what the public API accepts/emits
- Reference: RFC compliance — which RFCs each endpoint implements + intentional deviations
- Reference: Errors — OAuth error codes and `WWW-Authenticate` patterns
- Concepts: Architecture — end-to-end auth-code flow through the codebase