Public API

TL;DR — Everything AuthPlane exposes on :9000 — the port your MCP clients hit. OAuth 2.1 endpoints (/oauth/authorize, /oauth/token, /oauth/register, /oauth/introspect, /oauth/revoke), discovery (/.well-known/oauth-authorization-server, /.well-known/openid-configuration, /.well-known/jwks.json), federation callback (/oidc/callback, /oidc/start), Broker connect flow (/connect/{provider}), and health checks. Live spec below with try-it-out.

Endpoints at a glance

| Path | Purpose |
| --- | --- |
| GET /.well-known/oauth-authorization-server | RFC 8414 AS metadata |
| GET /.well-known/openid-configuration | Alias to AS metadata (for OIDC-discovery clients) |
| GET /.well-known/jwks.json | Public signing keys (RFC 7517) |
| GET /oauth/authorize | User-facing authorization endpoint (RFC 6749 §4.1 + PKCE, RFC 7636) |
| POST /oauth/token | Token endpoint; all grants: authorization_code, refresh_token, client_credentials, token-exchange (RFC 8693), jwt-bearer (RFC 7523) |
| POST /oauth/register | Dynamic Client Registration (RFC 7591) |
| POST /oauth/introspect | Token introspection (RFC 7662) |
| POST /oauth/revoke | Token revocation (RFC 7009) |
| GET /oidc/start | Kick off upstream OIDC login (federation) |
| GET /oidc/callback | Upstream OIDC return |
| GET /connect/{provider} | Start Broker Connect flow for an upstream provider |
| GET /connect/{provider}/callback | Broker Connect return |
| GET /health, GET /ready | Health probes |

Discovery and health are unauthenticated, and so is /oauth/register when dcr.mode is open (anyone who can reach :9000 can then register a client). Everything else follows OAuth semantics; see Concepts: Grants & flows for what each grant expects at /oauth/token.

Authentication models

Five models across the public endpoints:

  • Unauthenticated: /.well-known/*, /health, /ready, /oauth/register (only with dcr.mode: open), and /login and /oidc/* (these are the endpoints that establish a session)
  • Session cookie: /oauth/authorize, /consent, /connect/* (user-facing endpoints that require a logged-in user)
  • Bearer JWT / DPoP: used on resource-server calls, which AuthPlane itself does not serve; this is the form in which AS-issued tokens are presented
  • API key: none on the public API (admin API only)
  • Client credentials: /oauth/token for confidential clients (client_secret_basic or client_secret_post)

Full mapping per endpoint is in the spec below (security field on each operation).
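The following is an added example, not AuthPlane's own code or an official client: it walks the client side of the endpoints and authentication models above offline. It parses a constructed RFC 8414 metadata document, refuses one whose issuer or endpoint origins do not match the server it was fetched from, derives a PKCE pair, builds the GET /oauth/authorize URL and the POST /oauth/token body for a public client, and builds the client_secret_basic header a confidential client needs for /oauth/token or /oauth/introspect. The issuer http://localhost:9000, the client_id values, the redirect URI and the scope mcp:tools are assumptions for the example; nothing here is read from a running AuthPlane.

```python
"""Added example (not AuthPlane's code): client-side use of the public API, offline."""
import base64
import hashlib
import json
import secrets
from urllib.parse import quote, urlencode, urlsplit

# Constructed sample of what GET /.well-known/oauth-authorization-server might return.
# Field names are RFC 8414; the URLs and supported lists are assumptions for this example.
SAMPLE_METADATA = json.dumps({
    "issuer": "http://localhost:9000",
    "authorization_endpoint": "http://localhost:9000/oauth/authorize",
    "token_endpoint": "http://localhost:9000/oauth/token",
    "registration_endpoint": "http://localhost:9000/oauth/register",
    "introspection_endpoint": "http://localhost:9000/oauth/introspect",
    "revocation_endpoint": "http://localhost:9000/oauth/revoke",
    "jwks_uri": "http://localhost:9000/.well-known/jwks.json",
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "none"],
})


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_metadata(raw: str, expected_issuer: str) -> list:
    """Reasons not to trust a metadata document (empty list means it passed).

    The issuer must be the one the well-known URL was derived from (RFC 8414 §3.3),
    and every endpoint we will send codes or secrets to must sit under that issuer's
    origin; that blocks a mix-up attack on a client that talks to several servers.
    """
    md = json.loads(raw)
    problems = []
    if md.get("issuer") != expected_issuer:
        problems.append(f"issuer {md.get('issuer')!r} != {expected_issuer!r}")
    origin = urlsplit(expected_issuer)[:2]  # (scheme, host[:port])
    for key in ("authorization_endpoint", "token_endpoint", "introspection_endpoint", "jwks_uri"):
        if key in md and urlsplit(md[key])[:2] != origin:
            problems.append(f"{key} {md[key]!r} is not under the issuer origin")
    if "S256" not in md.get("code_challenge_methods_supported", []):
        problems.append("server does not advertise PKCE S256")
    return problems


def load_metadata(raw: str, expected_issuer: str) -> dict:
    problems = check_metadata(raw, expected_issuer)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(raw)


def pkce_pair(verifier: str = "") -> tuple:
    """RFC 7636: verifier is 32 random bytes base64url'd; challenge is S256 over its ASCII."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorize_url(md: dict, client_id: str, redirect_uri: str, scope: str,
                  state: str, challenge: str) -> str:
    """GET /oauth/authorize URL for the authorization_code + PKCE grant."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF binding; compare it on the redirect back
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return md["authorization_endpoint"] + "?" + urlencode(params)


def code_exchange_body(code: str, client_id: str, redirect_uri: str, verifier: str) -> str:
    """Form body for POST /oauth/token from a public client (no client secret)."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,  # the server recomputes S256 and compares
    })


def client_secret_basic(client_id: str, client_secret: str) -> str:
    """Authorization header for a confidential client (RFC 6749 §2.3.1).

    Both halves are form-urlencoded before base64; skipping that is a classic
    interop bug for secrets that contain ':' or '%'.
    """
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def introspection_request(md: dict, token: str, client_id: str, client_secret: str) -> tuple:
    """(url, headers, body) for POST /oauth/introspect authenticated as the client."""
    headers = {
        "Authorization": client_secret_basic(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return md["introspection_endpoint"], headers, urlencode({"token": token})


if __name__ == "__main__":
    md = load_metadata(SAMPLE_METADATA, "http://localhost:9000")
    verifier, challenge = pkce_pair()
    state = b64url(secrets.token_bytes(16))
    print(authorize_url(md, "mcp-client", "http://127.0.0.1:8765/callback", "mcp:tools", state, challenge))
    print(code_exchange_body("CODE_FROM_REDIRECT", "mcp-client", "http://127.0.0.1:8765/callback", verifier))
    url, headers, body = introspection_request(md, "TOKEN", "backend", "s3cret")
    print(url, headers["Authorization"], body)
```

The metadata check is the part worth keeping even if you use an OAuth library for the rest: a client that accepts whatever issuer and endpoints a discovery document names will happily post its authorization code or client secret to a host the attacker controls. Keep the verifier and state in memory for exactly one authorization attempt, and send the code_verifier only to the token_endpoint taken from metadata that passed the check.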

Live spec (Rapidoc)

Search endpoints, expand schemas, try requests inline. The spec below is the exact YAML that ships with the AuthPlane binary — the endpoints your MCP clients hit at runtime.