SDKs overview

TL;DR — Three languages (Python, TypeScript, Go), one shared core primitive package per language, plus one adapter per popular MCP framework. All adapters do the same job: fetch AS metadata, cache the JWKS, publish RFC 9728 PRM, validate incoming JWTs (with or without DPoP), and expose token-exchange for delegation and upstream vending. This page tells you which adapter to install for your stack.

Which adapter for which stack

LanguageAdapter packageMCP framework it targetsFramework repo
Pythonauthplane-mcpOfficial MCP Python SDK — mcp.server.fastmcp.FastMCPmodelcontextprotocol/python-sdk
Pythonauthplane-fastmcpFastMCP (PrefectHQ)PrefectHQ/fastmcp
Pythonauthplane (core)Framework-agnostic primitives
TypeScript@authplane/mcpOfficial MCP TypeScript SDKmodelcontextprotocol/typescript-sdk
TypeScript@authplane/fastmcpFastMCP (punkpeye)punkpeye/fastmcp
TypeScript@authplane/honoHono web frameworkhonojs/hono
TypeScript@authplane/nestjsNestJSnestjs/nest
TypeScript@authplane/sdk (core)Framework-agnostic primitives
GoauthplanemcpOfficial MCP Go SDKmodelcontextprotocol/go-sdk
Goauthplane mark3labsmark3labs/mcp-go community SDKmark3labs/mcp-go
Goauthplane httpGeneric net/http — any Go server
Goauthplane (core)Framework-agnostic primitives

Naming trap. “FastMCP” is the class name of the official MCP Python SDK’s transport (mcp.server.fastmcp.FastMCP) and the name of two independent framework projects (PrefectHQ’s Python FastMCP, punkpeye’s TypeScript FastMCP). They are three different pieces of software. Pick the AuthPlane adapter that matches the framework you actually use.

Feature support

Every adapter delivers the same core functionality; the differences are how per-tool scope enforcement and inbound DPoP are wired.

FeaturePython (mcp)Python (fastmcp)TS (all)Go (all)Core packages
JWT signature validation (RS256/ES256/PS256)
RFC 8414 metadata discovery + cache
JWKS fetch + background rotation
RFC 9728 PRM publishingmanual
Audience binding (aud = resource URI)
Inbound DPoP enforcement (RFC 9449)[needs install_request_context]no extra wiring
Outbound DPoP for calls to AS
Token exchange (RFC 8693) via client.exchange() (Go: client.TokenExchange())
Introspection revocation (RFC 7662)
URL elicitation → MCP JSON-RPC -32042manual
Per-tool scope guardrequire_scope()@mcp.tool(auth=require_scopes(...))requireScopes()ClaimsFromContext() + manual checkmanual

Choose your adapter in three questions

  1. Which MCP framework are you using?
    • Official MCP SDK (Python, TS, or Go) → authplane-mcp / @authplane/mcp / authplanemcp.
    • PrefectHQ FastMCP (Python) → authplane-fastmcp.
    • punkpeye FastMCP (TS) → @authplane/fastmcp.
    • Hono → @authplane/hono.
    • NestJS → @authplane/nestjs.
    • mark3labs/mcp-go → authplane mark3labs.
    • Anything else in Go with plain net/httpauthplane http.
    • No framework, want raw primitives → the core authplane / @authplane/sdk / authplane (Go) package.
  2. Do you need inbound DPoP enforcement? All adapters — including Python’s authplane-fastmcp — verify DPoP proofs when configured. authplane-mcp callers additionally call install_request_context(mcp) so the verifier can see the raw request; authplane-fastmcp needs no extra wiring. See Python: Inbound DPoP.
  3. Do you need to vend upstream tokens (GitHub, Slack, Google) from your tools? All adapters expose client.exchange() (Python), auth.client.exchange() (TS), or client.TokenExchange() (Go). See Guides: Wire up the Token Vault.

Install commands

Python

# For the official MCP Python SDK
pip install authplane-mcp

# For PrefectHQ FastMCP
pip install authplane-fastmcp

# Core primitives only
pip install authplane

Requires Python 3.11+. authplane-mcp supports mcp >=1.23.0, <1.28.0 (MCP 1.28 renamed an elicitation field — update pending).

TypeScript

# For the official MCP TypeScript SDK
npm install @authplane/sdk @authplane/mcp

# For punkpeye FastMCP
npm install @authplane/sdk @authplane/fastmcp fastmcp zod

# For Hono
npm install @authplane/sdk @authplane/hono hono

# For NestJS
npm install @authplane/sdk @authplane/nestjs @nestjs/common @nestjs/core

# Core primitives only
npm install @authplane/sdk

Requires Node.js 20 LTS or newer.

Go

# For the official MCP Go SDK
go get github.com/authplane/go-sdk/mcp

# For mark3labs/mcp-go
go get github.com/authplane/go-sdk/mark3labs

# For plain net/http (any framework)
go get github.com/authplane/go-sdk/http

# Core primitives only
go get github.com/authplane/go-sdk/core

Requires Go 1.24+ for core and http, 1.25+ for mcp, 1.25.5+ for mark3labs.

Versioning & compatibility

All AuthPlane SDKs follow semantic versioning. Same-major-line upgrades are drop-in; a major bump signals a breaking change and comes with a migration note in that repo’s CHANGELOG.md.

  • Python — pinning authplane-mcp==0.x is safe; the underlying MCP SDK version is called out in each release’s compatibility line.
  • TypeScript@authplane/* packages share a version; upgrade the set together. Compatible with fastmcp@^3.35, hono@^4, @nestjs/*@^10 or ^11.
  • Go — module versions independent per adapter; the core module is the shared dependency and follows the same version cadence.

Every SDK ships a conformance test suite that runs against a live AuthPlane instance. Green suite = the adapter meets the spec claims on this page.

What each SDK adapter does under the hood

Regardless of language and framework, the setup call performs the same seven steps described in Your first MCP server:

  1. Discover the AS via RFC 8414 metadata
  2. Fetch the JWKS + start background rotation
  3. Build an in-memory Resource object
  4. Wrap it in a Token Verifier the framework’s authenticate callback calls
  5. Build the RFC 9728 PRM document
  6. Wrap the underlying OAuth client to auto-translate ConsentRequiredError to MCP -32042
  7. Register an on-shutdown hook (aclose() / .close() / defer Close())

The differences between adapters are the surface — how the framework hands the request in, how you enforce scopes, and how the PRM handler gets mounted.