SDKs overview
TL;DR — Three languages (Python, TypeScript, Go), one shared core primitive package per language, plus one adapter per popular MCP framework. All adapters do the same job: fetch AS metadata, cache the JWKS, publish RFC 9728 PRM, validate incoming JWTs (with or without DPoP), and expose token-exchange for delegation and upstream vending. This page tells you which adapter to install for your stack.
Which adapter for which stack
Naming trap. “FastMCP” is the class name of the official MCP Python SDK’s transport (
mcp.server.fastmcp.FastMCP) and the name of two independent framework projects (PrefectHQ’s Python FastMCP, punkpeye’s TypeScript FastMCP). They are three different pieces of software. Pick the AuthPlane adapter that matches the framework you actually use.
Feature support
Every adapter delivers the same core functionality; the differences are how per-tool scope enforcement and inbound DPoP are wired.
Choose your adapter in three questions
- Which MCP framework are you using?
- Official MCP SDK (Python, TS, or Go) →
authplane-mcp/@authplane/mcp/authplanemcp. - PrefectHQ FastMCP (Python) →
authplane-fastmcp. - punkpeye FastMCP (TS) →
@authplane/fastmcp. - Hono →
@authplane/hono. - NestJS →
@authplane/nestjs. - mark3labs/mcp-go →
authplane mark3labs. - Anything else in Go with plain
net/http→authplane http. - No framework, want raw primitives → the core
authplane/@authplane/sdk/authplane(Go) package.
- Official MCP SDK (Python, TS, or Go) →
- Do you need inbound DPoP enforcement? All adapters — including Python’s
authplane-fastmcp— verify DPoP proofs when configured.authplane-mcpcallers additionally callinstall_request_context(mcp)so the verifier can see the raw request;authplane-fastmcpneeds no extra wiring. See Python: Inbound DPoP. - Do you need to vend upstream tokens (GitHub, Slack, Google) from your tools? All adapters expose
client.exchange()(Python),auth.client.exchange()(TS), orclient.TokenExchange()(Go). See Guides: Wire up the Token Vault.
Install commands
Python
# For the official MCP Python SDK
pip install authplane-mcp
# For PrefectHQ FastMCP
pip install authplane-fastmcp
# Core primitives only
pip install authplane
Requires Python 3.11+. authplane-mcp supports mcp >=1.23.0, <1.28.0 (MCP 1.28 renamed an elicitation field — update pending).
TypeScript
# For the official MCP TypeScript SDK
npm install @authplane/sdk @authplane/mcp
# For punkpeye FastMCP
npm install @authplane/sdk @authplane/fastmcp fastmcp zod
# For Hono
npm install @authplane/sdk @authplane/hono hono
# For NestJS
npm install @authplane/sdk @authplane/nestjs @nestjs/common @nestjs/core
# Core primitives only
npm install @authplane/sdk
Requires Node.js 20 LTS or newer.
Go
# For the official MCP Go SDK
go get github.com/authplane/go-sdk/mcp
# For mark3labs/mcp-go
go get github.com/authplane/go-sdk/mark3labs
# For plain net/http (any framework)
go get github.com/authplane/go-sdk/http
# Core primitives only
go get github.com/authplane/go-sdk/core
Requires Go 1.24+ for core and http, 1.25+ for mcp, 1.25.5+ for mark3labs.
Versioning & compatibility
All AuthPlane SDKs follow semantic versioning. Same-major-line upgrades are drop-in; a major bump signals a breaking change and comes with a migration note in that repo’s CHANGELOG.md.
- Python — pinning
authplane-mcp==0.xis safe; the underlying MCP SDK version is called out in each release’s compatibility line. - TypeScript —
@authplane/*packages share a version; upgrade the set together. Compatible withfastmcp@^3.35,hono@^4,@nestjs/*@^10 or ^11. - Go — module versions independent per adapter; the
coremodule is the shared dependency and follows the same version cadence.
Every SDK ships a conformance test suite that runs against a live AuthPlane instance. Green suite = the adapter meets the spec claims on this page.
What each SDK adapter does under the hood
Regardless of language and framework, the setup call performs the same seven steps described in Your first MCP server:
- Discover the AS via RFC 8414 metadata
- Fetch the JWKS + start background rotation
- Build an in-memory Resource object
- Wrap it in a Token Verifier the framework’s
authenticatecallback calls - Build the RFC 9728 PRM document
- Wrap the underlying OAuth client to auto-translate
ConsentRequiredErrorto MCP-32042 - Register an on-shutdown hook (
aclose()/.close()/defer Close())
The differences between adapters are the surface — how the framework hands the request in, how you enforce scopes, and how the PRM handler gets mounted.
Related
- SDKs: Python — the three Python packages in detail
- SDKs: TypeScript — the five
@authplane/*packages in detail - SDKs: Go — the four Go modules in detail
- Quickstart — the shortest path from install to a running server
- Your first MCP server — line-by-line walkthrough of the snippet
- Guides: Wire up the Token Vault — using
client.exchange()to vend upstream tokens