Getting help
TL;DR — Bug reports and feature requests go to GitHub Issues on the relevant repo. Questions and discussions go to GitHub Discussions. Security vulnerabilities go to Private Vulnerability Reporting. Most issues get a response within one business day. Include the version + redacted config + logs with
trace_idand you’ll get help fast.
Where to go
Most issues get an initial response within one business day. Security reports are acknowledged within 48 hours (SLA).
What to include in a bug report
The faster you can give us these five things, the faster we can help:
1. Version.
$ authserver version
authserver v0.1.x commit=abcdef1 built=2026-01-01T00:00:00Z
For containers: the image tag (docker inspect | grep -i tag).
For SDKs: the version from your dependency file (pip show authplane-mcp, npm ls @authplane/mcp, go list -m github.com/authplane/go-sdk/mcp).
2. Config (redacted).
Full YAML config OR relevant AUTHPLANE_* env vars. Redact:
session.secret,admin.api_key- All OAuth
client_secret,client_secret_refvalues data_encryption.aes_master.key_envenv-var VALUES (not names)vault_transit.token/approle.secret_id- Postgres DSN passwords
AUTHPLANE_* names alone are fine; secret VALUES need redaction.
3. Repro steps.
The minimal sequence that reproduces the failure. If it’s the OAuth flow, a redacted curl for each step is ideal. If it’s an SDK bug, a minimal server.py / server.ts / main.go that triggers it.
4. Log lines (with trace_id).
Grab a few lines around the failure — WARN and ERROR levels are usually enough. Include trace_id so we can follow the request across services. Redact tokens — never post an unredacted access token, refresh token, or session cookie in a public issue.
5. What you expected vs what happened.
One sentence each. Skip “it should work” — say “I expected the token endpoint to return an access token with aud=X; instead it returned 403 access_denied”.
Anti-patterns to avoid
- “Nothing works.” — nine of ten times, one specific thing doesn’t work. Isolate it.
- Screenshots of terminals. — paste the text. Screenshots aren’t grep-able and take longer to read.
- Posting tokens. — never. Redact
eyJ...blobs before hitting Send. If we need the token structure, decode the JWT payload and paste the JSON (still redacted for user identifiers). - “Same as issue #X but different.” — link the issue you’re comparing to and describe the delta.
- “Doesn’t work with Claude Code.” — check
authserver/docs/compatibility.mdfirst; known Claude Code quirks are documented (see Guides: Connect an MCP client → Known Claude Code quirks).
For feature requests
Open an issue with the tag feature. Include:
- The problem you’re trying to solve (not the solution you have in mind).
- Why existing features don’t cover it.
- Concrete use case with real numbers where possible (“we have 200 agents, each needing X”).
We prioritize based on breadth of demand + alignment with the roadmap. Not everything gets built — but every request gets read.
For MCP client compatibility
If you’re testing a new MCP client and hit spec-drift issues, file via the MCP compatibility issue template. Document which scenarios (C.1–C.10 per compatibility.md) pass/fail. If you can add an automated test to e2e/scenarios/, even better — PRs welcome.
For security
Never open a public issue for a security vulnerability. Use GitHub Private Vulnerability Reporting — details in Security: Reporting vulnerabilities. Coordinated disclosure preserves users and gets you credit.
Commercial / enterprise support
AuthPlane is AGPL-3.0 open source. There is no paid support tier today — GitHub Issues + Discussions are the entire support surface. If you’re deploying at enterprise scale and need contractual support, contact hello@authplane.ai and we’ll point you at the current options.
Related
- FAQ
- Common errors
- Debugging checklist
- Security: Reporting vulnerabilities
authserver/docs/compatibility.md— living MCP client compatibility matrix