AuthPlane launches self-hosted OAuth 2.1 auth server for MCP
AuthPlane is a self-hosted, AGPL-3.0 OAuth 2.1 and PKCE authorization server built specifically for the Model Context Protocol, distributed as a single Go binary.
AuthPlane provides a single, spec-compliant infrastructure piece that handles the full OAuth 2.1 authorization layer for MCP servers — including agent-to-agent delegation with auditable `act`-claim chains — which the project describes as the unsolved complexity that remains after building an MCP server itself.
AuthPlane is a self-hosted OAuth 2.1 authorization server purpose-built for the Model Context Protocol (MCP), distributed as a single Go binary under the AGPL-3.0 license. It implements the MCP Authorization spec (version dated 2025-11-25) end-to-end, providing spec-compliant access tokens for MCP servers written in any language, with support for discovery, scopes, audience binding, and refresh rotation in token formats compatible with existing resource servers.
The project addresses federation to existing identity providers — Google, Okta, Azure AD, Auth0, and any OIDC-compliant provider — with AuthPlane handling the OAuth layer while the operator retains access policy control. A notable feature is agent-to-agent delegation, where one agent can call another on a user's behalf, with every hop recorded as an `act`-claim chain in both the issued token and the audit log.
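How a resource server might consume such a delegated token, as an added example that is not AuthPlane's code. It assumes the `act` claim uses the nested layout of RFC 8693 and that the token signature was verified beforehand; `DelegationChain`, `maxHops`, and the sample claims are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"slices"
)

// Actor is one hop of an RFC 8693 "act" claim; a nested "act" is the prior actor.
type Actor struct {
	Sub string `json:"sub"`
	Act *Actor `json:"act"`
}
const maxHops = 8 // assumed local policy limit, not an AuthPlane value

// DelegationChain checks audience binding on verified claims; current actor comes first.
func DelegationChain(raw []byte, wantAud string) (string, []string, error) {
	var c struct {
		Actor
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", nil, err
	}
	var auds []string // "aud" is a single string or an array (RFC 7519)
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		auds = []string{one}
	} else if json.Unmarshal(c.Aud, &auds) != nil {
		return "", nil, errors.New("invalid_token: malformed aud")
	}
	if !slices.Contains(auds, wantAud) {
		return "", nil, errors.New("invalid_token: audience mismatch")
	}
	var chain []string
	for a := c.Act; a != nil; a = a.Act {
		if a.Sub == "" || len(chain) == maxHops {
			return "", nil, errors.New("invalid_token: bad act chain")
		}
		chain = append(chain, a.Sub)
	}
	return c.Sub, chain, nil
}

// Constructed sample: user alice; agent-b is the current actor, called by agent-a.
const sample = `{"sub":"alice","aud":"https://mcp.example/files","act":{"sub":"agent-b","act":{"sub":"agent-a"}}}`
func main() {
	fmt.Println(DelegationChain([]byte(sample), "https://mcp.example/files"))
}
```

Under RFC 8693, access decisions consider only the top-level claims and the current actor (the first element returned here); earlier actors in the chain are informational and belong in the audit record.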
The repository includes an `AGENTS.md` file specifically targeting AI coding agents, providing a deterministic workflow for integrating AuthPlane into an existing MCP server, SDK pins per stack, and three rules the project states account for over 90% of `invalid_token` failures. An `llms.txt` file following the llmstxt.org convention is also provided for agents operating from web documentation without a local clone.
Key facts
- AuthPlane is a self-hosted OAuth 2.1 and PKCE authorization server for the Model Context Protocol (MCP).
- Distributed as a single Go binary under the AGPL-3.0 license.
- Implements the MCP Authorization spec dated 2025-11-25, end-to-end.
- Supports federation to Google, Okta, Azure AD, Auth0, and any OIDC-compliant identity provider.
- Agent-to-agent delegation records every hop as an `act`-claim chain in the issued token and audit log.
- Includes an `AGENTS.md` with a deterministic workflow for AI coding agents, SDK pins, and rules the project claims address over 90% of `invalid_token` failures.
- An `llms.txt` file in the llmstxt.org convention is provided for agents operating without a local clone.
Summary and scoring are generated automatically from the original article. Last processed Jun 18, 2026 · 10:40 UTC.