Skip to content

Document the CLI and k8s token exchange setup in guides #306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Document the CLI and k8s token exchange setup in guides #306

wants to merge 2 commits into from

Conversation

@jhrozek
Copy link
Contributor

@jhrozek jhrozek commented Nov 20, 2025

Description

In addition to the concept guide about back end auth, adds a CLI and a k8s guide. Because a fair amount of config is on the IDP side which is inherently IDP-specific, I kept the guides quite generic.

Related issues/PRs

#240

Screenshots

N/A

Merge checklist

Content

  • New pages include a frontmatter section with title and description at a minimum
  • Sidebar navigation (sidebars.ts) updated for added, deleted, reordered, or renamed files
  • [N/A] Redirects added to vercel.json for moved, renamed, or deleted pages (i.e., if the URL slug changed)

Reviews

  • Content has been reviewed for technical accuracy
  • Content has been reviewed for spelling, grammar, and style

@jhrozek
Add token exchange guide for backend authentication
826520c 
Document how to configure RFC 8693 token exchange so MCP servers can
authenticate to backend APIs using short-lived tokens instead of embedded
secrets. Includes IdP configuration steps, CLI parameters, and an Okta
example with annotated key points.

Fixes: #240
Copilot AI review requested due to automatic review settings November 20, 2025 13:34
@vercel
Copy link

vercel bot commented Nov 20, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
docs-website Ready Ready Preview Comment Nov 20, 2025 2:16pm

Copilot finished reviewing on behalf of jhrozek November 20, 2025 13:38
Copilot AI reviewed Nov 20, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds comprehensive documentation for configuring token exchange to enable backend authentication in ToolHive. Token exchange allows MCP servers to obtain short-lived, properly scoped tokens for authenticating to backend services, replacing the need for embedded secrets.

  • Adds two new guides: one for CLI-based token exchange setup and one for Kubernetes deployments
  • Updates sidebar navigation to include the new token exchange guides in appropriate sections
  • Provides detailed configuration steps, examples, and troubleshooting guidance for both deployment models

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
sidebars.ts Adds token exchange guide entries to both CLI and Kubernetes sections of the navigation
docs/toolhive/guides-cli/token-exchange.mdx New guide documenting CLI-based token exchange configuration with IdP setup steps and examples
docs/toolhive/guides-k8s/token-exchange-k8s.mdx New guide documenting Kubernetes-based token exchange using CRDs with complete YAML examples

@jhrozek
Add Kubernetes token exchange guide
bb948fc 
Document how to configure RFC 8693 token exchange for MCP servers in
Kubernetes using the ToolHive Operator. Covers MCPExternalAuthConfig
resource creation, Secret management, and MCPServer configuration with
an Okta example.

Fixes: #240
@jhrozek jhrozek requested a review from Copilot November 20, 2025 14:30
Copilot finished reviewing on behalf of jhrozek November 20, 2025 14:31
Copilot AI reviewed Nov 20, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

danbarr
danbarr reviewed Nov 20, 2025
View reviewed changes
Copy link
Collaborator

@danbarr danbarr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These look really good. I noted a few questions and optional suggestions.

docs/toolhive/guides-k8s/token-exchange-k8s.mdx
Comment on lines +228 to +229
oidcConfig:
type: inline
Copy link
Collaborator

@danbarr danbarr Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the resourceUrl needed here too, to override the internal service URL with whatever the client-facing URL will be (if it's being exposed outside the cluster)?

docs/toolhive/guides-k8s/token-exchange-k8s.mdx
kubectl get mcpserver -n toolhive-system my-mcp-server
```

2. Connect to the MCP server with a client that supports authentication
Copy link
Collaborator

@danbarr danbarr Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a step before this, to (optionally) expose the Service outside the cluster?

Also, it might be nice to have slightly more detail here - will the client need any info like the id/secret? Maybe a quick note on how to wire it up using the ToolHive UI or CLI? (I plan to add a general "Connecting clients" guide, but anything specific to this particular config would help here)

docs/toolhive/guides-cli/token-exchange.mdx

To confirm token exchange is working:

1. Connect to the MCP server with a client that supports authentication
Copy link
Collaborator

@danbarr danbarr Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since thv run is used in this case, I guess any clients configured using thv client setup should already be configured?

docs/toolhive/guides-cli/token-exchange.mdx
Comment on lines +102 to +103
The MCP server that ToolHive fronts must accept a per-request authentication
token. Specifically, the server should:
Copy link
Collaborator

@danbarr danbarr Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any examples we can name? MCP Toolbox for Databases?

docs/toolhive/guides-cli/token-exchange.mdx
--token-exchange-client-secret-file /path/to/client-secret \
--token-exchange-audience backend-api \
--token-exchange-scopes "api:read,api:write" \
<server-name>
Copy link
Collaborator

@danbarr danbarr Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<server-name>
<SERVER_NAME_OR_IMAGE>

docs/toolhive/guides-cli/token-exchange.mdx
--token-exchange-client-secret <TOOLHIVE_CLIENT_SECRET> \
--token-exchange-audience <BACKEND_AUDIENCE> \
--token-exchange-scopes <BACKEND_SCOPES> \
<server-name>
Copy link
Collaborator

@danbarr danbarr Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<server-name>
<SERVER_NAME_OR_IMAGE>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danbarr danbarr danbarr left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jhrozek @danbarr