Description
Document the new authServerRef field on MCPServer and MCPRemoteProxy resources in the docs-website, including the combined embedded auth server + outgoing auth configuration pattern and updated YAML examples. This enables users to understand and adopt the preferred approach for configuring the embedded authorization server alongside outgoing auth types like AWS STS.
Context
RFC-0050 adds an authServerRef field to MCPServerSpec and MCPRemoteProxySpec that separates the embedded authorization server (incoming auth) from externalAuthConfigRef (outgoing auth). This allows the embedded auth server to be configured alongside any outgoing auth type on the same resource. The docs-website currently documents the embedded auth server only via externalAuthConfigRef and does not cover the combined auth pattern. See RFC-0050 for full design details.
Dependencies: Depends on ITEM-003 (CRD types, controller logic, and unit tests) being merged first so that the new field exists in the released operator.
Blocks: None
Acceptance Criteria
Technical Approach
Recommended Implementation
Update the existing documentation pages to incorporate the new authServerRef field. The primary changes are:
-
docs/toolhive/guides-k8s/auth-k8s.mdx: Update the "Set up embedded authorization server authentication" section (Approach 5). Change Step 5 to show authServerRef as the preferred configuration path. Add a note that externalAuthConfigRef with type: embeddedAuthServer still works for backward compatibility. Update the YAML example for the MCPServer to use authServerRef instead of externalAuthConfigRef.
-
docs/toolhive/integrations/aws-sts.mdx: Add a new section (or extend Step 4) showing how to combine the embedded auth server with AWS STS on an MCPRemoteProxy. This is the primary use case motivating RFC-0050. Include a complete YAML example with both authServerRef and externalAuthConfigRef on the same resource.
-
docs/toolhive/concepts/embedded-auth-server.mdx: Add a brief section explaining that authServerRef is the preferred field for configuring the embedded auth server on MCPServer and MCPRemoteProxy resources, and that it can be used alongside externalAuthConfigRef for outgoing auth types. Update the MCPServer vs. VirtualMCPServer table to mention authServerRef.
-
docs/toolhive/concepts/backend-auth.mdx: In the "Built-in AWS STS support" subsection or nearby, mention that the embedded auth server can now be combined with AWS STS (or any outgoing auth type) on the same resource using authServerRef.
Patterns & Frameworks
- Follow the Docusaurus conventions documented in the docs-website CLAUDE.md (front matter, admonitions, code block titles, line highlights)
- Follow the docs-website writing style guide: US English, sentence case headings, active voice, second person ("you"), Oxford comma
- Use
:::info, :::note, or :::tip admonitions for backward compatibility notes and recommendations
- Use code block titles (e.g.,
title="mcp-server-auth-server-ref.yaml") and line highlights for new fields
Code Pointers
docs/toolhive/guides-k8s/auth-k8s.mdx - Primary Kubernetes auth guide; "Set up embedded authorization server authentication" section (around line 455) needs authServerRef updates and new YAML examplesdocs/toolhive/integrations/aws-sts.mdx - AWS STS tutorial; Step 4 "Deploy the MCPRemoteProxy" section needs a combined auth example showing authServerRef + externalAuthConfigRefdocs/toolhive/concepts/embedded-auth-server.mdx - Concept page; "MCPServer vs. VirtualMCPServer" section and intro need authServerRef mentiondocs/toolhive/concepts/backend-auth.mdx - Backend auth concepts; "Built-in AWS STS support" section needs combined pattern referencedocs/toolhive/reference/crd-spec.md - Auto-generated CRD reference; will be updated by task crdref-gen in the toolhive repo (no manual edits needed here)
Component Interfaces
The new authServerRef field uses Kubernetes TypedLocalObjectReference:
# New preferred syntax for embedded auth server on MCPServer
spec:
authServerRef:
kind: MCPExternalAuthConfig
name: my-embedded-auth-server
# Combined auth on MCPRemoteProxy (primary use case)
spec:
authServerRef:
kind: MCPExternalAuthConfig
name: my-embedded-auth-server
externalAuthConfigRef:
name: my-aws-sts-configTesting Strategy
Manual Tests
Edge Cases
Out of Scope
- Changes to the auto-generated CRD reference (
docs/toolhive/reference/crd-spec.md) -- this is regenerated from the toolhive repo
- Documentation for VirtualMCPServer
authServerRef (vMCP uses inline authServerConfig, not authServerRef)
- Deprecation notices for
externalAuthConfigRef with type: embeddedAuthServer -- the RFC explicitly does not deprecate the old path
References
Description
Document the new
authServerReffield onMCPServerandMCPRemoteProxyresources in the docs-website, including the combined embedded auth server + outgoing auth configuration pattern and updated YAML examples. This enables users to understand and adopt the preferred approach for configuring the embedded authorization server alongside outgoing auth types like AWS STS.Context
RFC-0050 adds an
authServerReffield toMCPServerSpecandMCPRemoteProxySpecthat separates the embedded authorization server (incoming auth) fromexternalAuthConfigRef(outgoing auth). This allows the embedded auth server to be configured alongside any outgoing auth type on the same resource. The docs-website currently documents the embedded auth server only viaexternalAuthConfigRefand does not cover the combined auth pattern. See RFC-0050 for full design details.Dependencies: Depends on ITEM-003 (CRD types, controller logic, and unit tests) being merged first so that the new field exists in the released operator.
Blocks: None
Acceptance Criteria
docs/toolhive/guides-k8s/auth-k8s.mdx) documentsauthServerRefas the preferred way to configure the embedded authorization server, with updated YAML examples using the new fielddocs/toolhive/concepts/embedded-auth-server.mdx) mentions theauthServerReffield and its relationship toexternalAuthConfigRefdocs/toolhive/integrations/aws-sts.mdx) includes an example or section showing how to combine the embedded auth server (authServerRef) with AWS STS (externalAuthConfigRef) on anMCPRemoteProxydocs/toolhive/concepts/backend-auth.mdx) references the combined auth pattern where the embedded auth server handles incoming auth and a separate outgoing auth type (e.g., AWS STS) handles backend credentialsauthServerReffield syntax (kind: MCPExternalAuthConfig,name: <config-name>) and show both MCPServer and MCPRemoteProxy usageexternalAuthConfigRefwithtype: embeddedAuthServercontinues to worknpm run buildwithout errorsTechnical Approach
Recommended Implementation
Update the existing documentation pages to incorporate the new
authServerReffield. The primary changes are:docs/toolhive/guides-k8s/auth-k8s.mdx: Update the "Set up embedded authorization server authentication" section (Approach 5). Change Step 5 to showauthServerRefas the preferred configuration path. Add a note thatexternalAuthConfigRefwithtype: embeddedAuthServerstill works for backward compatibility. Update the YAML example for the MCPServer to useauthServerRefinstead ofexternalAuthConfigRef.docs/toolhive/integrations/aws-sts.mdx: Add a new section (or extend Step 4) showing how to combine the embedded auth server with AWS STS on an MCPRemoteProxy. This is the primary use case motivating RFC-0050. Include a complete YAML example with bothauthServerRefandexternalAuthConfigRefon the same resource.docs/toolhive/concepts/embedded-auth-server.mdx: Add a brief section explaining thatauthServerRefis the preferred field for configuring the embedded auth server on MCPServer and MCPRemoteProxy resources, and that it can be used alongsideexternalAuthConfigReffor outgoing auth types. Update the MCPServer vs. VirtualMCPServer table to mentionauthServerRef.docs/toolhive/concepts/backend-auth.mdx: In the "Built-in AWS STS support" subsection or nearby, mention that the embedded auth server can now be combined with AWS STS (or any outgoing auth type) on the same resource usingauthServerRef.Patterns & Frameworks
:::info,:::note, or:::tipadmonitions for backward compatibility notes and recommendationstitle="mcp-server-auth-server-ref.yaml") and line highlights for new fieldsCode Pointers
docs/toolhive/guides-k8s/auth-k8s.mdx- Primary Kubernetes auth guide; "Set up embedded authorization server authentication" section (around line 455) needsauthServerRefupdates and new YAML examplesdocs/toolhive/integrations/aws-sts.mdx- AWS STS tutorial; Step 4 "Deploy the MCPRemoteProxy" section needs a combined auth example showingauthServerRef+externalAuthConfigRefdocs/toolhive/concepts/embedded-auth-server.mdx- Concept page; "MCPServer vs. VirtualMCPServer" section and intro needauthServerRefmentiondocs/toolhive/concepts/backend-auth.mdx- Backend auth concepts; "Built-in AWS STS support" section needs combined pattern referencedocs/toolhive/reference/crd-spec.md- Auto-generated CRD reference; will be updated bytask crdref-genin the toolhive repo (no manual edits needed here)Component Interfaces
The new
authServerReffield uses KubernetesTypedLocalObjectReference:Testing Strategy
Manual Tests
npm run buildto verify all pages build without errorsnpm run startand visually inspect each updated pageEdge Cases
authServerRefreferencesOut of Scope
docs/toolhive/reference/crd-spec.md) -- this is regenerated from the toolhive repoauthServerRef(vMCP uses inlineauthServerConfig, notauthServerRef)externalAuthConfigRefwithtype: embeddedAuthServer-- the RFC explicitly does not deprecate the old pathReferences