Restructure backend auth docs for balanced pattern coverage

[jhrozek]

Description

The backend-auth.mdx page was heavily weighted toward token exchange while the embedded authorization server and static credentials got minimal coverage. Restructure so all three backend auth patterns get equal treatment with their own sections, diagrams, and guidance.

The restructuring also helps maintain the page separation: auth-framework.mdx focuses on client-to-MCP-server authentication, backend-auth.mdx focuses on MCP-server-to-backend authentication. The embedded authorization server spans both concerns, so each page covers its respective perspective.

Type of change

• Documentation update

Related issues/PRs

N/A this was just me reading the docs and getting confused

Screenshots

Submitter checklist

Content and formatting

• I have reviewed the content for technical accuracy
• I have reviewed the content for spelling, grammar, and style

Reviewer checklist

Content

• I have reviewed the content for technical accuracy
• I have reviewed the content for spelling, grammar, and style

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs-website	Ready	Preview, Comment	Mar 6, 2026 3:01pm

[Copilot]

Pull request overview

Restructures ToolHive’s backend authentication documentation to give equal coverage to three MCP-server-to-backend auth patterns, while keeping client-to-MCP-server authentication focused in auth-framework.mdx.

Changes:

• Reorganized backend-auth.mdx into three primary backend auth patterns (static credentials, token exchange, embedded authorization server) with expanded diagrams and guidance.
• Moved/condensed embedded authorization server details in auth-framework.mdx, linking to backend-auth.mdx for backend-token storage/forwarding specifics.
• Updated “choosing the right model” guidance into a scenario→pattern table and refreshed related links.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
docs/toolhive/concepts/backend-auth.mdx	Reframes page around three backend auth patterns and adds detailed embedded authorization server mechanics.
docs/toolhive/concepts/auth-framework.mdx	Tightens embedded authorization server explanation from the client perspective and cross-links to backend-auth for backend-facing details.

[Copilot]

The frontmatter description lists “token exchange, federated identity, and the embedded authorization server” but omits the “static credentials” pattern that the page now presents as one of the three backend auth patterns. Consider updating the description to reflect the three patterns consistently (static credentials, token exchange, embedded authorization server) so the summary matches the page content.

Suggested change

	ToolHive's backend authentication patterns, including token exchange,
	federated identity, and the embedded authorization server.
	ToolHive's backend authentication patterns, including static credentials,
	token exchange, and the embedded authorization server.

[jhrozek]

To my suprise, I agree with Copilot's suggestions and ended up taking them all

[danbarr]

Editorial review

The restructuring achieves its goal: all three patterns now get equal coverage with their own sections, diagrams, and guidance. The decision table and the new "Token storage and forwarding" section are clear improvements. A few issues to address before merge.

---

Primary issues

1. "Security and operational benefits" is now inaccurate

The first bullet says: "MCP servers receive short-lived, properly scoped access tokens instead of embedding long-lived secrets." But the page now documents static credentials as a first-class pattern—those are long-lived secrets. This is only accurate for the token-based patterns.

Suggest scoping the bullet explicitly, or replacing it with something like: "Token-based patterns provide short-lived, properly scoped credentials—see Choosing the right backend authentication model to select the most appropriate level of security for your scenario."

---

2. Terminology inconsistency: "model" vs "pattern"

The document uses "pattern" consistently throughout (intro, ## Backend authentication patterns, inline prose), but the decision-table section heading says "Choosing the right backend authentication model." Change to "pattern."

---

3. "Token exchange in depth" sub-headings don't parallel the overview

The overview uses:

• #### Same IdP with token exchange
• #### Federated IdPs with identity mapping

The in-depth section uses different names for the same sub-patterns:

• ### Token exchange implementation + ### Token transformation
• ### Federation flow

A reader who wants to dig deeper into "Same IdP with token exchange" won't find a matching heading. Suggest renaming the in-depth sub-sections to match, e.g. ### Same IdP: implementation details and ### Federated IdPs: implementation details. Also consider consolidating "Token exchange implementation" and "Token transformation"—they describe consecutive steps of the same flow, not two distinct topics.

---

Secondary issues

Issue	Location	Fix
RFC 8693 is hyperlinked twice within a few lines	"Token exchange" intro + "Same IdP with token exchange" subsection	Remove the link from the intro; the subsection link is sufficient
"they're designed this way" — ambiguous antecedent	auth-framework.mdx, first paragraph	Change to "it's designed this way" (antecedent is "framework")
Embedded auth server flowchart LR shows Proxy → ExtProvider for code exchange but no return arrow for the token response	backend-auth.mdx, flowchart under "### Embedded authorization server"	Add a return arrow from ExtProvider back to Proxy to show the exchange is bidirectional

---

Inline suggestions

backend-auth.mdx, "Token exchange" intro paragraph: "Because the trust relationship between services is pre-configured at the IdP, no consent screen or user interaction is required—the exchange is transparent to the end user." Suggest trimming to: "Because the trust relationship is pre-configured at the IdP, the exchange is transparent to the end user—no consent screen required."

auth-framework.mdx, cross-reference after the 5-step list: "For the complete flow including how upstream tokens are stored and delivered to MCP servers, see Embedded authorization server in the backend authentication documentation." The trailing phrase is redundant given the link. Suggest: "For the complete flow, including token storage and forwarding, see Embedded authorization server."

[jhrozek]

@danbarr thanks for the review and sorry for the offsite-induced delay. I pushed the fixes in a separate patch for easier re-review.

[danbarr]

One minor note and one question, but LGTM!

[danbarr]

This chart has a lot of lines connecting just a few nodes, so it's a bit unclear what the order of operations is without bouncing up and down between it and the list below. Numbering the connector labels might help this?

[jhrozek]

I changed it to a flow chart. Now this is different from the other diagams on this page, so maybe I should change them all to flow charts?

The reason I changed to a flow chart was that the text was rendering white-on-white for me with the usual labels for some reason..

[danbarr]

Mean to say you changed it to a sequence diagram? (it was a flowchart previously)

In any case, I think this style does work better for these ordered processes, thanks.

[danbarr]

BTW if you have a code snippet you can send me that was rendering wrong, I'll investigate if we have a CSS issue somewhere.

[danbarr]

Are we planning to address this? If so, worth linking to the GitHub issue (if there is one)?

[jhrozek]

ah yeah, we merged redis recently but don't have a good guide for it. I've linked to the CRD definitions as a stopgap and will work on the redis amend in parallel