What needs documentation?
docs/toolhive/guides-k8s/embedded-auth-server-k8s.mdx documents oauth2Config upstream providers with only static clientId/clientSecretRef provisioning (see the GitHub example under "Using an OAuth 2.0 upstream provider"). It doesn't mention dcrConfig, which lets the embedded auth server register itself with the upstream automatically via RFC 7591 Dynamic Client Registration instead of requiring a pre-provisioned client ID/secret. Today dcrConfig is documented only in the CRD reference schema (mcpexternalauthconfig reference), not in this hands-on guide.
Worth covering:
dcrConfig.discoveryUrl (RFC 8414 discovery) vs dcrConfig.registrationEndpoint (direct, bypassing discovery)
- It's mutually exclusive with
clientId/clientSecretRef
authorizationEndpoint and tokenEndpoint are still required on oauth2Config even when using dcrConfig (CRD-level requirement, easy to miss)
- Optional fields:
initialAccessTokenRef, softwareId, softwareStatement
- Operational note for the "Configure session storage" section: DCR-issued credentials are cached in the same store as sessions, so without Redis-backed storage, a pod restart re-registers a new client with the upstream instead of reusing the old one, orphaning the previous registration
Context and references
Use case
Upstream OAuth2 providers that only support DCR (no dashboard app registration), like Notion's remote MCP server, have no guidance in the primary embedded-auth-server how-to guide. Readers have to already know dcrConfig exists to find it in the CRD reference.
Additional context
None
What needs documentation?
docs/toolhive/guides-k8s/embedded-auth-server-k8s.mdxdocumentsoauth2Configupstream providers with only staticclientId/clientSecretRefprovisioning (see the GitHub example under "Using an OAuth 2.0 upstream provider"). It doesn't mentiondcrConfig, which lets the embedded auth server register itself with the upstream automatically via RFC 7591 Dynamic Client Registration instead of requiring a pre-provisioned client ID/secret. TodaydcrConfigis documented only in the CRD reference schema (mcpexternalauthconfigreference), not in this hands-on guide.Worth covering:
dcrConfig.discoveryUrl(RFC 8414 discovery) vsdcrConfig.registrationEndpoint(direct, bypassing discovery)clientId/clientSecretRefauthorizationEndpointandtokenEndpointare still required onoauth2Configeven when usingdcrConfig(CRD-level requirement, easy to miss)initialAccessTokenRef,softwareId,softwareStatementContext and references
docs/toolhive/guides-mcp/notion-remote.mdx(Kubernetes tab), validated end-to-end against a real cluster and Notion's live DCR endpointUse case
Upstream OAuth2 providers that only support DCR (no dashboard app registration), like Notion's remote MCP server, have no guidance in the primary embedded-auth-server how-to guide. Readers have to already know
dcrConfigexists to find it in the CRD reference.Additional context
None