feat: update MCP quickstart for On-Behalf-Of Token Exchange #1052

Closed
lrzhou25 wants to merge 4 commits into main from auth_for_mcp_ga_docs

@lrzhou25

Summary

Updates the "Call Your API on a User's Behalf" MCP quickstart to reflect the new On-Behalf-Of (OBO) Token Exchange implementation, replacing the previous Custom Token Exchange approach.

Changes

JavaScript Updates (based on auth0-samples PR #79)

  • Sample folder: fastmcp-mcp-customtokenexchange-js → fastmcp-mcp-on-behalf-of-tokenexchange-js
  • Terminology: "Custom Token Exchange" → "On-Behalf-Of Token Exchange"
  • Environment variables:
    • Removed MCP_AUTH0_SUBJECT_TOKEN_TYPE
    • Simplified MCP_AUTH0_EXCHANGE_SCOPE from "openid offline_access read:private" to "read:private"
    • Fixed API_BASE_URL trailing slash
  • Token exchange implementation:
    • Function: exchangeCustomToken() → exchangeTokenOnBehalfOf()
    • SDK method: getTokenByExchangeProfile() → getTokenOnBehalfOf()
    • ApiClient uses AUTH0_AUDIENCE instead of API_AUTH0_AUDIENCE
    • Removed subjectTokenType parameter

Python Updates (based on auth0-samples PR #81)

  • Sample folder: fastmcp-mcp-customtokenexchange-python → fastmcp-mcp-on-behalf-of-tokenexchange-python
  • Terminology: "Custom Token Exchange" → "On-Behalf-Of Token Exchange"
  • Token exchange implementation:
    • Function: exchange_custom_token() → exchange_token_on_behalf_of()
    • SDK method: get_token_by_exchange_profile() → get_token_on_behalf_of()
    • ApiClient uses AUTH0_AUDIENCE instead of API_AUTH0_AUDIENCE
    • Removed subject_token_type parameter

Additional Improvements

  • Added rate limit note for Auth0 for AI Agents add-on
  • Added client grant configuration instructions
  • Created OBO token exchange enablement component
  • Updated prerequisites with OBO-specific requirements

Files Changed

  • mcp/get-started/call-your-apis-on-users-behalf.mdx - Main quickstart page
  • snippets/mcp/get-started/call-your-apis/create-env-file.mdx - Environment setup
  • snippets/mcp/get-started/call-your-apis/exchange-access-token-js.mdx - JavaScript explanation
  • snippets/mcp/get-started/call-your-apis/exchange-access-token-python.mdx - Python explanation
  • snippets/mcp/get-started/pre-reqs/enable-obo-token-exchange.mdx - New OBO enablement component
  • snippets/mcp/get-started/pre-reqs/prerequisites.mdx - Updated prerequisites

Testing

  • Verify JavaScript quickstart instructions work with new sample code
  • Verify Python quickstart instructions work with new sample code
  • Verify all code snippets are accurate
  • Verify links to sample repos are correct
  • Test OBO token exchange flow end-to-end

🤖 Generated with Claude Code

lrzhou25 and others added 4 commits April 27, 2026 12:17
…n restructuring

Migrate internal links across English, French-Canadian (fr-ca), and Japanese (ja-jp) documentation from the old /confidential-and-public-applications/ path structure to the new flattened structure.

Updates include:
- Move first-party-and-third-party-applications to top-level applications directory
- Move user-consent-and-third-party-applications to third-party-applications subdirectory
- Move enable-third-party-applications to third-party-applications/configure-third-party-applications
- Consolidate view/update application ownership references to first-party applications

Files updated:
- 55+ documentation files across all three languages
- Updated links in markdown content, imports, and cross-references
- Preserved anchor links and URL fragments during migration
- Updated docs.json with new navigation structure

This commit prepares the documentation for the corresponding deletion of old documentation pages under /confidential-and-public-applications/.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…section

Add missing pages to French (fr-ca) and Japanese (ja-jp) navigation:
- first-party-and-third-party-applications
- Third-Party Applications group with all sub-pages
- application-access-to-apis-client-grants (fr-ca only)
- revoke-api-access

This ensures all three language versions have consistent navigation structure.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Create missing translation files to match English navigation structure:

French (fr-ca):
- first-party-and-third-party-applications.mdx
- third-party-applications.mdx + 5 sub-pages
- application-access-to-apis-client-grants.mdx
- revoke-api-access.mdx

Japanese (ja-jp):
- first-party-and-third-party-applications.mdx
- third-party-applications.mdx + 5 sub-pages
- revoke-api-access.mdx

Total: 17 new translation files

Note: These are copies of English content and will need proper translation
by the localization team.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Updates the "Call Your API on a User's Behalf" quickstart to reflect
the new On-Behalf-Of (OBO) Token Exchange implementation.

JavaScript changes (PR #79):
- Update sample folder: fastmcp-mcp-on-behalf-of-tokenexchange-js
- Replace Custom Token Exchange with On-Behalf-Of terminology
- Simplify environment variables (remove MCP_AUTH0_SUBJECT_TOKEN_TYPE)
- Update token exchange: exchangeTokenOnBehalfOf() using getTokenOnBehalfOf()
- Simplify MCP_AUTH0_EXCHANGE_SCOPE to "read:private"

Python changes (PR #81):
- Update sample folder: fastmcp-mcp-on-behalf-of-tokenexchange-python
- Replace Custom Token Exchange with On-Behalf-Of terminology
- Update token exchange: exchange_token_on_behalf_of() using get_token_on_behalf_of()

Additional improvements:
- Add rate limit note for Auth0 for AI Agents add-on
- Add client grant configuration instructions
- Add OBO token exchange enablement component
- Update prerequisites with OBO-specific requirements

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@lrzhou25 lrzhou25 requested review from a team as code owners April 27, 2026 21:30
@mintlify

mintlify Bot commented Apr 27, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0-genai 🟢 Ready View Preview Apr 27, 2026, 9:32 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@mintlify

mintlify Bot commented Apr 27, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0 🟢 Ready View Preview Apr 27, 2026, 9:38 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@github-actions

Summary

Status Count
🔍 Total 1015
✅ Successful 134
⏳ Timeouts 0
🔀 Redirected 24
👻 Excluded 844
❓ Unknown 0
🚫 Errors 13
⛔ Unsupported 0

Errors per input

Errors in main/docs/fr-ca/get-started/applications.mdx

Errors in main/docs/fr-ca/get-started/applications/application-grant-types.mdx

Errors in main/docs/fr-ca/get-started/applications/confidential-and-public-applications.mdx

Errors in main/docs/get-started/applications.mdx

Errors in main/docs/ja-jp/get-started/applications.mdx

Errors in main/docs/ja-jp/get-started/applications/application-grant-types.mdx

Errors in main/docs/ja-jp/get-started/applications/confidential-and-public-applications.mdx

Redirects per input

Redirects in auth4genai/mcp/get-started/call-your-apis-on-users-behalf.mdx

Redirects in main/docs/authenticate/login/oidc-conformant-authentication.mdx

Redirects in main/docs/fr-ca/get-started/applications/application-grant-types.mdx

Redirects in main/docs/fr-ca/get-started/applications/application-settings.mdx

Redirects in main/docs/fr-ca/get-started/applications/first-party-and-third-party-applications.mdx

Redirects in main/docs/fr-ca/libraries/auth0-single-page-app-sdk.mdx

Redirects in main/docs/fr-ca/libraries/auth0js.mdx

Redirects in main/docs/fr-ca/libraries/lock.mdx

Redirects in main/docs/fr-ca/secure/tokens/json-web-tokens/json-web-token-claims.mdx

Redirects in main/docs/fr-ca/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx

Redirects in main/docs/ja-jp/get-started/applications/application-settings.mdx

Redirects in main/docs/ja-jp/get-started/applications/first-party-and-third-party-applications.mdx

Redirects in main/docs/ja-jp/libraries/auth0-single-page-app-sdk.mdx

Redirects in main/docs/ja-jp/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx

Redirects in main/docs/libraries/auth0-single-page-app-sdk.mdx

Redirects in main/docs/libraries/auth0js.mdx

@lrzhou25

Closing this PR - created a clean version without unrelated changes from 3p_redirects branch. See new PR.
