lastmile-ai
diff --git a/‎docs/cloud/getting-started.mdx‎
Lines changed: 45 additions & 33 deletions b/‎docs/cloud/getting-started.mdx‎
Lines changed: 45 additions & 33 deletions
diff --git a/‎docs/deployment/authentication/deployment-auth.mdx‎
Lines changed: 89 additions & 14 deletions b/‎docs/deployment/authentication/deployment-auth.mdx‎
Lines changed: 89 additions & 14 deletions
diff --git a/‎docs/deployment/authentication/external-mcp-auth.mdx‎
Lines changed: 116 additions & 7 deletions b/‎docs/deployment/authentication/external-mcp-auth.mdx‎
Lines changed: 116 additions & 7 deletions
@@ -88,7 +88,7 @@ Before you begin, make sure you have:
     You'll see output like:
     ```
     App ID: app_abc123xyz
-    App URL: https://deployments.mcp-agent.com/servers/my-first-agent
+    App URL: https://<app_id>.deployments.mcp-agent.com
     App Status: ONLINE
     ```
   </Step>
@@ -219,7 +219,7 @@ Your agent is now available as an MCP server. Here's how to use it:
     First configure the agent (this handles authentication and user secrets):
 
     ```bash
-    mcp-agent cloud configure --id https://deployments.mcp-agent.com/servers/web-summarizer
+    mcp-agent cloud configure --id https://<app_id>.deployments.mcp-agent.com
     ```
 
     Then add to your Claude Desktop config (`~/.claude-desktop/config.json`):
@@ -232,7 +232,7 @@ Your agent is now available as an MCP server. Here's how to use it:
           "args": [
             "-y",
             "mcp-remote",
-            "https://deployments.mcp-agent.com/servers/web-summarizer/sse",
+            "https://<app_id>.deployments.mcp-agent.com/sse",
             "--header",
             "Authorization: Bearer <MCP_AGENT_API_KEY>"
           ]
@@ -245,39 +245,51 @@ Your agent is now available as an MCP server. Here's how to use it:
   </Tab>
 
   <Tab title="Python Client">
-    ```python
-    from mcp_agent.mcp.gen_client import gen_client
-    
-    async def use_cloud_agent():
-        # Connect to your cloud agent
-        async with gen_client("https://deployments.mcp-agent.com/servers/web-summarizer") as server:
-            # Run the workflow
-            result = await server.call_tool(
-                "workflows-WebSummarizerWorkflow-run",
-                arguments={
-                    "run_parameters": {
-                        "url": "https://www.anthropic.com/research/building-effective-agents"
-                    }
-                }
-            )
-            
-            # Get the run ID
-            run_id = result.content[0].text
-            
-            # Check status
-            status = await server.call_tool(
-                "workflows-get_status",
-                arguments={"run_id": run_id}
-            )
-            
-            print(f"Summary: {status.content[0].text}")
-    ```
+    1. Add the deployed server to your config:
+
+       ```yaml mcp_agent.config.yaml
+       mcp:
+         servers:
+           web_summarizer_cloud:
+             transport: sse
+             url: "https://<app_id>.deployments.mcp-agent.com/sse"
+             headers:
+               Authorization: "Bearer ${MCP_API_KEY}"
+       ```
+
+    2. Call the workflow via the shared registry:
+
+       ```python
+       import asyncio
+       from mcp_agent.config import get_settings
+       from mcp_agent.mcp.gen_client import gen_client
+
+       async def use_cloud_agent():
+           async with gen_client("web_summarizer_cloud", server_registry=registry) as server:
+               result = await server.call_tool(
+                   "workflows-WebSummarizerWorkflow-run",
+                   arguments={
+                       "run_parameters": {
+                           "url": "https://www.anthropic.com/research/building-effective-agents"
+                       }
+                   },
+               )
+
+               run_id = result.content[0].text
+               status = await server.call_tool(
+                   "workflows-get_status",
+                   arguments={"run_id": run_id},
+               )
+               print(f"Summary: {status.content[0].text}")
+
+       asyncio.run(use_cloud_agent())
+       ```
   </Tab>
 
   <Tab title="cURL">
     ```bash
     # Run workflow
-    curl -X POST https://deployments.mcp-agent.com/servers/web-summarizer/call_tool \
+    curl -X POST https://<app_id>.deployments.mcp-agent.com/call_tool \
       -H "Authorization: Bearer $MCP_AGENT_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
@@ -443,10 +455,10 @@ Help users connect to your deployed agent:
 
 ```bash
 # Configure access for a deployed agent (handles auth and secrets)
-mcp-agent cloud configure --id https://deployments.mcp-agent.com/servers/my-agent
+mcp-agent cloud configure --id https://<app_id>.deployments.mcp-agent.com
 
 # Show required parameters for configuration
-mcp-agent cloud configure --id https://deployments.mcp-agent.com/servers/my-agent --params
+mcp-agent cloud configure --id https://<app_id>.deployments.mcp-agent.com --params
 ```
 
 After configuration, users can connect with their MCP client using the server URL and appropriate transport (SSE or streamable HTTP).
 
@@ -1,27 +1,102 @@
 ---
 title: Deployment Auth
 sidebarTitle: "Deployment Auth"
-description: "Configure authentication for deployed agents (--no-auth, bearer token, OAuth)"
+description: "Configure authentication for deployed MCP servers"
 icon: key
 ---
 
-<Info>
-Content on --no-auth flag, bearer token authentication, and OAuth for deployments.
-</Info>
+Every deployment needs an explicit stance on who can call its tools. This page covers the options supported today and what’s coming next.
 
-## Deployment Authentication Options
+## 1. Bearer token authentication (default)
 
-- **--no-auth** - Deploy without authentication (development only)
-- **Bearer Token** - Simple token-based authentication
-- **OAuth** - Full OAuth 2.1 authentication flows
+- Each user runs `mcp-agent login` to obtain an API key (`lm_mcp_api_*`).
+- Keys are stored locally (`~/.config/mcp-agent/credentials.json`) and can also be provided via the `MCP_API_KEY` environment variable (CI, containers).
+- Clients include the key in the `Authorization: Bearer <token>` header.
+- Deployments validate the token before executing requests.
+
+### Share instructions with users
+
+```
+1. Install mcp-agent (uv tool install mcp-agent)
+2. Run mcp-agent login and follow the browser prompts
+3. Configure the client (mcp-agent install ... --client claude_desktop)
+```
+
+### Rotate or revoke
+
+- Re-run `mcp-agent login` to issue a new key (old keys will stop working).
+- Delete the key file to force re-authentication.
+- Per-user revocation UI is on the roadmap; in the interim contact support if a key is compromised.
+
+### CLI recap
 
 ```bash
-# Deploy with OAuth
-mcp-agent deploy my-agent --auth oauth
+mcp-agent login                # browser flow
+mcp-agent cloud auth whoami    # confirm identity
+mcp-agent install <url> --client cursor  # writes config with Authorization header
+```
+
+## 2. Unauthenticated access (`--no-auth`)
 
-# Deploy with bearer token
-mcp-agent deploy my-agent --auth bearer
+Use this mode for public servers, demos, or ChatGPT Apps (which cannot provide custom headers).
 
-# Deploy without auth (not recommended)
-mcp-agent deploy my-agent --no-auth
+```bash
+mcp-agent deploy blog-tools --no-auth
 ```
+
+- Anyone with the server URL can call it.
+- Logs still capture caller metadata (IP, user agent) for monitoring.
+- You can re-enable auth later:
+
+  ```bash
+  mcp-agent deploy blog-tools --auth
+  ```
+
+  (`--auth` toggles `unauthenticatedAccess` back to false.)
+
+> For apps deployed without auth, consider rate limiting or requiring custom user-provided secrets to avoid abuse.
+
+## 3. OAuth 2.1 (coming soon, preview)
+
+The upcoming release implements the MCP OAuth specification across three surfaces:
+
+1. **Authorization server** (control plane)  
+   - Metadata endpoint: `/.well-known/oauth-authorization-server`  
+   - Supports Google + GitHub providers initially  
+   - Issues access & refresh tokens
+2. **Resource server** (your deployment)  
+   - Implements `/.well-known/oauth-protected-resource` (RFC 9728)  
+   - Validates JWTs or proxies to token introspection  
+   - Allows per-scope access control (e.g., `read`, `write`, `admin`)
+3. **Client tooling**  
+   - `mcp-agent install` and `mcp-agent cloud configure` will drive the auth flow for supported clients (browser-based loopback or device code).
+
+Keep an eye on release notes for timelines. The migration will be additive—existing bearer-token flows continue to work.
+
+## 4. Combining with secrets management
+
+- Store long-lived service credentials in `mcp_agent.secrets.yaml` as deployment secrets; the runtime injects them securely.
+- Ask end-users for their own credentials via `mcp-agent cloud configure` (user secrets). You can enforce domain restrictions or other policies in code when processing those secrets.
+
+## 5. Security best practices
+
+<AccordionGroup>
+  <Accordion title="Least privilege">
+    Only expose tools/resources that need to be public. For internal deployments, keep `--auth` enabled and share API keys via secure channels.
+  </Accordion>
+  <Accordion title="Audit logs">
+    The platform records every API call (user, timestamp, tool, outcome). A user-facing audit surface is planned—ask the team if you need access before it ships.
+  </Accordion>
+  <Accordion title="Secret rotation">
+    Rotate provider API keys regularly. Redeploy with updated secrets; the CLI invalidates old handles automatically.
+  </Accordion>
+  <Accordion title="Client distribution">
+    Provide install scripts (`mcp-agent install`) rather than asking users to edit config files manually. This reduces the risk of misconfigured auth headers.
+  </Accordion>
+</AccordionGroup>
+
+## References
+
+- [Authentication overview →](/deployment/authentication/overview)
+- [External MCP server auth (downstream credentials) →](/deployment/authentication/external-mcp-auth)
+- [Secrets management →](/deployment/mcp-agent-cloud/manage-secrets)
@@ -1,16 +1,125 @@
 ---
 title: External MCP Auth
 sidebarTitle: "External MCP Auth"
-description: "Authentication for external MCP servers"
+description: "Configure your agent to authenticate when calling downstream MCP servers"
 icon: link
 ---
 
-<Info>
-Link to MCP Server Authentication section.
-</Info>
+Many agents call other MCP servers (e.g., Linear, GitHub, Slack). Each downstream server may require API keys or OAuth credentials. Use `mcp_agent.config.yaml` to specify how your agent should authenticate when acting as an MCP client.
 
-## External MCP Server Authentication
+## API key (static) authentication
 
-When your agents connect to external MCP servers that require authentication, configure auth in your application.
+```yaml mcp_agent.config.yaml
+mcp:
+  servers:
+    github:
+      command: "uvx"
+      args: ["mcp-server-github"]
+      auth:
+        api_key: "${GITHUB_TOKEN}"    # injected from secrets
+```
 
-[See MCP Server Authentication →](/mcp-agent-sdk/mcp/server-authentication)
+- Store the actual token in `mcp_agent.secrets.yaml` (deployment secret) or `mcp_agent.configured.secrets.yaml` (user secret).
+- At runtime, `ServerRegistry` injects the `Authorization` header when connecting to the MCP server.
+- Supports any header name via `auth.headers` if the server expects a custom format.
+
+## OAuth client credentials / authorization code
+
+For MCP servers that implement OAuth (Linear, Notion, custom internal IdPs), configure the `oauth` block:
+
+```yaml
+mcp:
+  servers:
+    notion:
+      command: "uvx"
+      args: ["mcp-server-notion"]
+      auth:
+        oauth:
+          enabled: true
+          authorization_server: "https://auth.notion.com"
+          client_id: "${NOTION_CLIENT_ID}"
+          client_secret: "${NOTION_CLIENT_SECRET}"
+          scopes: ["documents.read", "documents.write"]
+          resource: "https://mcp.notion.com"
+          redirect_uri_options:
+            - "http://127.0.0.1:33418/callback"
+            - "https://<app_id>.deployments.mcp-agent.com/oauth/callback"
+```
+
+How it works:
+
+1. When the agent first needs the server, the OAuth manager checks the token store.
+2. If no token exists, it launches an authorization flow (internal callback inside the deployment or local loopback while running locally).
+3. Access + refresh tokens are stored in the configured token store (memory or Redis).
+4. Tokens are refreshed automatically before expiry (`refresh_leeway_seconds`).
+
+### Token store configuration
+
+```yaml
+oauth:
+  token_store:
+    backend: "redis"
+    redis_url: "${REDIS_URL}"
+    redis_prefix: "mcp_agent:oauth_tokens"
+```
+
+- `memory` (default) – in-memory, process-scoped. Great for development but not shared across workers.
+- `redis` – recommended for cloud deployments if your app uses multiple processes or needs persistence across restarts.
+
+## Seeding tokens manually
+
+If you already have an access token:
+
+```yaml
+mcp:
+  servers:
+    linear:
+      auth:
+        oauth:
+          enabled: true
+          access_token: "${LINEAR_ACCESS_TOKEN}"
+          refresh_token: "${LINEAR_REFRESH_TOKEN}"
+          expires_at: 1740694445
+```
+
+This bypasses the interactive flow; the token manager will refresh using the provided refresh token when needed.
+
+## Request-time headers
+
+For bespoke auth schemes, you can specify arbitrary headers or environment variables:
+
+```yaml
+mcp:
+  servers:
+    internal_search:
+      command: "./bin/internal-search"
+      env:
+        SEARCH_API_KEY: "${SEARCH_API_KEY}"
+      auth:
+        headers:
+          X-Org: "lastmile"
+          Authorization: "Bearer ${SEARCH_API_KEY}"
+```
+
+## Best practices
+
+<AccordionGroup>
+  <Accordion title="Keep secrets out of code">
+    Always reference `${ENV_VAR}` placeholders in config and store the actual values in secrets files. Never hardcode tokens in Python modules.
+  </Accordion>
+  <Accordion title="Differentiate developer vs user secrets">
+    If every user needs their own credential (e.g., personal GitHub PAT), mark it as `!user_secret` so `mcp-agent cloud configure` collects it when they onboard the app.
+  </Accordion>
+  <Accordion title="Token sharing">
+    For OAuth-protected upstream servers you probably want a shared token cache (Redis) to avoid re-authorizing for every workflow run.
+  </Accordion>
+  <Accordion title="Handle scope failures">
+    Downstream servers may reject requests if scopes are missing. Log the response body and expose a clear error so users know to re-run the configure flow.
+  </Accordion>
+</AccordionGroup>
+
+## Related docs
+
+- [Secrets management →](/deployment/mcp-agent-cloud/manage-secrets)
+- [Authentication overview →](/deployment/authentication/overview)
+- [MCP server configuration reference →](/reference/configuration#mcp-servers)