Runnable proofs that adding Authplane auth to your MCP server is a handful of extra lines — every line CI-counted and verified.
The numbers are the auth-specific lines inside // authplane:begin /
// authplane:end markers in each example's main source file
(server.py / server.ts / main.go), excluding imports — measured
by tools/loccount and CI-enforced against the per-tier budget.
| Tier | What it shows | Go | TypeScript | Python |
|---|---|---|---|---|
| 01 basic server | MCP server protected by JWT, single tool, client_credentials token |
5 lines | 5 lines | 5 lines |
| 02 calling another resource | The same MCP server mints a token via the SDK to call a second protected resource | 5 lines | 5 lines | 8 lines |
| 03 DPoP + per-tool scopes | RFC 9449 sender-constrained tokens, per-tool scope enforcement | 15 lines | 15 lines | 15 lines |
| 04 MCP server fronting a Broker | RFC 8693 token exchange against an upstream provider (GitHub), ConsentRequiredError handling |
19 lines | 21 lines | 26 lines |
A separate before/after pair, not part of the tier ladder. Same three
tools in two versions (before/ unauthed, after/ with the 5-line
auth block applied). make verify brings up both side-by-side and
proves the same tools/call returns 200 to one and 401 to the other.
Go · TypeScript · Python
cd examples/<lang>/<tier>/
cp .env.example .env
make run # bring up authserver + the example
make verify # registers resource/client/policy, mints token, calls the tool
make clean # tear downEvery example defaults to authplane/authserver:latest. To
run against a locally-built image, follow the LOCAL BUILD ESCAPE HATCH
block inside _shared/docker-compose.authserver.yml.
- docs/start/ — guided tutorials wrapping these examples
- docs/concepts/ — vocabulary + mental model
- docs/reference/ — generated CLI + HTTP API reference