docs(mcp,a2a): code-verified auth reference fixes + overview page#156
Open
michelligabriele wants to merge 5 commits into
Open
docs(mcp,a2a): code-verified auth reference fixes + overview page#156michelligabriele wants to merge 5 commits into
michelligabriele wants to merge 5 commits into
Conversation
…ersection model, hub-vs-public-internet distinction
…t propagation, agent access groups and full intersection model
…en anchor from a2a.md, documents dual JWT/SigV4 auth modes and full credential chain
…rent LiteLLM source
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A pass over the MCP and A2A gateway auth documentation, verified field-by-field against the current LiteLLM source. Closes several gaps in the dedicated pages, fixes a broken link to a missing
#litellm-a2a-gatewayanchor on the Bedrock AgentCore page, and adds a single newauth_overview.mdpage that side-by-sides MCP and A2A authn/authz so readers comparing the two surfaces don't have to stitch together four pages mentally.Every config field, header name, default value, and error code in these changes was checked against the codebase before landing.
Changes
docs/mcp.mdauth_typetable from 5 to 9 values (none,oauth2,oauth2_token_exchange,tokenwere missing); cross-linked the OAuth and OBO pages.Authorization: ApiKey <value>instead ofX-API-Keyforauth_type: api_key.docs/mcp_oauth.mdoauth2_flow,authorization_url,registration_url,token_validation,token_storage_ttl_seconds(all present in examples elsewhere but never enumerated in the reference table).docs/mcp_control.md## Permission Hierarchysection documenting the 5-level intersection (Key → Team → End-user → Agent → Org-as-ceiling) with a mermaid flowchart.## Per-entity Tool-Level Permissionssection documentingobject_permission.mcp_tool_permissions(per-key/team/agent dict, distinct from server-registrationallowed_tools/disallowed_tools).docs/mcp_public_internet.mdavailable_on_public_internet(the IP-based filter, defaults toTrue) is independent oflitellm.public_mcp_servers+litellm.public_mcp_hub_strict_whitelist(theGET /public/mcp_hubadvertisement). Two mechanisms that are easy to conflate.docs/a2a.mdx-litellm-api-keyas the preferred header when the inboundAuthorizationcarries a backend-bound token.require_trace_id_on_calls_to_agent(returns 400, not 403) and its_by_agentsibling; sub-agent identity propagation — onlyX-LiteLLM-Trace-IdandX-LiteLLM-Agent-Idare forwarded downstream, not the caller's virtual key or end-user-id.docs/a2a_agent_permissions.md## Agent Access Groupssection documentingobject_permission.agent_access_groupson a key/team (the field is exposed onLiteLLM_ObjectPermissionBase). Notes that tagging an agent with access groups is a dashboard-only operation today —POST /v1/agentsdoes not exposeagent_access_groupsas a top-level field.docs/providers/bedrock_agentcore.md## LiteLLM A2A Gatewaysection (fixes the broken#litellm-a2a-gatewayanchor thatdocs/a2a.mdlinked to). Covers registration, dual outbound auth modes (Bearer/JWT short-circuit whenlitellm_params.api_keyis set, SigV4 viabase_aws_llm.get_credentialsotherwise), the full 6-entry-point credential chain with EKS-relevant fields (aws_external_id,aws_web_identity_token,aws_profile_name,aws_sts_endpoint), and IRSA on EKS.docs/auth_overview.md(new) +sidebars.jsauth_typeenum vs A2A's inferred-from-litellm_paramsmode), per-user passthrough conventions (MCP's first-dash-split vs A2A's exact-prefix-match), RBAC (MCP is 5-level, A2A is 2-level today), trace IDs + identity propagation, guardrails, and a copy-paste header cheatsheet. Mostly cross-links into the now-corrected dedicated pages.sidebars.js: addsauth_overviewas the first item in the "Agent & MCP Gateway" category.Test plan
npm run buildsucceeds (verifies all internal cross-links resolve)npm run startand visually skim the new/docs/auth_overviewpage + each modified pagebedrock_agentcore#litellm-a2a-gatewayanchor renders and resolves fromdocs/a2a.mdmcp_control.mdanda2a_agent_permissions.mdNotes for reviewer
A code-review pass surfaced several errors in an earlier draft of this PR — most notably an inverted default for `available_on_public_internet` and an over-extrapolated 4-level A2A intersection model. Both were corrected in the final commit (`792edfd1`) before pushing. The commit message names it as a "fixup from code-review pass" so the history reflects the verification step.
One known open item that did NOT make this PR: `agent_access_groups` as a top-level field on `POST /v1/agents` — the field exists at the Prisma layer but is not exposed on `AgentConfig`. The docs note this and direct readers to the dashboard. Adding it to the Pydantic schema (and verifying end-to-end) is a separate code change.
(Supersedes the closed PR #155; commits rebased to attribute correctly.)