Skip to content

docs(mcp,a2a): code-verified auth reference fixes + overview page#156

Merged
mubashir1osmani merged 5 commits into
BerriAI:mubashir/validate-changesfrom
michelligabriele:litellm_docs_authn_authz_reference
May 20, 2026
Merged

docs(mcp,a2a): code-verified auth reference fixes + overview page#156
mubashir1osmani merged 5 commits into
BerriAI:mubashir/validate-changesfrom
michelligabriele:litellm_docs_authn_authz_reference

Conversation

@michelligabriele

@michelligabriele michelligabriele commented May 18, 2026

Copy link
Copy Markdown
Contributor

Summary

A pass over the MCP and A2A gateway auth documentation, verified field-by-field against the current LiteLLM source. Closes several gaps in the dedicated pages, fixes a broken link to a missing #litellm-a2a-gateway anchor on the Bedrock AgentCore page, and adds a single new auth_overview.md page that side-by-sides MCP and A2A authn/authz so readers comparing the two surfaces don't have to stitch together four pages mentally.

Every config field, header name, default value, and error code in these changes was checked against the codebase before landing.

Changes

docs/mcp.md

  • Extended the auth_type table from 5 to 9 values (none, oauth2, oauth2_token_exchange, token were missing); cross-linked the OAuth and OBO pages.
  • Added a note that the header table describes the managed SSE/HTTP transport path — the OpenAPI-tool path emits Authorization: ApiKey <value> instead of X-API-Key for auth_type: api_key.

docs/mcp_oauth.md

  • Extended the Config Reference table to cover oauth2_flow, authorization_url, registration_url, token_validation, token_storage_ttl_seconds (all present in examples elsewhere but never enumerated in the reference table).

docs/mcp_control.md

  • New ## Permission Hierarchy section documenting the 5-level intersection (Key → Team → End-user → Agent → Org-as-ceiling) with a mermaid flowchart.
  • New ## Per-entity Tool-Level Permissions section documenting object_permission.mcp_tool_permissions (per-key/team/agent dict, distinct from server-registration allowed_tools/disallowed_tools).

docs/mcp_public_internet.md

  • New "Public Internet vs MCP Hub Visibility" section clarifying that available_on_public_internet (the IP-based filter, defaults to True) is independent of litellm.public_mcp_servers + litellm.public_mcp_hub_strict_whitelist (the GET /public/mcp_hub advertisement). Two mechanisms that are easy to conflate.

docs/a2a.md

  • Expanded the Authentication section to mention x-litellm-api-key as the preferred header when the inbound Authorization carries a backend-bound token.
  • New subsections: per-agent 403 RBAC; require_trace_id_on_calls_to_agent (returns 400, not 403) and its _by_agent sibling; sub-agent identity propagation — only X-LiteLLM-Trace-Id and X-LiteLLM-Agent-Id are forwarded downstream, not the caller's virtual key or end-user-id.

docs/a2a_agent_permissions.md

  • New ## Agent Access Groups section documenting object_permission.agent_access_groups on a key/team (the field is exposed on LiteLLM_ObjectPermissionBase). Notes that tagging an agent with access groups is a dashboard-only operation today — POST /v1/agents does not expose agent_access_groups as a top-level field.

docs/providers/bedrock_agentcore.md

  • New ## LiteLLM A2A Gateway section (fixes the broken #litellm-a2a-gateway anchor that docs/a2a.md linked to). Covers registration, dual outbound auth modes (Bearer/JWT short-circuit when litellm_params.api_key is set, SigV4 via base_aws_llm.get_credentials otherwise), the full 6-entry-point credential chain with EKS-relevant fields (aws_external_id, aws_web_identity_token, aws_profile_name, aws_sts_endpoint), and IRSA on EKS.

docs/auth_overview.md (new) + sidebars.js

  • Single side-by-side reference for MCP and A2A: client→gateway auth (the MCP-ASGI-checks-only-2-of-6-headers gap is called out), backend auth (MCP's auth_type enum vs A2A's inferred-from-litellm_params mode), per-user passthrough conventions (MCP's first-dash-split vs A2A's exact-prefix-match), RBAC (MCP is 5-level, A2A is 2-level today), trace IDs + identity propagation, guardrails, and a copy-paste header cheatsheet. Mostly cross-links into the now-corrected dedicated pages.
  • sidebars.js: adds auth_overview as the first item in the "Agent & MCP Gateway" category.

Test plan

  • npm run build succeeds (verifies all internal cross-links resolve)
  • npm run start and visually skim the new /docs/auth_overview page + each modified page
  • Confirm the bedrock_agentcore#litellm-a2a-gateway anchor renders and resolves from docs/a2a.md
  • Mermaid diagrams render in mcp_control.md and a2a_agent_permissions.md

Notes for reviewer

A code-review pass surfaced several errors in an earlier draft of this PR — most notably an inverted default for `available_on_public_internet` and an over-extrapolated 4-level A2A intersection model. Both were corrected in the final commit (`792edfd1`) before pushing. The commit message names it as a "fixup from code-review pass" so the history reflects the verification step.

One known open item that did NOT make this PR: `agent_access_groups` as a top-level field on `POST /v1/agents` — the field exists at the Prisma layer but is not exposed on `AgentConfig`. The docs note this and direct readers to the dashboard. Adding it to the Pydantic schema (and verifying end-to-end) is a separate code change.

(Supersedes the closed PR #155; commits rebased to attribute correctly.)

@michelligabriele michelligabriele requested a review from a team May 18, 2026 18:54
@vercel

vercel Bot commented May 18, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
litellm Ready Ready Preview, Comment May 18, 2026 6:55pm

Request Review

@mubashir1osmani mubashir1osmani changed the base branch from main to mubashir/validate-changes May 20, 2026 23:13
@mubashir1osmani mubashir1osmani merged commit 77cccf8 into BerriAI:mubashir/validate-changes May 20, 2026
2 checks passed
mubashir1osmani added a commit that referenced this pull request May 21, 2026
@mubashir1osmani @michelligabriele
docs(mcp,a2a): code-verified auth reference fixes + overview page (#156
b943f47 
…) (#184)

* docs(mcp,a2a): code-verified auth reference fixes + overview page (#156)

* docs(mcp): complete auth_type table, OAuth config reference, RBAC intersection model, hub-vs-public-internet distinction

* docs(a2a): document x-litellm-api-key, trace-id enforcement, sub-agent propagation, agent access groups and full intersection model

* docs(bedrock_agentcore): add LiteLLM A2A Gateway section — fixes broken anchor from a2a.md, documents dual JWT/SigV4 auth modes and full credential chain

* docs: add AuthN/AuthZ overview page side-by-siding MCP and A2A gateways

* docs(fixup): corrections from code-review pass — verified against current LiteLLM source

* make changes

---------

Co-authored-by: michelligabriele <gabriele.michelli@icloud.com>
mubashir1osmani added a commit that referenced this pull request May 21, 2026
@ishaan-berri @Chesars
@harish-berri @milan-berri @mubashir1osmani @michelligabriele
docs: LLM-as-a-Judge guardrail (#17)
2ca2023 
* docs: add LLM-as-a-Judge guardrail guide with screenshots

New guardrail type that uses an LLM to score responses against
weighted criteria. Includes UI walkthrough, YAML config examples,
blocked/passed response examples, and configuration reference.

* docs(llm-judge): replace placeholder screenshots with real spend logs UI screenshots

* docs(llm-judge): use real spend logs UI screenshots for blocked/passed guardrail views

* docs(blog): make /blog responsive (#51)

* docs(blog): make /blog responsive

- Add mobile styles to swizzled BlogListPage (hero, marquee, posts, pagination).
- Fix horizontal overflow caused by the marquee's white-space: nowrap propagating
  width up the flex chain. Break it with min-width: 0 on .page and #__docusaurus > *,
  plus defensive overflow-x: clip.
- Respect prefers-reduced-motion (stop marquee animation).

* Remove global overflow prevention styles

Removed global styles to prevent horizontal overflow on mobile.

* docs(proxy): add Grafana Cloud Pyroscope user and API token configuration options (#52)

* docs(auth): document scope and wildcard support for JWT routing overrides (#31)

Backfills the `BerriAI/litellm-docs` site with the changes that originally
shipped under `docs/my-website/` in BerriAI/litellm#25939 / #26325. After
the docs source was migrated to this repo, those edits could no longer
be carried in the code PR and were dropped on rebase.

- proxy/token_auth.md: expand "Matching behavior" with AND semantics,
  the new optional `scope` selector, list/string forms, shell-style
  wildcards (`*`, `?`, case-sensitive), and the scope-only space-split
  rule (iss/aud/client_id are never split on spaces). Adds a worked
  example combining `scope` with a wildcard `client_id`.
- proxy/oauth2.md: cross-reference the new wildcard/scope behavior and
  point readers to token_auth.md for full details.

Code change is in BerriAI/litellm#26325 (litellm_internal_staging).

* docs(mcp,a2a): code-verified auth reference fixes + overview page (#156) (#184)

* docs(mcp,a2a): code-verified auth reference fixes + overview page (#156)

* docs(mcp): complete auth_type table, OAuth config reference, RBAC intersection model, hub-vs-public-internet distinction

* docs(a2a): document x-litellm-api-key, trace-id enforcement, sub-agent propagation, agent access groups and full intersection model

* docs(bedrock_agentcore): add LiteLLM A2A Gateway section — fixes broken anchor from a2a.md, documents dual JWT/SigV4 auth modes and full credential chain

* docs: add AuthN/AuthZ overview page side-by-siding MCP and A2A gateways

* docs(fixup): corrections from code-review pass — verified against current LiteLLM source

* make changes

---------

Co-authored-by: michelligabriele <gabriele.michelli@icloud.com>

---------

Co-authored-by: Cesar Garcia <128240629+Chesars@users.noreply.github.com>
Co-authored-by: harish-berri <harish@berri.ai>
Co-authored-by: milan-berri <milan@berri.ai>
Co-authored-by: mubashir1osmani <mubashir.osmani777@gmail.com>
Co-authored-by: michelligabriele <gabriele.michelli@icloud.com>
@mubashir1osmani mubashir1osmani mentioned this pull request May 21, 2026
Open
mubashir1osmani added a commit that referenced this pull request May 21, 2026
@mateo-berri @Chesars
@harish-berri @milan-berri @mubashir1osmani @michelligabriele @agent-shin @Sameerlite @cursoragent @yuneng-berri
docs: replace slow Inkeep search with offline local search (#192)
727ad0a 
* docs(blog): make /blog responsive (#51)

* docs(blog): make /blog responsive

- Add mobile styles to swizzled BlogListPage (hero, marquee, posts, pagination).
- Fix horizontal overflow caused by the marquee's white-space: nowrap propagating
  width up the flex chain. Break it with min-width: 0 on .page and #__docusaurus > *,
  plus defensive overflow-x: clip.
- Respect prefers-reduced-motion (stop marquee animation).

* Remove global overflow prevention styles

Removed global styles to prevent horizontal overflow on mobile.

* docs(proxy): add Grafana Cloud Pyroscope user and API token configuration options (#52)

* docs(auth): document scope and wildcard support for JWT routing overrides (#31)

Backfills the `BerriAI/litellm-docs` site with the changes that originally
shipped under `docs/my-website/` in BerriAI/litellm#25939 / #26325. After
the docs source was migrated to this repo, those edits could no longer
be carried in the code PR and were dropped on rebase.

- proxy/token_auth.md: expand "Matching behavior" with AND semantics,
  the new optional `scope` selector, list/string forms, shell-style
  wildcards (`*`, `?`, case-sensitive), and the scope-only space-split
  rule (iss/aud/client_id are never split on spaces). Adds a worked
  example combining `scope` with a wildcard `client_id`.
- proxy/oauth2.md: cross-reference the new wildcard/scope behavior and
  point readers to token_auth.md for full details.

Code change is in BerriAI/litellm#26325 (litellm_internal_staging).

* docs(mcp,a2a): code-verified auth reference fixes + overview page (#156) (#184)

* docs(mcp,a2a): code-verified auth reference fixes + overview page (#156)

* docs(mcp): complete auth_type table, OAuth config reference, RBAC intersection model, hub-vs-public-internet distinction

* docs(a2a): document x-litellm-api-key, trace-id enforcement, sub-agent propagation, agent access groups and full intersection model

* docs(bedrock_agentcore): add LiteLLM A2A Gateway section — fixes broken anchor from a2a.md, documents dual JWT/SigV4 auth modes and full credential chain

* docs: add AuthN/AuthZ overview page side-by-siding MCP and A2A gateways

* docs(fixup): corrections from code-review pass — verified against current LiteLLM source

* make changes

---------

Co-authored-by: michelligabriele <gabriele.michelli@icloud.com>

* Update Claude Code compatibility matrix (#175)

litellm_version: v1.83.14-stable
claude_code_version: 2.1.126
generated_at: 2026-05-20T06:09:45Z

Co-authored-by: litellm-compat-matrix-bot <litellm-bot@berri.ai>

* docs(mcp): pass guardrails via extra_body in OpenAI SDK example (#188)

The OpenAI Python SDK rejects guardrails as a top-level argument; use extra_body to send LiteLLM-specific params to the proxy.

Co-authored-by: Cursor <cursoragent@cursor.com>

* docs(release_notes): add v1.84.1 and v1.85.1 patch release notes (#191)

Patch releases on top of v1.84.0 and v1.85.0, each shipping the same
three PRs: Gemini 3.5 Flash day-0 support (#28268), a Vertex AI
tool-calling fix for Gemini 3.5+ HTTP 400 errors (#28324), and a
cross-pod spend-counter seeding fix (#27854).

Adds release_notes/v1.84.1/ and release_notes/v1.85.1/ pages and
updates the release_notes overview (Latest Release block + table).

* docs: replace slow Inkeep search with offline @easyops-cn/docusaurus-search-local

Inkeep search was reported as slow and exhibited focus / Cmd+K bugs
(cursor in the wrong place, page preventing repeated searches). Swap
the navbar SearchBar over to @easyops-cn/docusaurus-search-local, which
builds a static lunr index at build time and renders results instantly
on the client.

- Add @easyops-cn/docusaurus-search-local theme with both docs and
  release_notes routes indexed.
- Keep stop words and stems (technical docs frequently search short
  tokens) and enable highlight-on-target-page.
- Drop the SearchBar config from @inkeep/cxkit-docusaurus so it only
  provides the floating Ask AI chat button (still useful for AI Q&A).

Co-authored-by: Mateo Wang <mateo-berri@users.noreply.github.com>

---------

Co-authored-by: Cesar Garcia <128240629+Chesars@users.noreply.github.com>
Co-authored-by: harish-berri <harish@berri.ai>
Co-authored-by: milan-berri <milan@berri.ai>
Co-authored-by: mubashir1osmani <mubashir.osmani777@gmail.com>
Co-authored-by: michelligabriele <gabriele.michelli@icloud.com>
Co-authored-by: agent-shin <279878236+agent-shin@users.noreply.github.com>
Co-authored-by: litellm-compat-matrix-bot <litellm-bot@berri.ai>
Co-authored-by: Sameer Kankute <sameer@berri.ai>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: yuneng-jiang <yuneng@berri.ai>
Co-authored-by: Mateo Wang <mateo-berri@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@michelligabriele @mubashir1osmani