CLI Reference

The authserver binary exposes the operator surface for the Authplane MCP Authorization Server, a self-hosted OAuth 2.1 Authorization Server purpose-built for MCP. Top-level subcommands include serve (run the AS), admin (client / user / key / resource / provider / grant / issuance / fronting management), migrate (run DB migrations), purge (one-shot expired-data cleanup), and version (print build version). The sections below are auto-generated from the cobra command tree in cmd/authserver/; flag tables include any format-syntax notes from tools/docsgen/quirks/cli.yaml.

Index

Command Synopsis
authserver admin Administrative operations
authserver admin client Manage OAuth clients
authserver admin client create Create a new OAuth client
authserver admin client delete Permanently delete a client
authserver admin client list List registered clients
authserver admin client rotate-secret Rotate a client's secret
authserver admin client update Update an existing client
authserver admin dcr Manage Dynamic Client Registration settings
authserver admin dcr get Show current DCR settings
authserver admin dcr set Update DCR settings
authserver admin fronting Manage cross-Mint fronting links
authserver admin fronting create Create a fronting link
authserver admin fronting delete Delete a fronting link
authserver admin fronting get Get a fronting link by (source, target)
authserver admin fronting list List fronting links
authserver admin fronting update Update a fronting link's scope_map (PATCH)
authserver admin grant Inspect + revoke user grants (consent + broker)
authserver admin grant list-user-grants List a user's consent and broker grants
authserver admin grant revoke-broker Revoke a broker grant by id (no issuance cascade — upstream tokens are not AS-revocable)
authserver admin grant revoke-consent Revoke a consent grant by id (cascades onto live Mint issuances)
authserver admin issuance Inspect + revoke issuances (per-token forensic records)
authserver admin issuance get Get an issuance by id (issuance UUID)
authserver admin issuance list List issuances (filter by --user / --client / --jti / --resource)
authserver admin issuance revoke Revoke an issuance (soft-delete; idempotent)
authserver admin key Manage signing keys
authserver admin key list List signing keys
authserver admin key rotate Rotate the signing key
authserver admin provider Manage broker providers
authserver admin provider create Create a broker provider
authserver admin provider delete Delete a broker provider
authserver admin provider get Get a broker provider by id
authserver admin provider list List broker providers
authserver admin provider update Update a broker provider (PATCH)
authserver admin resource Manage unified resources (mint + broker)
authserver admin resource create Create a resource
authserver admin resource delete Delete a resource
authserver admin resource get Get a resource by id
authserver admin resource list List resources
authserver admin resource runtime-client Manage policy.runtime.client_ids on a resource
authserver admin resource runtime-client add Authorize a client to act AS the resource
authserver admin resource runtime-client list List runtime client_ids on a resource
authserver admin resource runtime-client remove Revoke a client's authorization to act AS the resource
authserver admin resource update Update a resource (PATCH)
authserver admin user Manage users
authserver admin user create Create a new user
authserver admin user delete Delete a user
authserver admin user force-logout Revoke all tokens for a user
authserver admin user list List all users
authserver admin user update Update an existing user
authserver migrate Run database migrations
authserver purge Run a single pass of expired-data cleanup and exit
authserver serve Start the server
authserver version Print version

authserver admin

Synopsis: authserver admin

Short — Administrative operations

Long

Manage clients, users, keys, resources, providers, grants, and issuances via CLI.

Source: cmd/authserver/admin.go:15

authserver admin client

Synopsis: authserver admin client

Short — Manage OAuth clients

Source: cmd/authserver/admin_client.go:14

authserver admin client create

Synopsis: authserver admin client create --name <name> [flags]

Short — Create a new OAuth client

Required flags

Flag Type Notes
--name string Client name

Optional flags

Flag Type Default Notes
--agent bool false Register as agent client
--agent-description string Agent description (max 500 chars)
--auth-method string none Token endpoint auth method
--grant-types string authorization_code Comma-separated grant-type identifiers
(e.g. authorization_code,refresh_token,client_credentials).
--redirect-uris string Comma-separated full URLs. Each must include a scheme.
--scope string Space-separated scopes

Source: cmd/authserver/admin_client.go:23

authserver admin client delete

Synopsis: authserver admin client delete --id <id> [flags]

Short — Permanently delete a client

Required flags

Flag Type Notes
--id string Client ID

Optional flags

Flag Type Default Notes
--force bool false Force delete even with active tokens

Source: cmd/authserver/admin_client.go:133

authserver admin client list

Synopsis: authserver admin client list [flags]

Short — List registered clients

Optional flags

Flag Type Default Notes
--limit int 100 Maximum results
--source string Filter by registration source (dcr, admin)
--status string Filter by status (active, suspended, revoked)

Source: cmd/authserver/admin_client.go:192

authserver admin client rotate-secret

Synopsis: authserver admin client rotate-secret --id <id>

Short — Rotate a client's secret

Required flags

Flag Type Notes
--id string Client ID

Source: cmd/authserver/admin_client.go:162

authserver admin client update

Synopsis: authserver admin client update --id <id> [flags]

Short — Update an existing client

Required flags

Flag Type Notes
--id string Client ID

Optional flags

Flag Type Default Notes
--grant-types string Comma-separated grant-type identifiers.
--name string New client name
--redirect-uris string Comma-separated full URLs.
--scope string New scopes (space-separated)

Source: cmd/authserver/admin_client.go:83

authserver admin dcr

Synopsis: authserver admin dcr

Short — Manage Dynamic Client Registration settings

Source: cmd/authserver/admin_dcr.go:11

authserver admin dcr get

Synopsis: authserver admin dcr get

Short — Show current DCR settings

Source: cmd/authserver/admin_dcr.go:20

authserver admin dcr set

Synopsis: authserver admin dcr set [flags]

Short — Update DCR settings

Optional flags

Flag Type Default Notes
--mode string DCR mode: open, admin_only, approved_redirects

Source: cmd/authserver/admin_dcr.go:44

authserver admin fronting

Synopsis: authserver admin fronting

Short — Manage cross-Mint fronting links

Long

Manage operator-declared fronting links. A fronting link declares that a Mint Resource (source) may mint tokens for a downstream Resource (target) via RFC 8693 token-exchange, translating scopes per the supplied scope-map. The runtime path that consumes these rows lands in (Inc N+1).

Source: cmd/authserver/admin_fronting.go:16

authserver admin fronting create

Synopsis: authserver admin fronting create --scope-map <scope-map> --source <source> --target <target> [flags]

Short — Create a fronting link

Long

Create a fronting link. --scope-map encodes the source→target scope translation as comma-separated entries; each entry may carry multiple targets via '+'.

Examples:

--scope-map A:AA,B:BB source=A→[AA]; source=B→[BB]
--scope-map read:repo+org,write:repo source=read→[repo,org]; source=write→[repo]

Pass --dry-run to validate without persisting (the service runs every pre-write rule including cycle detection).

Required flags

Flag Type Notes
--scope-map string Source→target scope translation. Comma separates entries;
colon separates source from targets; + fans out one source
to multiple targets.
Examples:
A:AA,B:BB means A → [AA], B → [BB]
read:repo+org,write:repo means read → [repo, org], write → [repo]
--source string Source slug
--target string Target slug

Optional flags

Flag Type Default Notes
--dry-run bool false Validate without persisting (runs all pre-write rules)

Source: cmd/authserver/admin_fronting.go:111
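
The --scope-map grammar above, worked through as an added Go example (not code from the Authplane repository). ParseScopeMap and Translate are hypothetical names; splitting on the first colon, rejecting a repeated source, and dropping unmapped source scopes are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ParseScopeMap parses the documented grammar: ',' separates entries,
// ':' separates source from targets, '+' fans one source out to several targets.
// Assumptions of this example: the split is on the first ':' only, and a
// source listed twice is an error rather than a merge.
func ParseScopeMap(s string) (map[string][]string, error) {
	if strings.TrimSpace(s) == "" {
		return nil, errors.New("scope-map: empty value")
	}
	out := make(map[string][]string)
	for _, entry := range strings.Split(s, ",") {
		src, tgts, ok := strings.Cut(strings.TrimSpace(entry), ":")
		if !ok || src == "" {
			return nil, fmt.Errorf("scope-map: entry %q is not source:target", entry)
		}
		if _, dup := out[src]; dup {
			return nil, fmt.Errorf("scope-map: source %q listed twice", src)
		}
		seen := make(map[string]bool)
		for _, t := range strings.Split(tgts, "+") {
			if t == "" {
				return nil, fmt.Errorf("scope-map: empty target in entry %q", entry)
			}
			if !seen[t] { // drop repeated targets within one entry
				seen[t] = true
				out[src] = append(out[src], t)
			}
		}
	}
	return out, nil
}

// Translate maps the scopes a source token carries to target scopes.
// Assumption: a source scope without an entry contributes nothing, so the
// exchanged token never carries more than the operator declared.
func Translate(m map[string][]string, granted []string) []string {
	set := make(map[string]bool)
	for _, g := range granted {
		for _, t := range m[g] {
			set[t] = true
		}
	}
	out := make([]string, 0, len(set))
	for t := range set {
		out = append(out, t)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Both inputs are the examples from the flag description above.
	for _, in := range []string{"A:AA,B:BB", "read:repo+org,write:repo"} {
		m, err := ParseScopeMap(in)
		fmt.Println(in, "=>", m, err)
	}
	m, _ := ParseScopeMap("read:repo+org,write:repo")
	fmt.Println(Translate(m, []string{"write", "admin"})) // "admin" is unmapped
}
```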

authserver admin fronting delete

Synopsis: authserver admin fronting delete --source <source> --target <target>

Short — Delete a fronting link

Required flags

Flag Type Notes
--source string Source slug
--target string Target slug

Source: cmd/authserver/admin_fronting.go:217

authserver admin fronting get

Synopsis: authserver admin fronting get --source <source> --target <target> [flags]

Short — Get a fronting link by (source, target)

Required flags

Flag Type Notes
--source string Source slug
--target string Target slug

Optional flags

Flag Type Default Notes
--json bool false Emit JSON instead of human-readable lines

Source: cmd/authserver/admin_fronting.go:77

authserver admin fronting list

Synopsis: authserver admin fronting list [flags]

Short — List fronting links

Optional flags

Flag Type Default Notes
--json bool false Emit JSON instead of human-readable lines
--source string Filter by source slug
--target string Filter by target slug

Source: cmd/authserver/admin_fronting.go:30

authserver admin fronting update

Synopsis: authserver admin fronting update --source <source> --target <target> [flags]

Short — Update a fronting link's scope_map (PATCH)

Long

Replace the scope_map of an existing fronting link. Only --scope-map is patchable; rewiring source/target requires delete + create. Omitting --scope-map leaves the existing map untouched.

Required flags

Flag Type Notes
--source string Source slug
--target string Target slug

Optional flags

Flag Type Default Notes
--scope-map string Same src:tgt[+tgt2],src2:tgt3 grammar as
admin fronting create --scope-map. Omitting the flag leaves
the existing map untouched.

Source: cmd/authserver/admin_fronting.go:174

authserver admin grant

Synopsis: authserver admin grant

Short — Inspect + revoke user grants (consent + broker)

Long

Read and revoke user grants. A user has up to two shapes:

  • consent_grants — per-MCP user→Agent authorization
  • broker_grants — per-provider upstream credential

Both surface here; revocation is split because the cascade semantics differ.

Source: cmd/authserver/admin_grant.go:16

authserver admin grant list-user-grants

Synopsis: authserver admin grant list-user-grants --user <user> [flags]

Short — List a user's consent and broker grants

Required flags

Flag Type Notes
--user string User id

Optional flags

Flag Type Default Notes
--json bool false Emit JSON instead of human-readable lines

Source: cmd/authserver/admin_grant.go:30

authserver admin grant revoke-broker

Synopsis: authserver admin grant revoke-broker --id <id>

Short — Revoke a broker grant by id (no issuance cascade — upstream tokens are not AS-revocable)

Required flags

Flag Type Notes
--id string Broker grant id

Source: cmd/authserver/admin_grant.go:97

authserver admin grant revoke-consent

Synopsis: authserver admin grant revoke-consent --id <id>

Short — Revoke a consent grant by id (cascades onto live Mint issuances)

Required flags

Flag Type Notes
--id string Consent grant id

Source: cmd/authserver/admin_grant.go:72

authserver admin issuance

Synopsis: authserver admin issuance

Short — Inspect + revoke issuances (per-token forensic records)

Source: cmd/authserver/admin_issuance.go:29

authserver admin issuance get

Synopsis: authserver admin issuance get --id <id> [flags]

Short — Get an issuance by id (issuance UUID)

Required flags

Flag Type Notes
--id string Issuance UUID

Optional flags

Flag Type Default Notes
--json bool false Emit JSON instead of human-readable lines

Source: cmd/authserver/admin_issuance.go:137

authserver admin issuance list

Synopsis: authserver admin issuance list [flags]

Short — List issuances (filter by --user / --client / --jti / --resource)

Long

List issuances filtered by any combination of --user, --client, --resource, or --jti (at least one is required). --since accepts Go durations plus 'd' (days) and 'w' (weeks) suffixes; default 24h, max 30d. --jti is a point-query: --since is ignored, and other filters narrow the single-row result.

Optional flags

Flag Type Default Notes
--client string Filter issuances by client id (actor)
--json bool false Emit JSON instead of human-readable lines
--jti string Look up a single issuance by JTI (incident response; --since ignored)
--limit int 500 Maximum rows returned (1..5000)
--resource string Filter issuances by resource id
--since string Go duration plus d/w suffixes (e.g. 7d, 2w, 30m).
Default 24h, max 30d (720h). Ignored when --jti is set
(point-query).
--user string Filter issuances by subject user id

Source: cmd/authserver/admin_issuance.go:38
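
The documented filter rules for issuance list (at least one filter, --limit in 1..5000, --since with d/w suffixes up to 30d, --jti as a point-query), expressed as an added Go example that is not the project's own code. ListFilter, Window and ParseSince are hypothetical names, the sample filters are constructed, and rejecting an over-limit --since instead of clamping it is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"time"
)

const defaultSince = 24 * time.Hour  // documented default
const maxSince = 30 * 24 * time.Hour // documented maximum: 30d (720h)

// ParseSince accepts a Go duration or an integer count with a d/w suffix.
// Assumption: a value above the maximum is rejected rather than clamped.
func ParseSince(s string) (time.Duration, error) {
	if s == "" {
		return defaultSince, nil
	}
	var unit, d time.Duration
	switch s[len(s)-1] {
	case 'd':
		unit = 24 * time.Hour
	case 'w':
		unit = 7 * 24 * time.Hour
	}
	if unit != 0 {
		n, err := strconv.Atoi(s[:len(s)-1])
		if err != nil || n < 1 || n > 30 { // above 30 already exceeds 30d; also rules out overflow
			return 0, fmt.Errorf("since %q: want a day/week count within 30d", s)
		}
		d = time.Duration(n) * unit
	} else {
		var err error
		if d, err = time.ParseDuration(s); err != nil {
			return 0, fmt.Errorf("since %q: %w", s, err)
		}
	}
	if d <= 0 || d > maxSince {
		return 0, fmt.Errorf("since %q: must be above 0 and at most 720h", s)
	}
	return d, nil
}

// ListFilter is a hypothetical struct mirroring the documented flags.
type ListFilter struct {
	User, Client, Resource, JTI, Since string
	Limit                              int
}

// Window validates the filter; a JTI point-query returns 0 because --since is ignored.
func (f ListFilter) Window() (time.Duration, error) {
	if f.User == "" && f.Client == "" && f.Resource == "" && f.JTI == "" {
		return 0, errors.New("need at least one of --user, --client, --resource, --jti")
	}
	if f.Limit < 1 || f.Limit > 5000 {
		return 0, errors.New("--limit must be in 1..5000")
	}
	if f.JTI != "" {
		return 0, nil
	}
	return ParseSince(f.Since)
}

func main() {
	filters := []ListFilter{ // constructed sample inputs
		{JTI: "constructed-jti", Since: "90d", Limit: 500}, // --since ignored
		{Client: "c-1", Since: "5w", Limit: 500},           // 35d exceeds 30d
		{Since: "7d", Limit: 500},                          // no filter given
	}
	for _, f := range filters {
		fmt.Println(f.Window())
	}
}
```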

authserver admin issuance revoke

Synopsis: authserver admin issuance revoke --id <id>

Short — Revoke an issuance (soft-delete; idempotent)

Required flags

Flag Type Notes
--id string Issuance UUID

Source: cmd/authserver/admin_issuance.go:177

authserver admin key

Synopsis: authserver admin key

Short — Manage signing keys

Source: cmd/authserver/admin_key.go:11

authserver admin key list

Synopsis: authserver admin key list

Short — List signing keys

Source: cmd/authserver/admin_key.go:42

authserver admin key rotate

Synopsis: authserver admin key rotate

Short — Rotate the signing key

Source: cmd/authserver/admin_key.go:20

authserver admin provider

Synopsis: authserver admin provider

Short — Manage broker providers

Long

Manage broker providers (upstream OAuth apps, API-key vendors, service-account JSON owners) shared by Broker resources.

Source: cmd/authserver/admin_provider.go:19

authserver admin provider create

Synopsis: authserver admin provider create --config-data <config-data> --display-name <display-name> --protocol <protocol> --slug <slug>

Short — Create a broker provider

Long

Create a broker provider. --config-data points to a file holding the protocol-specific JSON. For OAuth providers the JSON's client_secret_env field carries the NAME of the env var the AS will look up at runtime, NOT the secret value itself.

Required flags

Flag Type Notes
--config-data string Path to JSON file holding the provider's protocol-specific config. For OAuth, client_secret_env is the env var NAME, not the secret.
--display-name string Human-readable name
--protocol string Protocol: oauth | api_key | service_account
--slug string Provider slug

Source: cmd/authserver/admin_provider.go:100
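
A pre-flight check for the OAuth --config-data file, added here as an example and not part of authserver: it confirms that client_secret_env holds an environment variable name that resolves at runtime, without echoing the value. LintOAuthConfig is a hypothetical name, the sample JSON is constructed, and treating a literal client_secret key as a finding is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
)

// envNameRE matches a conventional environment variable name.
var envNameRE = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// LintOAuthConfig returns findings for an OAuth provider config document.
// lookup is os.LookupEnv in normal use; it is a parameter so tests can stub it.
func LintOAuthConfig(raw []byte, lookup func(string) (string, bool)) []string {
	var cfg map[string]json.RawMessage
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return []string{"config is not a JSON object: " + err.Error()}
	}
	var findings []string
	// Assumption: a literal client_secret key means a secret was pasted into the file.
	if _, ok := cfg["client_secret"]; ok {
		findings = append(findings, "client_secret key present; reference the secret via client_secret_env")
	}
	rawName, ok := cfg["client_secret_env"]
	if !ok {
		return append(findings, "client_secret_env is missing")
	}
	var name string
	if err := json.Unmarshal(rawName, &name); err != nil {
		return append(findings, "client_secret_env must be a JSON string")
	}
	// Findings never echo the value: it may be the secret itself.
	if !envNameRE.MatchString(name) {
		return append(findings, "client_secret_env is not an env var name (value withheld)")
	}
	if v, set := lookup(name); !set || v == "" {
		findings = append(findings, "client_secret_env names a variable that is unset or empty (value withheld)")
	}
	return findings
}

func main() {
	// Constructed sample documents; only client_secret_env comes from the page.
	samples := []string{
		`{"client_secret_env": "UPSTREAM_OAUTH_SECRET"}`,
		`{"client_secret_env": "s3cr3t/abc+def=="}`,
		`{"client_secret": "s3cr3t/abc+def=="}`,
	}
	for i, s := range samples {
		fmt.Printf("sample %d: %q\n", i+1, LintOAuthConfig([]byte(s), os.LookupEnv))
	}
}
```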

authserver admin provider delete

Synopsis: authserver admin provider delete --id <id>

Short — Delete a broker provider

Required flags

Flag Type Notes
--id string Provider id

Source: cmd/authserver/admin_provider.go:206

authserver admin provider get

Synopsis: authserver admin provider get --id <id> [flags]

Short — Get a broker provider by id

Required flags

Flag Type Notes
--id string Provider id

Optional flags

Flag Type Default Notes
--json bool false Emit JSON instead of human-readable lines

Source: cmd/authserver/admin_provider.go:68

authserver admin provider list

Synopsis: authserver admin provider list [flags]

Short — List broker providers

Optional flags

Flag Type Default Notes
--json bool false Emit JSON instead of human-readable lines

Source: cmd/authserver/admin_provider.go:30

authserver admin provider update

Synopsis: authserver admin provider update --id <id> [flags]

Short — Update a broker provider (PATCH)

Long

Update a broker provider with PATCH semantics: omitted flags leave their fields unchanged.

Required flags

Flag Type Notes
--id string Provider id

Optional flags

Flag Type Default Notes
--config-data string Path to JSON file with replacement config
--display-name string New display name
--protocol string New protocol: oauth | api_key | service_account
--slug string New slug

Source: cmd/authserver/admin_provider.go:154

authserver admin resource

Synopsis: authserver admin resource

Short — Manage unified resources (mint + broker)

Long

Manage unified resources. backend_kind=mint resources are JWT-signed by the AS; backend_kind=broker resources are vended via a broker adapter against an upstream provider.

Source: cmd/authserver/admin_resource.go:18

authserver admin resource create

Synopsis: authserver admin resource create --backend-kind <backend-kind> --slug <slug> [flags]

Short — Create a resource

Long

Create a resource. --scopes is repeatable; each value is a tuple 'name|upstream|description'. Example: --scopes 'repo|repo|Repository read/write'. For Mint resources upstream is conventionally empty: --scopes 'tasks:summarize||'. --scopes-file is the bulk JSON form (mutually exclusive with --scopes).

Required flags

Flag Type Notes
--backend-kind string Backend kind: mint | broker
--slug string Resource slug

Optional flags

Flag Type Default Notes
--broker-provider string Broker provider id (required for broker resources)
--description string Free-form description (kept for forward compat; not persisted today)
--display-name string Human-readable display name
--policy-allowed-clients stringSlice Comma-separated client_ids permitted to act as the actor at /oauth/token. Empty = any.
--policy-allowed-return-urls stringSlice Comma-separated return URLs accepted by the broker connect flow.
--policy-runtime-client-ids stringSlice Comma-separated client_ids authorized to act AS this Resource at runtime. Empty = default-deny (no client may act as this Resource).
--scopes stringArray Format: name|upstream|description. Repeatable.
For broker resources upstream maps the local scope name to the
upstream OAuth scope (e.g. repo|repo|Repository read/write).
For mint resources upstream is conventionally empty —
double-pipe: tasks:summarize||Summarise tasks.
Mutually exclusive with --scopes-file.
--scopes-file string Path to JSON file holding an array of {name, upstream, description}. Mutually exclusive with --scopes.
--uri string Resource URI (optional)

Source: cmd/authserver/admin_resource.go:115

authserver admin resource delete

Synopsis: authserver admin resource delete --id <id>

Short — Delete a resource

Required flags

Flag Type Notes
--id string Resource id

Source: cmd/authserver/admin_resource.go:371

authserver admin resource get

Synopsis: authserver admin resource get --id <id> [flags]

Short — Get a resource by id

Required flags

Flag Type Notes
--id string Resource id

Optional flags

Flag Type Default Notes
--json bool false Emit JSON instead of human-readable lines

Source: cmd/authserver/admin_resource.go:82

authserver admin resource list

Synopsis: authserver admin resource list [flags]

Short — List resources

Optional flags

Flag Type Default Notes
--backend-kind string Filter by backend kind: mint | broker
--broker-provider string Filter by broker provider id
--json bool false Emit JSON instead of human-readable lines

Source: cmd/authserver/admin_resource.go:30

authserver admin resource runtime-client

Synopsis: authserver admin resource runtime-client

Short — Manage policy.runtime.client_ids on a resource

Long

Manage the OAuth client_ids authorized to act AS this Resource at runtime. Empty list = no client may act as this Resource (default-deny); multi-entry models multi-tier deployments where each tier authenticates with its own credentials but maps to the same Resource.

Source: cmd/authserver/admin_resource.go:261

authserver admin resource runtime-client add

Synopsis: authserver admin resource runtime-client add --client-id <client-id> --slug <slug>

Short — Authorize a client to act AS the resource

Required flags

Flag Type Notes
--client-id string OAuth client_id to authorize as this Resource
--slug string Resource slug

Source: cmd/authserver/admin_resource.go:272

authserver admin resource runtime-client list

Synopsis: authserver admin resource runtime-client list --slug <slug> [flags]

Short — List runtime client_ids on a resource

Required flags

Flag Type Notes
--slug string Resource slug

Optional flags

Flag Type Default Notes
--json bool false Emit JSON instead of human-readable lines

Source: cmd/authserver/admin_resource.go:332

authserver admin resource runtime-client remove

Synopsis: authserver admin resource runtime-client remove --client-id <client-id> --slug <slug>

Short — Revoke a client's authorization to act AS the resource

Required flags

Flag Type Notes
--client-id string OAuth client_id to remove
--slug string Resource slug

Source: cmd/authserver/admin_resource.go:302

authserver admin resource update

Synopsis: authserver admin resource update --id <id> [flags]

Short — Update a resource (PATCH)

Long

Update a resource with PATCH semantics: omitted flags leave their fields UNCHANGED. Use --scopes-clear / --policy-clear to wipe a field explicitly. The CLI verb is update for operator friendliness; the underlying port method is Patch.

Required flags

Flag Type Notes
--id string Resource id

Optional flags

Flag Type Default Notes
--backend-kind string New backend kind: mint | broker
--broker-provider string New broker provider id
--display-name string New display name
--policy-allowed-clients stringSlice Replacement allowlist of client_ids
--policy-allowed-return-urls stringSlice Replacement allowlist of return URLs
--policy-clear bool false Clear the entire policy field (allowlists become empty)
--policy-runtime-client-ids stringSlice Replacement runtime.client_ids list
--scopes stringArray Same name|upstream|description tuple grammar as
admin resource create --scopes. Replaces the existing scope
set wholesale; use --scopes-clear to set the empty list.
--scopes-clear bool false Clear scopes (set to empty)
--scopes-file string Path to JSON file with replacement scopes
--slug string New slug
--uri string New URI

Source: cmd/authserver/admin_resource.go:171

authserver admin user

Synopsis: authserver admin user

Short — Manage users

Source: cmd/authserver/admin_user.go:14

authserver admin user create

Synopsis: authserver admin user create --email <email> --password <password> [flags]

Short — Create a new user

Required flags

Flag Type Notes
--email string User email
--password string User password

Optional flags

Flag Type Default Notes
--name string User display name
--role string user User role: admin or user

Source: cmd/authserver/admin_user.go:23

authserver admin user delete

Synopsis: authserver admin user delete --id <id> [flags]

Short — Delete a user

Required flags

Flag Type Notes
--id string User ID

Optional flags

Flag Type Default Notes
--force bool false Force delete even with active tokens

Source: cmd/authserver/admin_user.go:112

authserver admin user force-logout

Synopsis: authserver admin user force-logout --id <id>

Short — Revoke all tokens for a user

Required flags

Flag Type Notes
--id string User ID

Source: cmd/authserver/admin_user.go:141

authserver admin user list

Synopsis: authserver admin user list

Short — List all users

Source: cmd/authserver/admin_user.go:169

authserver admin user update

Synopsis: authserver admin user update --id <id> [flags]

Short — Update an existing user

Required flags

Flag Type Notes
--id string User ID

Optional flags

Flag Type Default Notes
--email string New email
--name string New display name

Source: cmd/authserver/admin_user.go:74

authserver migrate

Synopsis: authserver migrate

Short — Run database migrations

Source: cmd/authserver/migrate.go:13

authserver purge

Synopsis: authserver purge [flags]

Short — Run a single pass of expired-data cleanup and exit

Long

Purge removes expired rows from all purgeable tables in a single pass. Designed to be scheduled via cron, systemd timer, or Kubernetes CronJob.

By default all tables are purged. Use --only to select specific targets:

authserver purge --only=refresh-tokens,sessions

The command aborts after --timeout (default 10m) and on SIGINT/SIGTERM. Pass --timeout=0 to disable the internal deadline.

Optional flags

Flag Type Default Notes
--only string Comma-separated target names. Run authserver purge --help to
see the live target list; common values include
refresh-tokens, sessions, consent-grants,
broker-grants, issuances, dpop-nonces.
--timeout duration 10m (defaultPurgeTimeout) Go duration (e.g. 30s, 5m, 1h). --timeout=0 disables
the internal deadline; the run still aborts on SIGINT/SIGTERM.

Source: cmd/authserver/purge.go:118

authserver serve

Synopsis: authserver serve

Short — Start the server

Long

Start the Authplane MCP Authorization Server.

Source: cmd/authserver/serve.go:42

authserver version

Synopsis: authserver version

Short — Print version

Source: cmd/authserver/main.go:39