File tree Expand file tree Collapse file tree
docs/toolhive/guides-vmcp Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -427,10 +427,9 @@ at `authed_user.access_token`). Add a `tokenResponseMapping` block to the
427427# ## Incoming auth with the embedded auth server
428428
429429When using the embedded auth server, configure `incomingAuth` to validate the
430- JWTs it issues. The `issuer` must match `authServerConfig.issuer`. If the issuer
431- URL resolves to a private or cluster-internal IP address (typical in
432- Kubernetes), set `jwksAllowPrivateIP` to `true` so the OIDC middleware can fetch
433- the JWKS from the embedded auth server's discovery endpoint :
430+ JWTs it issues. The `issuer` must match `authServerConfig.issuer`. Note that as
431+ of version 0.15.0, `jwksAllowPrivateIP : true` is no longer needed because JWKS
432+ retrieval is done in-process when the embedded auth server is present.
434433
435434` ` ` yaml title="VirtualMCPServer resource"
436435spec:
@@ -442,7 +441,6 @@ spec:
442441 inline:
443442 issuer: https://auth.example.com
444443 audience: https://mcp.example.com/mcp
445- jwksAllowPrivateIP: true
446444` ` `
447445
448446The `resourceUrl` is the externally reachable URL of the MCP endpoint. MCP
@@ -575,7 +573,6 @@ spec:
575573 inline:
576574 issuer: https://auth.example.com
577575 audience: https://mcp.example.com/mcp
578- jwksAllowPrivateIP: true
579576 outgoingAuth:
580577 source: inline
581578 backends:
You can’t perform that action at this time.
0 commit comments