Protect your first application
AuthSec puts OAuth in front of an MCP server, AI agent, or API you already run. You register the application, install a small SDK wrapper, declare the tools it exposes, review who can call what, and launch. About 10 minutes the first time.
The admin UI walks the same five steps. This guide does too.
The five steps
- Register an application — paste its Public Base URL and Protected Path. AuthSec generates the Resource URI and a one-time introspection secret.
- Install protection — copy the secret, drop the AuthSec SDK wrapper into your codebase (Python, Go, TypeScript).
- Publish the tool manifest — declare which tools your application exposes. The SDK does this on startup; you can also scan over the wire.
- Review tool access — pick which scope each tool requires, then decide what new users get on first login.
- Launch — flip the application from "Not launched" to live. The Applications list then shows Readiness, Risk, Last Signal, and Next Action per app.
After launch, the same screen is your operational view. Anything that changes the live policy — a scope deleted, a tool unmapped, a secret rotated — shows up as a drift event.
Before you start
You need three things:
- An application to protect. An MCP server, an AI agent endpoint, or an HTTP API. Reachable over HTTPS — e.g. https://mcp.acme.example. (For local dev against a service on your laptop, AuthSec also accepts loopback addresses; see local development.)
- Admin access to AuthSec. If the Applications screen loads, you're set.
- Five minutes to install an SDK. Python, Go, and TypeScript all ship a one-line wrapper.
What you'll have at the end
- Your application rejects calls without a valid token (401 with a usable challenge URL).
- The right people get a 200 on the right tools.
- Anyone calling a tool they don't have a scope for gets a 403 with the missing scope spelled out.
- The Applications list shows your app as launched, with live Readiness and Risk.
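A post-launch smoke check for the first three outcomes, added here as an example and not taken from the AuthSec SDK. It assumes the challenge arrives in a standard `WWW-Authenticate: Bearer` header (RFC 6750) with a `resource_metadata` URL (RFC 9728) on the 401 and `error="insufficient_scope"` plus `scope` on the 403; the case names, the scope `tools:deploy`, and the sample responses are constructed.

```python
import re

# key="quoted value" or key=token pairs inside a Bearer challenge (RFC 6750).
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def parse_bearer_challenge(header):
    """Return the auth-params of a Bearer WWW-Authenticate header, or None."""
    scheme, _, rest = (header or "").strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return {m[1].lower(): m[2] if m[2] is not None else m[3]
            for m in _PARAM.finditer(rest)}

def check_outcome(case, status, headers):
    """Return the problems found for one probe; an empty list means it passed."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    params = parse_bearer_challenge(hdrs.get("www-authenticate")) or {}
    expected = {"no_token": 401, "missing_scope": 403, "allowed": 200}[case]
    problems = []
    if status != expected:
        problems.append(f"{case}: expected {expected}, got {status}")
    if case == "no_token":
        # Assumed parameter name (RFC 9728). A loopback dev setup would need
        # plain http allowed here.
        if not params.get("resource_metadata", "").startswith("https://"):
            problems.append("no_token: no usable https challenge URL")
    elif case == "missing_scope":
        if params.get("error") != "insufficient_scope" or not params.get("scope"):
            problems.append("missing_scope: the missing scope is not named")
    return problems

# Constructed sample responses (status, headers); not captured from a deployment.
SAMPLES = {
    "no_token": (401, {"WWW-Authenticate": 'Bearer resource_metadata='
        '"https://mcp.acme.example/.well-known/oauth-protected-resource"'}),
    "missing_scope": (403, {"WWW-Authenticate":
        'Bearer error="insufficient_scope", scope="tools:deploy"'}),
    "allowed": (200, {}),
}

def run_checks(samples=SAMPLES):
    """Check every probe and return all problems across them."""
    return [p for case, (status, headers) in samples.items()
            for p in check_outcome(case, status, headers)]

if __name__ == "__main__":
    print(run_checks() or "all three outcomes verified")
```

To run it against a live application, replace `SAMPLES` with the status and headers from three real requests: one with no token, one with a token lacking the tool's scope, and one with a correctly scoped token.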
Two paths from here
- You want the linear walkthrough. Open From zero to launched. It takes the five steps above and runs them end to end with screenshots, one decision per step.
- You're setting up the workspace itself first. Sign in, configure MFA, create the workspace, then come back. Start at Sign in & account setup and follow the order in the sidebar.
The walkthrough is what you want if you already have an AuthSec account and just want to protect something. The workspace setup is what you want the very first time.
Where things live in the docs
| If you want to... | Read |
|---|---|
| Protect one application, end to end | From zero to launched |
| Understand the language: members, end users, scopes, audiences | Concepts |
| Install the SDK | Python · Go · TypeScript |
| Take a deep dive into one of the five steps | Protect an application (the lifecycle guide) |
| Look up an API endpoint or response shape | Reference |
| Manage members or end users after launch | Administration |
Continue with From zero to launched.