Overview and launch
The Overview tab is the gate between "I'm setting this up" and "this is live." It shows the current top blocker and the operator action queue; nothing launches until every blocker is resolved.
What the UI does
Three sections on the Overview tab:
- Top blocker — the one issue preventing launch or the most important post-launch remediation.
- Action queue — unmapped tools, public/risky tools, access gaps, failed tests, drift, and recent denied calls.
- Activation preview — what your policy will look like at the moment of launch. Tool counts, mapped/public/unmapped, default role grants, viewer scopes, public tools.
When everything is green, the Activate button at the top lights up.
The checklist
| Step | Required for activation | What it checks |
|---|---|---|
| Register | Always green after registration | Resource server row exists. |
| Tool inventory | At least one tool | last_successful_generation > 0. |
| Define scopes | At least one scope | oauth_scopes count > 0 for this RS. |
| Map tools to scopes | No unmapped tools | Every tool from the latest scan generation has either a scope mapping or is_public = true. |
| Default role | Default role exists and is enabled | resource_server_access_policies.enabled = true AND default_role_id set. |
| Activate | All five above are green | can_activate = true (computed). |
The can_activate field is computed on the fly by GET /authsec/resource-servers/:id/setup — it's not stored. The same call returns the full checklist state.
The activation preview
Sourced from GET /authsec/resource-servers/:id/activation-preview. What the policy will look like the moment you launch:
{
"tool_counts": {"total": 101, "mapped": 5, "public": 1, "unmapped": 96},
"default_role_grants": [],
"viewer_scopes": [],
"first_time_user_grant": null,
"public_tools": ["actions_get"]
}
This is what the SDK will be enforcing in five seconds if you click Activate now. Read it carefully — it's the last preview before you commit.
What Activate does
POST /authsec/resource-servers/:id/activate:
- Re-runs the
can_activatecheck. Bails with 409 if anything regressed since you loaded the page. - Updates
resource_serverswith:state = 'ready'setup_completed_at = NOW()setup_completed_by = <admin_user_id>
- Emits an audit event so the action shows up in audit logs.
- The SDK ScopeMatrixClient picks up the new policy on its next stale read (typically within 5 minutes; can be forced by restarting your MCP server).
The change is one-way logical but technically reversible: there's no Un-activate button, but you can rotate the introspection secret to force SDK calls to fail and effectively shut the integration down. For ongoing changes, edit on the Tools tab and the runtime picks them up.
Re-running activation after changes
You don't have to re-activate when you change scopes or mappings after launch. The state stays ready; the changes just propagate to the SDK on its next policy refresh.
What does require activation:
- Going from
needs_setup→readyfor the first time. - After a scan rebuild from scratch (e.g. deleted all tools and rescanned), if
can_activateregressed to false.
What state = ready changes at runtime
When the SDK fetches the policy and sees state = 'ready', enforcement is on. Before that, the SDK is technically running but the policy is empty — every tool call falls back to "no policy", which under PolicyModeRemoteRequired means 503. So in practice, activating is what turns the SDK from "always fail closed" to "enforce real policy."
The setup_completed_at timestamp is informational — drift events use it to know whether an event is post-activation (worth surfacing on the Monitor tab) or pre-activation (just admin housekeeping).
Troubleshooting
Activate is greyed out. The Overview action queue tells you exactly which step is pending. Fix that step.
Activate fails with 409. can_activate regressed between page load and click — someone deleted a scope, unmapped a tool, or disabled the access policy in the meantime. Reload the page and check the action queue.
Activate succeeded but my MCP server is still 503ing. The SDK's policy cache hasn't refreshed yet. Either wait up to 5 minutes for the natural refresh, or restart your MCP server.
Auth scheme
| Endpoint | Auth |
|---|---|
GET /authsec/resource-servers/:id/setup | Admin JWT |
GET /authsec/resource-servers/:id/activation-preview | Admin JWT |
POST /authsec/resource-servers/:id/activate | Admin JWT |
None of these are SDK-facing.
Related
- Run the protection test — final pre-flight
- Monitor drift and runtime — what to watch after launch
- Go SDK reference — how the SDK picks up policy after activation