Role Bindings

Role bindings are now presented as application access assignments. They connect a principal to an application role, and the role determines which tools and scopes are reachable at runtime.

The runtime SDK does not create or remove access assignments from inside a protected application. That keeps grant changes auditable and lets AuthSec preview the blast radius before an operator changes access.

Where to manage access assignments

Application Access: assign users or groups to application roles after the application is launched.
Global Role Bindings: review application role bindings across the workspace. Workspace-admin/platform bindings are intentionally separate from application access.
Effective Access: answer "why can this user call this tool?" or "why was this denied?" using the same resolver as runtime policy.

Runtime SDK behavior

The SDK validates the token, fetches the current policy, and checks the scopes granted through active assignments.

import { loadConfigFromEnv, mountMCP } from "@authsec/sdk";

mountMCP(app, {
  path: "/mcp",
  handler: mcpHandler,
  config: loadConfigFromEnv(),
});

from authsec_sdk import from_env, mount_mcp

cfg = from_env()
mount_mcp(app, "/mcp", existing_handler, cfg)

The older authz-sdk role-binding helper examples are retained only for legacy projects. New MCP applications should use the console or aggregate APIs so AuthSec can produce impact previews and audit evidence.

Where to manage access assignments​

Runtime SDK behavior​

Where to manage access assignments

Runtime SDK behavior