docs: Add MCP OAuth 2.1 deployment configuration (#1638)

bjcoombs · web-flow · commit 6dff3c601ca8 · 2026-03-12T20:39:18.000Z
* docs: Add MCP OAuth 2.1 env vars to demo .env example

Document all MCP OAuth configuration variables with descriptions,
generation commands, and format notes (escaped newlines for PEM keys).

* fix: Mark required OAuth vars and document PEM format prerequisite

---------

Co-authored-by: Ben Coombs &lt;bjcoombs@users.noreply.github.com&gt;
diff --git a/deploy/demo/.env.demo.example b/deploy/demo/.env.demo.example
@@ -176,6 +176,44 @@ MCP_BASE_URL=https://demo.meridianhub.cloud
 # Must match an entry in API_KEYS above (format: "key:identity").
 MERIDIAN_API_KEY=changeme
 
+# [OPTIONAL] Enable OAuth 2.1 for MCP clients (Claude.ai, etc.).
+# When true, MCP clients must complete an OAuth flow to get a JWT.
+MCP_OAUTH_ENABLED=false
+
+# [OPTIONAL] OAuth client ID that MCP clients use to authenticate.
+#MCP_OAUTH_CLIENT_ID=meridian-mcp
+
+# [OPTIONAL] Base domain for subdomain-based tenant resolution on MCP requests.
+#MCP_BASE_DOMAIN=demo.meridianhub.cloud
+
+# [REQUIRED when MCP_OAUTH_ENABLED=true] Dex OIDC issuer URL (internal).
+# The MCP server acts as an OIDC client of Dex for delegated authentication.
+#MCP_DEX_ISSUER_URL=http://dex:5556/dex
+
+# [OPTIONAL] Dex static client ID for the MCP server's OIDC integration.
+#MCP_DEX_CLIENT_ID=meridian-service
+
+# [REQUIRED when MCP_OAUTH_ENABLED=true] MCP server's OIDC callback URL (must be registered in dex.yaml).
+#MCP_DEX_CALLBACK_URL=https://demo.meridianhub.cloud/oauth/callback
+
+# [REQUIRED when MCP_OAUTH_ENABLED=true] JWKS URL for validating bearer tokens on MCP requests.
+# Points to the BFF's JWKS endpoint so BFF-issued tokens are accepted.
+#MCP_JWKS_URL=https://demo.meridianhub.cloud/api/auth/jwks
+
+# [REQUIRED when MCP_OAUTH_ENABLED=true] RSA private key for JWT signing.
+# Must be the same key used by the BFF for cross-subdomain session sharing.
+# Store as a single line with literal \n for newlines (docker-compose .env limitation).
+# Generate: openssl genrsa 2048 | awk '{printf "%s\\n", $0}'
+# NOTE: The Meridian binary must include the escaped-newline PEM fix
+# (strings.ReplaceAll for \n literals) for this format to work.
+#JWT_SIGNING_KEY=-----BEGIN PRIVATE KEY-----\nMIIEv...base64...==\n-----END PRIVATE KEY-----
+
+# [OPTIONAL] Key ID for the JWT signing key (must match JWKS).
+#JWT_SIGNING_KEY_ID=meridian-1
+
+# [OPTIONAL] JWT issuer claim.
+#JWT_SIGNING_ISSUER=meridian
+
 # ---------------------------------------------------------------------------
 # Frontend
 # ---------------------------------------------------------------------------
