Add API Key, DPoP, and Mutual TLS running instructions to multiprotocol examples

nypdmax · nypdmax · commit b68a193abab6 · 2026-02-06T11:18:16.000+08:00
diff --git a/examples/README.md b/examples/README.md
@@ -1,5 +1,25 @@
 # Python SDK Examples
 
-This folders aims to provide simple examples of using the Python SDK. Please refer to the
+This folder aims to provide simple examples of using the Python SDK. Please refer to the
 [servers repository](https://github.com/modelcontextprotocol/servers)
 for real-world servers.
+
+## Multi-protocol auth
+
+- **Server**: [simple-auth-multiprotocol](servers/simple-auth-multiprotocol/) — RS with OAuth, API Key, DPoP, and Mutual TLS (placeholder).
+
+**API Key**
+
+- Use `MCP_API_KEY` on the client; start RS with `--api-keys=...` (no AS required).
+- One-command test (from repo root): `MCP_PHASE2_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`
+
+**OAuth + DPoP**
+
+- Start AS and RS with `--dpop-enabled`; client: `MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1`.
+- One-command test (from repo root): `./scripts/run_phase4_dpop_integration_test.sh` (use `MCP_SKIP_OAUTH=1` to skip manual OAuth step).
+
+**Mutual TLS (placeholder)**
+
+- mTLS is a placeholder (no client cert validation). Script: `MCP_PHASE2_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`
+
+**Client**: [simple-auth-multiprotocol-client](clients/simple-auth-multiprotocol-client/) — supports API Key (`MCP_API_KEY`), OAuth+DPoP (`MCP_USE_OAUTH=1`, `MCP_DPOP_ENABLED=1`), and mTLS placeholder.
diff --git a/examples/clients/simple-auth-multiprotocol-client/README.md b/examples/clients/simple-auth-multiprotocol-client/README.md
@@ -12,6 +12,50 @@ MCP client example using **MultiProtocolAuthProvider** with **API Key** and **Mu
 2. From this directory: `uv run mcp-simple-auth-multiprotocol-client` or `uv run python -m mcp_simple_auth_multiprotocol_client`.
 3. Optional: `MCP_SERVER_URL=http://localhost:8002/mcp` to override server URL.
 
+## Running with API Key
+
+When the server supports API Key (e.g. `simple-auth-multiprotocol` with `--api-keys`), set:
+
+- **`MCP_API_KEY`** – your API key (e.g. `demo-api-key-12345`). The client sends it as `X-API-Key`.
+- **`MCP_SERVER_URL`** – optional; default is `http://localhost:8002/mcp` when using the default client config.
+
+Example (server on port 8002, no OAuth/AS required):
+
+```bash
+MCP_SERVER_URL=http://localhost:8002/mcp MCP_API_KEY=demo-api-key-12345 uv run mcp-simple-auth-multiprotocol-client
+```
+
+**One-command test** from repo root:  
+`MCP_PHASE2_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`  
+starts the resource server and this client with API Key; at `mcp>` run `list`, `call get_time {}`, `quit`.
+
+## Running with OAuth + DPoP
+
+When the server has DPoP enabled (`--dpop-enabled`), use OAuth and DPoP together:
+
+- **`MCP_USE_OAUTH=1`** – enable OAuth (required for DPoP).
+- **`MCP_DPOP_ENABLED=1`** – send DPoP-bound access tokens (DPoP proof in each request).
+
+Example (server on port 8002 with DPoP, AS on 9000):
+
+```bash
+MCP_SERVER_URL=http://localhost:8002/mcp MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1 uv run mcp-simple-auth-multiprotocol-client
+```
+
+Complete OAuth in the browser; then at `mcp>` run `list`, `call get_time {}`, `quit`. Server logs should show "Authentication successful with DPoP".
+
+**One-command test** from repo root:  
+`./scripts/run_phase4_dpop_integration_test.sh` — starts AS and RS with DPoP, then runs this client (OAuth+DPoP). Use `MCP_SKIP_OAUTH=1` to run only the automated curl tests and skip the manual client step.
+
+## Running with Mutual TLS (placeholder)
+
+Mutual TLS is a **placeholder** in this example: the client registers the `mutual_tls` protocol but does **not** perform client certificate authentication. Selecting mTLS will show a "not implemented" style message.
+
+- **`MCP_PHASE2_PROTOCOL=mutual_tls`** (with the phase2 script) runs this client in mTLS mode; the client will start but mTLS auth is not implemented.
+
+**One-command test** from repo root:  
+`MCP_PHASE2_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`
+
 ## Commands
 
 - `list` – list tools  
diff --git a/examples/servers/simple-auth-multiprotocol/README.md b/examples/servers/simple-auth-multiprotocol/README.md
@@ -19,11 +19,62 @@ MCP Resource Server example that supports **OAuth 2.0** (introspection), **API K
    - API Key: set header `X-API-Key: demo-api-key-12345` or `Authorization: Bearer demo-api-key-12345` (default key).  
    Custom keys: `--api-keys=key1,key2`.
 
+## Running with API Key only
+
+You can run the Resource Server **without** the Authorization Server when using API Key authentication:
+
+1. **Start the Resource Server** (from this directory):
+   ```bash
+   uv run mcp-simple-auth-multiprotocol-rs --port=8002 --api-keys=demo-api-key-12345
+   ```
+
+2. **Run the client** from `examples/clients/simple-auth-multiprotocol-client`:
+   ```bash
+   MCP_SERVER_URL=http://localhost:8002/mcp MCP_API_KEY=demo-api-key-12345 uv run mcp-simple-auth-multiprotocol-client
+   ```
+
+3. At the `mcp>` prompt, run `list`, `call get_time {}`, then `quit`.
+
+**One-command verification** (from repo root):  
+`MCP_PHASE2_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`  
+This starts the RS, then the client with API Key; complete the session with `list`, `call get_time {}`, `quit`.
+
+## Running with DPoP (OAuth + DPoP)
+
+DPoP (Demonstrating Proof-of-Possession, RFC 9449) binds the access token to a client-held key. Use it together with OAuth.
+
+1. **Start the Authorization Server** (from `examples/servers/simple-auth`):  
+   `uv run mcp-simple-auth-as --port=9000`
+
+2. **Start this Resource Server with DPoP enabled** (from this directory):
+   ```bash
+   uv run mcp-simple-auth-multiprotocol-rs --port=8002 --auth-server=http://localhost:9000 --api-keys=demo-api-key-12345 --dpop-enabled
+   ```
+
+3. **Run the client** with OAuth and DPoP from `examples/clients/simple-auth-multiprotocol-client`:
+   ```bash
+   MCP_SERVER_URL=http://localhost:8002/mcp MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1 uv run mcp-simple-auth-multiprotocol-client
+   ```
+   Complete OAuth in the browser, then at `mcp>` run `list`, `call get_time {}`, `quit`. Server logs should show "Authentication successful with DPoP".
+
+**One-command verification** (from repo root):  
+`./scripts/run_phase4_dpop_integration_test.sh` — starts AS and RS (with `--dpop-enabled`), runs automated DPoP tests, then optionally the OAuth+DPoP client (use `MCP_SKIP_OAUTH=1` to skip the manual OAuth step).
+
+## Running with Mutual TLS (placeholder)
+
+Mutual TLS is a **placeholder** in this example: the server accepts the `mutual_tls` protocol in PRM/discovery but does **not** perform client certificate validation. Selecting mTLS in the client will show a "not implemented" style message.
+
+- **Server**: No extra flags; `auth_protocols` already includes `mutual_tls`.
+- **Client** (from repo root):  
+  `MCP_PHASE2_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`  
+  The client will start but mTLS authentication is not implemented in this example.
+
 ## Options
 
 - `--port`: RS port (default 8002).
 - `--auth-server`: AS URL (default http://localhost:9000).
 - `--api-keys`: Comma-separated valid API keys (default demo-api-key-12345).
 - `--oauth-strict`: Enable RFC 8707 resource validation.
+- `--dpop-enabled`: Enable DPoP proof verification (RFC 9449); use with OAuth.
 
 Mutual TLS is a placeholder (no client certificate validation).
