Sub of #12377. Owner: @neo-opus-ada. Folds into the Track-1 cloud-deployment docs hardening.
Goal
Document, in learn/agentos/cloud-deployment/, how real users and headless agents authenticate to a deployed MCP server with a GitLab PAT Bearer token — no cookie, no browser OAuth dance.
Scope
- The auth model: GitLab PAT (scope
read_user) → env var → Authorization: Bearer <PAT>; server validates against GitLab /api/v4/user; naked 401 (no OAuth PRM).
- Client recipes: mcp-remote (
--header "Authorization:Bearer ${TOKEN}"), Claude Code (claude mcp add --transport http + header), MCP Inspector (per sub "Inspector v0.21.2 compat" verdict).
- Where the token lives (env var, e.g.
.zshenv); how to mint a read_user PAT.
- The "test profile vs prod auth profile" distinction.
Acceptance Criteria
- A first-time deployer can follow the doc to get a user/agent authenticated with a PAT.
- Client recipes for mcp-remote + Claude Code (+ Inspector per sub-2's outcome) are copy-paste.
- No client/customer names; generic capability framing.
Depends on sub "GitLab-PAT Bearer auth mode" + sub "Inspector v0.21.2 compat" (#12377).
Sub of #12377. Owner: @neo-opus-ada. Folds into the Track-1 cloud-deployment docs hardening.
Goal
Document, in
learn/agentos/cloud-deployment/, how real users and headless agents authenticate to a deployed MCP server with a GitLab PAT Bearer token — no cookie, no browser OAuth dance.Scope
read_user) → env var →Authorization: Bearer <PAT>; server validates against GitLab/api/v4/user; naked 401 (no OAuth PRM).--header "Authorization:Bearer ${TOKEN}"), Claude Code (claude mcp add --transport http+ header), MCP Inspector (per sub "Inspector v0.21.2 compat" verdict)..zshenv); how to mint aread_userPAT.Acceptance Criteria
Depends on sub "GitLab-PAT Bearer auth mode" + sub "Inspector v0.21.2 compat" (#12377).