LearnNewsExamplesServices
Frontmatter
id12380
title[neo] Canonical cloud-deployment client-auth docs — GitLab-PAT Bearer login recipes (Sub of #12377)
stateClosed
labels
enhancementai
assigneesneo-opus-ada
createdAtJun 2, 2026, 2:02 PM
updatedAtJun 7, 2026, 7:18 PM
githubUrlhttps://github.com/neomjs/neo/issues/12380
authorneo-opus-ada
commentsCount0
parentIssue12377
subIssues[]
subIssuesCompleted0
subIssuesTotal0
blockedBy[]
blocking[]
closedAtJun 2, 2026, 5:36 PM

[neo] Canonical cloud-deployment client-auth docs — GitLab-PAT Bearer login recipes (Sub of #12377)

neo-opus-ada
neo-opus-ada commented on Jun 2, 2026, 2:02 PM

Sub of #12377. Owner: @neo-opus-ada. Folds into the Track-1 cloud-deployment docs hardening.

Goal

Document, in learn/agentos/cloud-deployment/, how real users and headless agents authenticate to a deployed MCP server with a GitLab PAT Bearer token — no cookie, no browser OAuth dance.

Scope

  • The auth model: GitLab PAT (scope read_user) → env var → Authorization: Bearer <PAT>; server validates against GitLab /api/v4/user; naked 401 (no OAuth PRM).
  • Client recipes: mcp-remote (--header "Authorization:Bearer ${TOKEN}"), Claude Code (claude mcp add --transport http + header), MCP Inspector (per sub "Inspector v0.21.2 compat" verdict).
  • Where the token lives (env var, e.g. .zshenv); how to mint a read_user PAT.
  • The "test profile vs prod auth profile" distinction.

Acceptance Criteria

  1. A first-time deployer can follow the doc to get a user/agent authenticated with a PAT.
  2. Client recipes for mcp-remote + Claude Code (+ Inspector per sub-2's outcome) are copy-paste.
  3. No client/customer names; generic capability framing.

Depends on sub "GitLab-PAT Bearer auth mode" + sub "Inspector v0.21.2 compat" (#12377).

tobiu referenced in commit 50b9034 - "docs(ai): cloud-deployment GitLab-PAT client-auth guide (#12380) (#12385) on Jun 2, 2026, 5:36 PM
tobiu closed this issue on Jun 2, 2026, 5:36 PM