
docs(mcp-gateway): outbound credential brokering + dynamic short-lived credentials (PR 4e)#629

Open
EliMoshkovich wants to merge 1 commit into master from PER-14853/pr4e/dynamic-credential-issuance

Conversation

@EliMoshkovich
Contributor

Why

Companion customer-docs for agent-security PR #295 (PER-14853, PR 4e — Dynamic / Short-Lived Credential Issuance). The gateway can now mint short-lived, identity-scoped credentials for agents' outbound API calls instead of storing a long-lived secret — a customer-facing behavioral change that needs documentation.

Linear: PER-14853.

What

  • New page docs/permit-mcp-gateway/outbound-credentials.mdx (sidebar 8.5): documents the gateway as an outbound credential broker — the agent never holds the upstream secret; the gateway injects it per request, authorizes the destination against policy, and scrubs the credential from the response. Covers the three credential types:
    • Static stored secret (header / query / basic auth).
    • AWS STS — assume the configured IAM role per request → temporary credentials → SigV4-signed request; no long-lived AWS key stored or injected.
    • OAuth — refresh token stays vaulted (never injected, never logged); only a short-lived minted access token is injected.
    • Plus caching/freshness, a security summary, and the AWS-side IAM requirements (assume-role permission, target-role trust policy + per-tenant external ID, MaxSessionDuration).
  • advanced-features.mdx: new "Outbound Credential Brokering" section cross-linking the page + a Feature Maturity Summary row.
  • cspell.json: added SigV4, IRSA, HashiCorp, EKS.

How it was tested

Docs-only. Verified internal links resolve to existing pages (human-in-the-loop, enterprise-deployment, the new outbound-credentials), frontmatter matches the existing permit-mcp-gateway pages, and added the new technical terms to cspell.json so the spell-check passes. No emojis; Docusaurus admonitions used per house style.

Notes

Dynamic issuance is flagged as an Enterprise capability under active development; static credential injection + response scrubbing are described as available today. Phrasing is intentionally conservative on maturity, matching the surrounding Advanced Features page.

🤖 Generated with Claude Code
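
To make the brokering flow described in the PR body concrete, here is an added Python example; it is not part of this PR or of the Permit MCP Gateway code base. It models the behaviours the description lists: the destination is authorized against policy before anything is injected, the credential is injected per request so the agent never holds it, a minted short-lived credential is cached and re-minted only when it is within a refresh skew of expiry, and every issued credential value is scrubbed from the upstream response. The `DestinationPolicy` class, the `minter` callable, the 30-second refresh skew, the header names and all sample values are assumptions; in a real deployment the STS AssumeRole + SigV4 path or the OAuth refresh-token exchange would sit behind `minter`.

```python
"""Added example: a minimal outbound credential broker (constructed, not gateway code).

The agent hands an outbound request to the broker; the broker checks the
destination against policy, injects a credential the agent never sees, and
scrubs any issued credential value out of the response before returning it.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

REDACTED = "[REDACTED]"


@dataclass
class ShortLivedCredential:
    """A minted credential and its absolute expiry (unix seconds)."""
    value: str
    expires_at: float


@dataclass(frozen=True)
class DestinationPolicy:
    """Hypothetical policy: only listed hosts, and only over HTTPS."""
    allowed_hosts: frozenset
    require_https: bool = True

    def permits(self, url: str) -> bool:
        parts = urlparse(url)
        if self.require_https and parts.scheme != "https":
            return False
        return parts.hostname in self.allowed_hosts


class CredentialBroker:
    """Per-request injection, freshness-aware caching and response scrubbing."""

    def __init__(self, policy: DestinationPolicy,
                 minter: Callable[[], ShortLivedCredential],
                 refresh_skew: float = 30.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._policy = policy
        self._minter = minter          # stand-in for STS AssumeRole or an OAuth refresh
        self._refresh_skew = refresh_skew
        self._clock = clock
        self._cached: Optional[ShortLivedCredential] = None
        self._issued: List[str] = []   # every value ever injected, kept for scrubbing
        self.mint_count = 0

    def _fresh_credential(self) -> ShortLivedCredential:
        """Reuse the cached credential until it is within refresh_skew of expiry."""
        now = self._clock()
        cached = self._cached
        if cached is None or cached.expires_at - now <= self._refresh_skew:
            cached = self._minter()
            self.mint_count += 1
            self._issued.append(cached.value)
            self._cached = cached
        return cached

    def outbound_request(self, url: str, headers: Dict[str, str]) -> Dict[str, str]:
        """Authorize the destination first, then return headers with the credential injected."""
        if not self._policy.permits(url):
            raise PermissionError(f"destination not permitted by policy: {url}")
        cred = self._fresh_credential()
        injected = dict(headers)       # never mutate the agent's own view of the request
        injected["Authorization"] = f"Bearer {cred.value}"
        return injected

    def scrub_response(self, body: str, headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
        """Remove any issued credential value that the upstream echoed in body or headers."""
        clean_body = body
        clean_headers = dict(headers)
        for secret in self._issued:
            clean_body = clean_body.replace(secret, REDACTED)
            for name, value in list(clean_headers.items()):
                if secret in value:
                    clean_headers[name] = value.replace(secret, REDACTED)
        return clean_body, clean_headers


def demo() -> Dict[str, object]:
    """Deterministic walk-through with a fake clock and a fake minter (constructed data)."""
    state = {"now": 1000.0, "n": 0}

    def fake_minter() -> ShortLivedCredential:
        state["n"] += 1
        return ShortLivedCredential(f"tok-{state['n']}", state["now"] + 300.0)

    policy = DestinationPolicy(frozenset({"api.example.com"}))
    broker = CredentialBroker(policy, fake_minter, clock=lambda: state["now"])
    first = broker.outbound_request("https://api.example.com/v1/orders", {"X-Agent-Id": "agent-7"})
    state["now"] = 1100.0                                  # still fresh: same token reused
    second = broker.outbound_request("https://api.example.com/v1/orders", {})
    state["now"] = 1280.0                                  # 20 s to expiry < 30 s skew: re-mint
    third = broker.outbound_request("https://api.example.com/v1/orders", {})
    try:
        broker.outbound_request("http://api.example.com/v1/orders", {})
        denied = False
    except PermissionError:
        denied = True
    body, hdrs = broker.scrub_response("upstream echoed tok-1 and tok-2", {"X-Debug": "tok-2"})
    return {"first": first["Authorization"], "second": second["Authorization"],
            "third": third["Authorization"], "mints": broker.mint_count,
            "plain_http_denied": denied, "body": body, "headers": hdrs}


if __name__ == "__main__":
    print(demo())
```

The policy check runs before any minting so a denied destination never causes a credential to be issued, and the scrubber keeps every value it has ever injected rather than only the current one, since a response can echo a token that was rotated out moments earlier.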

…d credentials (PR 4e)

New Outbound Credentials page: the gateway brokers agents' outbound API
credentials — per-request injection + response scrubbing, plus dynamic
short-lived issuance (AWS STS temporary credentials via SigV4, OAuth access
tokens minted from a vaulted refresh token that never leaves the gateway).
Cross-linked from Advanced Features + maturity table; cspell terms added.

Companion to agent-security PR #295 (PER-14853 PR 4e). Push/PR deferred to
batch the full PER-14853 customer-docs work.
Copilot AI review requested due to automatic review settings May 22, 2026 15:04
@linear-code

linear-code Bot commented May 22, 2026

PER-14853

@netlify

netlify Bot commented May 22, 2026

Deploy Preview for permitio-docs ready!

  • Latest commit: 21725ec
  • Latest deploy log: https://app.netlify.com/projects/permitio-docs/deploys/6a1070914507180008b1f94f
  • Deploy Preview: https://deploy-preview-629--permitio-docs.netlify.app

Copilot AI left a comment


Pull request overview

Adds customer-facing documentation for Permit MCP Gateway’s new outbound credential brokering behavior, including dynamic short-lived credential issuance (AWS STS + OAuth) and cross-linking from existing “Advanced Features” docs.

Changes:

  • Added a new Outbound Credentials guide describing static secret injection, AWS STS assume-role + SigV4 signing, and OAuth access-token minting from a vaulted refresh token.
  • Updated the “Advanced Features” page with a new “Outbound Credential Brokering” section and a corresponding Feature Maturity Summary row.
  • Extended cspell.json dictionary with new technical terms used by the docs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

  • docs/permit-mcp-gateway/outbound-credentials.mdx: new dedicated documentation page for outbound credential brokering and dynamic credential issuance.
  • docs/permit-mcp-gateway/advanced-features.mdx: adds cross-linking section + maturity table entry for outbound credential brokering.
  • cspell.json: adds spell-check allowlist entries for new terminology (SigV4, IRSA, HashiCorp, EKS).




2 participants