Login and instance registration as a single action: an instance is its URL, and the token is valid only against that URL. Plus the server-side discovery the client relies on to find its authorization server.
Delivered
- Browser login: `amctl login`, OAuth2 PKCE authorization-code flow for interactive use.
- Headless login: `amctl login --client-id --client-secret`, client-credentials flow for CI/automation.
- Server-side discovery: `GET /.well-known/oauth-protected-resource` (RFC 9728) and a `WWW-Authenticate: Bearer` challenge with a `resource_metadata` pointer on 401 (RFC 6750); `SERVER_PUBLIC_URL` / `OAUTH_AUTHORIZATION_SERVERS` config with startup validation. Used by both amctl and the MCP server.
- Default endpoint: `amctl login` defaults to the Agent Platform SaaS URL when `--url` is omitted; explicit `--url` still targets any instance (incl. `http://localhost:9000`).
PRs
Status
Done; #994 in review.
Part of the Agent Manager CLI epic.
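
An added example, not amctl's own code, of the client-side check that the discovery item above implies: parse the 401 `WWW-Authenticate: Bearer` challenge, then accept the RFC 9728 metadata only when its `resource` names the instance being logged in to. The function names, the hosts and the URL normalization are assumptions; `resource` and `authorization_servers` are the RFC 9728 field names.

```python
import re
from urllib.parse import urlsplit

# One auth-param of a challenge: key="quoted string" or key=token.
_PARAM = re.compile(r'([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

class DiscoveryError(Exception):
    """Raised when the discovery data must not be trusted."""

def parse_bearer_challenge(header):
    """Return the auth-params of a Bearer challenge as a dict."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise DiscoveryError(f"unsupported challenge scheme: {scheme!r}")
    params = {}
    for key, quoted, token in _PARAM.findall(rest):
        params[key.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
    return params

def _canon(url):
    # Assumed comparison policy: lower-case scheme/host, ignore a trailing slash.
    u = urlsplit(url)
    return f"{u.scheme.lower()}://{u.netloc.lower()}{u.path.rstrip('/')}"

def select_authorization_server(instance_url, challenge_header, metadata):
    """Validate fetched metadata for instance_url; return (metadata URL, issuer)."""
    meta_url = parse_bearer_challenge(challenge_header).get("resource_metadata")
    if not meta_url:
        raise DiscoveryError("challenge carries no resource_metadata pointer")
    # A token is valid only against this instance, so metadata that names a
    # different resource must never choose the authorization server.
    if _canon(str(metadata.get("resource", ""))) != _canon(instance_url):
        raise DiscoveryError("metadata resource does not match the instance URL")
    servers = metadata.get("authorization_servers") or []
    if not servers:
        raise DiscoveryError("metadata lists no authorization server")
    return meta_url, servers[0]

# Constructed sample data (hypothetical hosts, not taken from the project).
INSTANCE = "https://am.example.test"
CHALLENGE = ('Bearer resource_metadata='
             '"https://am.example.test/.well-known/oauth-protected-resource"')
GOOD = {"resource": "https://am.example.test/",
        "authorization_servers": ["https://idp.example.test"]}
SPOOFED = dict(GOOD, resource="https://other.example.test")

if __name__ == "__main__":
    print(select_authorization_server(INSTANCE, CHALLENGE, GOOD))
```
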