From 0e29fea857906ca48f4af8fc4500696b29bf846d Mon Sep 17 00:00:00 2001 From: Ryan Malloy Date: Sat, 27 Dec 2025 06:03:59 -0700 Subject: [PATCH] docs: add OAuth multi-user mode to README - Add Multi-User / OAuth Mode section with quick setup - Document permission groups for RBAC - Update transport option to streamable-http - Link to OAUTH-ARCHITECTURE.md for details --- README.md | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3900bc7..4b2c95b 100644 --- a/README.md +++ b/README.md @@ -195,11 +195,40 @@ Claude: [snapshots 12 VMs in parallel] | `VCENTER_CLUSTER` | Target cluster | *auto-detect* | | `VCENTER_DATASTORE` | Default datastore | *auto-detect* | | `VCENTER_NETWORK` | Default network | *auto-detect* | -| `MCP_TRANSPORT` | `stdio` or `sse` | `stdio` | +| `MCP_TRANSPORT` | `stdio` or `streamable-http` | `stdio` | | `LOG_LEVEL` | Logging verbosity | `INFO` | --- +## Multi-User / OAuth Mode + +For shared infrastructure or production deployments, mcvsphere supports OAuth 2.1 with any OIDC provider (Authentik, Keycloak, Auth0, etc.): + +```bash +# Enable HTTP transport with OAuth +export MCP_TRANSPORT=streamable-http +export OAUTH_ENABLED=true +export OAUTH_ISSUER_URL=https://auth.example.com/application/o/mcvsphere/ +export OAUTH_CLIENT_ID=your-client-id +export OAUTH_CLIENT_SECRET=your-client-secret +export OAUTH_BASE_URL=https://mcp.example.com + +uvx mcvsphere +``` + +Users authenticate via browser, and group memberships map to permission levels: + +| Group | Access | +|-------|--------| +| `vsphere-super-admins` | Full control | +| `vsphere-admins` | VM management | +| `vsphere-operators` | Basic operations | +| `vsphere-viewers` | Read-only | + +See [OAUTH-ARCHITECTURE.md](OAUTH-ARCHITECTURE.md) for detailed setup instructions. + +--- + ## Docker ```bash
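Review bot: The group table at the end of the new "Multi-User / OAuth Mode" section lists four groups but does not say what an authenticated user who belongs to none of them receives; state the default explicitly (ideally no access) so operators do not have to infer it. In the same section, `MCP_TRANSPORT=streamable-http` and `OAUTH_ENABLED=true` are separate settings, and the text does not say what happens when the HTTP transport is enabled with OAuth left off; add a sentence on that, or point to where OAUTH-ARCHITECTURE.md covers it. The example sets `OAUTH_CLIENT_SECRET` in a literal `export` line, which can end up in shell history if typed as shown; consider showing it loaded from a file or secret store instead. The `MCP_TRANSPORT` table row also replaces `sse` with `streamable-http` without saying whether existing `MCP_TRANSPORT=sse` configurations still work.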