docs: add OAuth multi-user mode to README

- Add Multi-User / OAuth Mode section with quick setup - Document permission groups for RBAC - Update transport option to streamable-http - Link to OAUTH-ARCHITECTURE.md for details
2025-12-27 06:03:59 -07:00 · 2025-12-27 06:03:59 -07:00 · 0e29fea857
commit 0e29fea857
parent 4890950e19
1 changed files with 30 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -195,11 +195,40 @@ Claude: [snapshots 12 VMs in parallel]
 | `VCENTER_CLUSTER` | Target cluster | *auto-detect* |
 | `VCENTER_DATASTORE` | Default datastore | *auto-detect* |
 | `VCENTER_NETWORK` | Default network | *auto-detect* |
-| `MCP_TRANSPORT` | `stdio` or `sse` | `stdio` |
+| `MCP_TRANSPORT` | `stdio` or `streamable-http` | `stdio` |
 | `LOG_LEVEL` | Logging verbosity | `INFO` |

 ---

+## Multi-User / OAuth Mode
+
+For shared infrastructure or production deployments, mcvsphere supports OAuth 2.1 with any OIDC provider (Authentik, Keycloak, Auth0, etc.):
+
+```bash
+# Enable HTTP transport with OAuth
+export MCP_TRANSPORT=streamable-http
+export OAUTH_ENABLED=true
+export OAUTH_ISSUER_URL=https://auth.example.com/application/o/mcvsphere/
+export OAUTH_CLIENT_ID=your-client-id
+export OAUTH_CLIENT_SECRET=your-client-secret
+export OAUTH_BASE_URL=https://mcp.example.com
+
+uvx mcvsphere
+```
+
+Users authenticate via browser, and group memberships map to permission levels:
+
+| Group | Access |
+|-------|--------|
+| `vsphere-super-admins` | Full control |
+| `vsphere-admins` | VM management |
+| `vsphere-operators` | Basic operations |
+| `vsphere-viewers` | Read-only |
+
+See [OAUTH-ARCHITECTURE.md](OAUTH-ARCHITECTURE.md) for detailed setup instructions.
+
+---
+
 ## Docker

 ```bash