fastmcp.server.auth.authorization

Authorization checks for FastMCP components. This module provides callable-based authorization for tools, resources, and prompts. Auth checks are functions that receive an AuthContext and return True to allow access or False to deny. Auth checks can also raise exceptions:
  • AuthorizationError: Propagates with the custom message for explicit denial
  • Other exceptions: Masked for security (logged, treated as auth failure)
Example:
from fastmcp import FastMCP
from fastmcp.server.auth import require_auth, require_scopes

mcp = FastMCP()

@mcp.tool(auth=require_auth)
def protected_tool(): ...

@mcp.resource("data://secret", auth=require_scopes("read"))
def secret_data(): ...

@mcp.prompt(auth=require_auth)
def admin_prompt(): ...

Functions

require_auth

require_auth(ctx: AuthContext) -> bool
Require any valid authentication. Returns True if the request has a valid token, False otherwise.

require_scopes

require_scopes(*scopes: str) -> AuthCheck
Require specific OAuth scopes. Returns an auth check that requires ALL specified scopes to be present in the token (AND logic).
Args:
  • *scopes: One or more scope strings that must all be present.

restrict_tag

restrict_tag(tag: str, *, scopes: list[str]) -> AuthCheck
Restrict components with a specific tag to require certain scopes. If the component has the specified tag, the token must have ALL the required scopes. If the component doesn’t have the tag, access is allowed.
Args:
  • tag: The tag that triggers the scope requirement.
  • scopes: List of scopes required when the tag is present.

run_auth_checks

run_auth_checks(checks: AuthCheck | list[AuthCheck], ctx: AuthContext) -> bool
Run auth checks with AND logic. All checks must pass for authorization to succeed. Auth checks can:
  • Return True to allow access
  • Return False to deny access
  • Raise AuthorizationError to deny with a custom message (propagates)
  • Raise other exceptions (masked for security, treated as denial)
Args:
  • checks: A single check function or list of check functions.
  • ctx: The auth context to pass to each check.
Returns:
  • True if all checks pass, False if any check fails.
Raises:
  • AuthorizationError: If an auth check explicitly raises it.
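To make the documented semantics concrete, here is an added stand-alone model of the check behaviour described above (not fastmcp's own code): the AuthContext, AuthCheck, require_auth, require_scopes, restrict_tag and run_auth_checks names mirror the documentation, but the token is modelled as just its set of scopes and the component as just its tags so the block runs without fastmcp installed.

```python
# Added example, not fastmcp's implementation: models the documented check
# semantics (AND logic, AuthorizationError propagates, other errors fail closed).
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable
import logging

class AuthorizationError(Exception):
    """Explicit denial with a custom message; propagates to the caller."""

@dataclass
class Component:            # constructed stand-in for a tool/resource/prompt
    tags: set[str] = field(default_factory=set)

@dataclass
class AuthContext:
    token: frozenset[str] | None   # constructed stand-in: the token's scopes, or None
    component: Component

AuthCheck = Callable[[AuthContext], bool]

def require_auth(ctx: AuthContext) -> bool:
    return ctx.token is not None

def require_scopes(*scopes: str) -> AuthCheck:
    def check(ctx: AuthContext) -> bool:
        return ctx.token is not None and set(scopes) <= ctx.token
    return check

def restrict_tag(tag: str, *, scopes: list[str]) -> AuthCheck:
    def check(ctx: AuthContext) -> bool:
        if tag not in ctx.component.tags:
            return True                     # untagged components are unaffected
        return ctx.token is not None and set(scopes) <= ctx.token
    return check

def run_auth_checks(checks: AuthCheck | list[AuthCheck], ctx: AuthContext) -> bool:
    for check in checks if isinstance(checks, list) else [checks]:
        try:
            if not check(ctx):
                return False                # AND logic: the first False denies
        except AuthorizationError:
            raise                           # explicit denial keeps its message
        except Exception:
            # A buggy check (KeyError, AttributeError, ...) must never grant
            # access: log it and treat it as a denial.
            logging.getLogger(__name__).exception("auth check failed")
            return False
    return True
```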

Classes

AuthContext

Context passed to auth check callables. This object is passed to each auth check function and provides access to the current authentication token and the component being accessed.
Attributes:
  • token: The current access token, or None if unauthenticated.
  • component: The component (tool, resource, or prompt) being accessed.
  • tool: Backwards-compatible alias for component when it’s a Tool.
Methods:

tool

tool(self) -> Tool | None
Backwards-compatible access to the component as a Tool. Returns the component if it’s a Tool, None otherwise.