ContextQMD
Back to Fastmcp

authorization

docs/python-sdk/fastmcp-server-auth-authorization.mdx

3.2.43.9 KB
Original Source

fastmcp.server.auth.authorization

Authorization checks for FastMCP components.

This module provides callable-based authorization for tools, resources, and prompts. Auth checks are functions that receive an AuthContext and return True to allow access or False to deny.

Auth checks can also raise exceptions:

  • AuthorizationError: Propagates with the custom message for explicit denial
  • Other exceptions: Masked for security (logged, treated as auth failure)

Example: ```python from fastmcp import FastMCP from fastmcp.server.auth import require_scopes

mcp = FastMCP()

@mcp.tool(auth=require_scopes("write"))
def protected_tool(): ...

@mcp.resource("data://secret", auth=require_scopes("read"))
def secret_data(): ...

@mcp.prompt(auth=require_scopes("admin"))
def admin_prompt(): ...
```

Functions

require_scopes <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/authorization.py#L78" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

python
require_scopes(*scopes: str) -> AuthCheck

Require specific OAuth scopes.

Returns an auth check that requires ALL specified scopes to be present in the token (AND logic).

Args:

  • *scopes: One or more scope strings that must all be present.

restrict_tag <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/authorization.py#L106" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

python
restrict_tag(tag: str) -> AuthCheck

Restrict components with a specific tag to require certain scopes.

If the component has the specified tag, the token must have ALL the required scopes. If the component doesn't have the tag, access is allowed.

Args:

  • tag: The tag that triggers the scope requirement.
  • scopes: List of scopes required when the tag is present.

run_auth_checks <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/authorization.py#L134" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

python
run_auth_checks(checks: AuthCheck | list[AuthCheck], ctx: AuthContext) -> bool

Run auth checks with AND logic.

All checks must pass for authorization to succeed. Checks can be synchronous or asynchronous functions.

Auth checks can:

  • Return True to allow access
  • Return False to deny access
  • Raise AuthorizationError to deny with a custom message (propagates)
  • Raise other exceptions (masked for security, treated as denial)

Args:

  • checks: A single check function or list of check functions. Each check can be sync (returns bool) or async (returns Awaitable[bool]).
  • ctx: The auth context to pass to each check.

Returns:

  • True if all checks pass, False if any check fails.

Raises:

  • AuthorizationError: If an auth check explicitly raises it.

Classes

AuthContext <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/authorization.py#L48" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

Context passed to auth check callables.

This object is passed to each auth check function and provides access to the current authentication token and the component being accessed.

Attributes:

  • token: The current access token, or None if unauthenticated.
  • component: The component (tool, resource, or prompt) being accessed.
  • tool: Backwards-compatible alias for component when it's a Tool.

Methods:

tool <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/authorization.py#L64" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

python
tool(self) -> Tool | None

Backwards-compatible access to the component as a Tool.

Returns the component if it's a Tool, None otherwise.