Skip to content

Add authorization checks to components and servers #2855

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jlowin merged 8 commits into from
Jan 13, 2026
Merged

Add authorization checks to components and servers #2855

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
a17a414
Add callable-based tool authorization with STDIO bypass
jlowin Jan 12, 2026
030e719
Extend authorization to resources and prompts
jlowin Jan 12, 2026
b71d0fa
Exclude auth from serialization and fix AccessToken claims
jlowin Jan 12, 2026
9335be4
Fix template auth bypass and update doc comment
jlowin Jan 12, 2026
eca0181
Add authorization feature to v3 release notes
jlowin Jan 12, 2026
24edfdf
Address CodeRabbit nitpicks
jlowin Jan 12, 2026
5dc1bd3
Add authorization to docs.json and icon to lifespan
jlowin Jan 13, 2026
f096301
Update docs: authorization, lifespan, context transport
jlowin Jan 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 53 additions & 0 deletions docs/development/v3-notes/v3-features.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -267,6 +267,59 @@ fastmcp dev server.py # Includes --reload by default

---

## Component Authorization

v3.0 introduces callable-based authorization for tools, resources, and prompts (`src/fastmcp/server/auth/authorization.py`).

**Component-level auth**:

```python
from fastmcp import FastMCP
from fastmcp.server.auth import require_auth, require_scopes

mcp = FastMCP()

@mcp.tool(auth=require_auth)
def protected_tool(): ...

@mcp.resource("data://secret", auth=require_scopes("read"))
def secret_data(): ...

@mcp.prompt(auth=require_scopes("admin"))
def admin_prompt(): ...
```

**Server-wide auth via middleware**:

```python
from fastmcp.server.middleware import AuthMiddleware
from fastmcp.server.auth import require_auth, restrict_tag

# Require auth for all components
mcp = FastMCP(middleware=[AuthMiddleware(auth=require_auth)])

# Tag-based restrictions
mcp = FastMCP(middleware=[
AuthMiddleware(auth=restrict_tag("admin", scopes=["admin"]))
])
```

Built-in checks:
- `require_auth`: Requires any valid token
- `require_scopes(*scopes)`: Requires specific OAuth scopes
- `restrict_tag(tag, scopes)`: Requires scopes only for tagged components

Custom checks receive `AuthContext` with `token` and `component`:

```python
def custom_check(ctx: AuthContext) -> bool:
return ctx.token is not None and "admin" in ctx.token.scopes
```

STDIO transport bypasses all auth checks (no OAuth concept).

---

## Deprecated Features

These emit deprecation warnings but continue to work.
Expand Down
5 changes: 3 additions & 2 deletions docs/docs.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@
"group": "Features",
"icon": "stars",
"pages": [
"servers/tasks",
"servers/authorization",
"servers/context",
"servers/elicitation",
"servers/icons",
Expand All @@ -129,7 +129,8 @@
"servers/middleware",
"servers/progress",
"servers/sampling",
"servers/storage-backends"
"servers/storage-backends",
"servers/tasks"
]
},
{
Expand Down
Loading
Loading