Remove require_auth in favor of scope-based authorization #3103

Merged: jlowin merged 1 commit into main from claude/investigate-issue-3090-TACeM on Feb 7, 2026
jlowin (Member) commented Feb 6, 2026

Description

This PR removes the require_auth built-in authorization check and updates all documentation and examples to use scope-based authorization via require_scopes instead.

Changes Made

  • Removed require_auth function from fastmcp.server.auth.authorization module
  • Updated exports in fastmcp.server.auth.__init__.py to remove require_auth
  • Updated all documentation in docs/development/v3-notes/v3-features.mdx and docs/servers/authorization.mdx:
    • Removed require_auth examples and references
    • Updated examples to use require_scopes for all authorization scenarios
    • Added clarification that when an AuthProvider is configured, all requests must carry valid tokens (unauthenticated requests are rejected at transport level)
    • Improved documentation on component-level vs server-level authorization
    • Added comprehensive example showing layered authorization (component + middleware)
    • Updated the "Built-in checks" section to list only require_scopes and restrict_tag
  • Updated all tests in tests/server/auth/test_authorization.py:
    • Removed TestRequireAuth test class
    • Updated all test cases to use require_scopes instead of require_auth
    • Updated middleware examples to use scope-based checks

Rationale

The require_auth check was a simple boolean check for token presence, but since the authorization model now requires an AuthProvider to be configured (which rejects unauthenticated requests at the transport level), this check became redundant. Using require_scopes is more explicit and provides better granularity for authorization policies. This change encourages users to define clear scope requirements rather than just checking for token presence.

Testing

  • All existing tests have been updated to use require_scopes instead of require_auth
  • Test coverage remains the same with updated examples
  • Documentation examples are consistent across all files

Contributors Checklist

Review Checklist

  • I have self-reviewed my changes
  • My Pull Request is ready for review

https://claude.ai/code/session_01WWzwcBfLWnxoN9XNs5Fhxr
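
The rationale above, as an added example that is not part of the PR or of FastMCP's code: a self-contained toy model in which the transport rejects missing or unknown tokens before any check runs, so a presence-only check can never deny a request while a scope check can. `Token`, `TOKENS`, `authenticate`, `presence_check`, `scopes_check`, `decide` and the status codes are hypothetical names and values; treating server-level and component-level checks as layered (both must pass) is an assumption of the model.

```python
# Toy model (not FastMCP code): transport-level authentication, then checks.
# All names, tokens and status codes below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    subject: str
    scopes: frozenset

TOKENS = {  # constructed store standing in for a configured auth provider
    "tok-reader": Token("alice", frozenset({"read"})),
    "tok-admin": Token("bob", frozenset({"read", "admin"})),
}

def authenticate(headers):
    """Transport layer: return the Token, or None if missing or unknown."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return TOKENS.get(value) if scheme.lower() == "bearer" else None

def presence_check(token):
    """Model of a token-presence check such as the removed one."""
    return token is not None

def scopes_check(*required):
    """Model of a scope check: every required scope must be granted."""
    needed = frozenset(required)
    return lambda token: needed <= token.scopes

def decide(headers, component_checks=(), server_checks=()):
    """401 if the transport rejects, 403 if any check fails, else 200.
    Assumption: server- and component-level checks are layered (both apply)."""
    token = authenticate(headers)
    if token is None:
        return 401  # rejected before any authorization check runs
    for check in (*server_checks, *component_checks):
        if not check(token):
            return 403
    return 200

def presence_check_outcomes():
    """Statuses a presence-only component yields for each kind of caller."""
    callers = [{}, {"Authorization": "Bearer bogus"}]
    callers += [{"Authorization": f"Bearer {t}"} for t in TOKENS]
    return [decide(h, component_checks=[presence_check]) for h in callers]
```

In this model a presence-only component never produces a 403: every caller is either stopped at the transport or allowed through, which is the redundancy the rationale describes.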

marvin-context-protocol Bot added labels Feb 6, 2026:

  • enhancement: Improvement to existing functionality. For issues and smaller PR improvements.
  • breaking change: Breaks backward compatibility. Requires minor version bump. Critical for maintainer attention.
  • auth: Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server.

coderabbitai Bot (Contributor) commented Feb 6, 2026

Walkthrough

This pull request removes require_auth from the public API of fastmcp.server.auth and updates all code examples and documentation to use require_scopes exclusively. Changes include removing the require_auth export from the auth module's __init__.py file, deleting the function definition from authorization.py, and updating all documentation files and middleware examples to demonstrate scope-based authorization patterns instead. No functional changes are made to existing authorization logic or the require_scopes implementation.

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: removing require_auth in favor of scope-based authorization via require_scopes. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Description check | ✅ Passed | PR description is comprehensive, clearly structured, and addresses all key aspects: removed functionality, updated documentation, rationale, and testing. All required checklist items are documented. |

jlowin removed the breaking change label Feb 7, 2026
jlowin merged commit 931d6f8 into main Feb 7, 2026
17 checks passed
jlowin deleted the claude/investigate-issue-3090-TACeM branch February 7, 2026 01:08
Labels

  • auth: Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server.
  • enhancement: Improvement to existing functionality. For issues and smaller PR improvements.

Development

Successfully merging this pull request may close these issues.

[docs] Unclear that AuthMiddleware blocks execution for component-level auth