Verification answers “who is calling?”; authorization answers “what may they do?”. FastMCP expresses authorization as checks attached to the server or to individual tools, resources, and prompts.
This page is under construction. The outline below sketches what it will cover.
  • requireScopes(...scopes) — gate components on token scopes; failures surface as AuthorizationError.
  • Per-component auth checks — every ToolConfig / ResourceConfig / PromptConfig accepts an auth check; unauthorized components are hidden from list responses for that caller.
  • multiAuth — combine several verifiers so different token types map to the same identity model.
  • Caching caveat — partition CachingMiddleware by caller identity (custom CacheKeyFn) when responses differ per caller.
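
The caching caveat above, shown as an added example that is not FastMCP's own code: a response cache keyed only on the method serves one caller's authorization-filtered tool list to another caller, and a key that includes caller identity prevents this. Every name here (`cached`, `KeyFn`, `sharedKey`, `perCallerKey`, the sample tools and callers) is a hypothetical stand-in and does not reflect the actual `CachingMiddleware` or `CacheKeyFn` signatures.

```typescript
// Added illustration; not FastMCP code. All names are hypothetical
// stand-ins for a response cache with a pluggable key function.
type Caller = { subject: string; scopes: string[] };
type Req = { method: string; caller: Caller };
type KeyFn = (req: Req) => string;

// Handler whose response depends on the caller: tools the caller lacks
// the scope for are left out of the list (constructed sample tools).
const TOOLS = [
  { name: "read_report", scope: "reports:read" },
  { name: "delete_report", scope: "reports:admin" },
];
function listTools(req: Req): string[] {
  return TOOLS.filter((t) => req.caller.scopes.includes(t.scope)).map((t) => t.name);
}

// Minimal caching wrapper: the key function alone decides who shares entries.
function cached(handler: (req: Req) => string[], keyFn: KeyFn) {
  const store = new Map<string, string[]>();
  return (req: Req): string[] => {
    const key = keyFn(req);
    const hit = store.get(key);
    if (hit !== undefined) return hit;
    const fresh = handler(req);
    store.set(key, fresh);
    return fresh;
  };
}

// Weak: the key ignores the caller, so the first caller's view is served to all.
const sharedKey: KeyFn = (req) => req.method;
// Partitioned: the key includes identity and the scope set the response depends on.
const perCallerKey: KeyFn = (req) =>
  JSON.stringify([req.method, req.caller.subject, [...req.caller.scopes].sort()]);

// Constructed sample callers.
const admin: Caller = { subject: "alice", scopes: ["reports:read", "reports:admin"] };
const reader: Caller = { subject: "bob", scopes: ["reports:read"] };

// Returns what the read-only caller sees after the admin has warmed the cache.
function demo(keyFn: KeyFn): string[] {
  const handler = cached(listTools, keyFn);
  handler({ method: "tools/list", caller: admin });
  return handler({ method: "tools/list", caller: reader });
}
```

With `sharedKey` the read-only caller receives the admin's list, including a tool its scopes do not allow; with `perCallerKey` it receives only its own.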