Name | pangea-authz-fastmcp |
Version | 0.1.0 |
home_page | None |
Summary | Pangea AuthZ integration for FastMCP |
upload_time | 2025-07-29 14:48:37 |
maintainer | None |
docs_url | None |
author | None |
requires_python | >=3.11 |
license | None |
keywords | |
VCS | |
bugtrack_url | |
requirements | No requirements were recorded. |
Travis-CI | No Travis. |
coveralls test coverage | No coveralls. |
# pangea-authz-fastmcp
Easily add authorization to a FastMCP server with Pangea's [AuthZ][] service.
## Installation
```
pip install -U pangea-authz-fastmcp
```
## Pangea AuthZ setup
1. Create a Pangea account at https://pangea.cloud/signup. During the account
creation process, an organization (top-level group) and project
(individual app) will be created as well. On the "Get started with a common
service" dialog, just click on the **Skip** button to get redirected to the
developer console.
2. In the developer console, there will be a list of services in the left hand
panel. Click the **AuthZ** service to enable it.
3. In the modal, there will be a prompt to create a new Pangea API token or to
extend an existing one. Choose **Create a new token** and click on **Done**.
4. An additional dialog of example schemas will appear. Select **Blank Schema**
and then click **Done**.
5. From this AuthZ Overview page, click on **Resource Types**. We'll want to
create the following resource types:





6. Click on **Roles & Access**. We'll want to configure the following roles:




7. Click on **Assigned Roles & Relations**. From this page one can assign users
or groups to be callers of select tools or readers of select resources.
## Usage
Use FastMCP's `add_middleware` method to add the authorization middleware to a
FastMCP server. The middleware requires a Pangea AuthZ token (to perform
authorization checks) and a function that maps an OAuth access token to a list
of subject IDs.
```python
import os

from fastmcp import FastMCP
from fastmcp.server.dependencies import AccessToken
from fastmcp.server.middleware import MiddlewareContext
from mcp.types import CallToolRequestParams, ReadResourceRequestParams

from pangea_authz_fastmcp import PangeaAuthzMiddleware


async def get_subject_ids(
    access_token: AccessToken,
    context: MiddlewareContext[CallToolRequestParams] | MiddlewareContext[ReadResourceRequestParams],
) -> list[str]:
    # Fetch the subject ID(s) for the given access token. For example, this can
    # be just the associated user ID, or it can be a list of group IDs that the
    # user is a member of. How this function is implemented will depend on the
    # identity provider.
    return ["id1", "id2"]


mcp = FastMCP(name="My MCP Server")
mcp.add_middleware(
    PangeaAuthzMiddleware(pangea_authz_token=os.getenv("PANGEA_AUTHZ_TOKEN", ""), get_subject_ids=get_subject_ids)
)
```
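How the callback's output feeds an allow/deny decision, as an added example that is not part of the package: it models the check locally with the relation and resource-type names from this README (`caller`/`tool`, `reader`/`resource`). `StubAccessToken`, `DIRECTORY`, `TUPLES`, `is_allowed` and `check` are hypothetical, the data is constructed, and allowing a request when any one subject ID matches is an assumption about the service's behaviour.

```python
import asyncio
from dataclasses import dataclass


@dataclass(frozen=True)
class StubAccessToken:
    """Stand-in for FastMCP's AccessToken; only a `token` string is assumed."""
    token: str


# Constructed identity-provider data: opaque token -> (user ID, group IDs).
DIRECTORY = {
    "tok-alice": ("alice@example.org", ["eng@example.org"]),
    "tok-bob": ("bob@example.org", []),
}

# Constructed relationship tuples using the README's default names:
# (subject ID, relation, resource type, resource ID).
TUPLES = {
    ("eng@example.org", "caller", "tool", "deploy"),
    ("bob@example.org", "reader", "resource", "config://app"),
}


async def get_subject_ids(access_token, context=None) -> list[str]:
    """Same shape as the README callback: the user ID plus its group IDs."""
    entry = DIRECTORY.get(access_token.token)
    if entry is None:
        return []  # unknown token: no subjects, so no tuple can match
    user_id, group_ids = entry
    return [user_id, *group_ids]


def is_allowed(subject_ids, relation, resource_type, resource_id) -> bool:
    """Deny by default; allow only when some subject holds the exact tuple."""
    return any((s, relation, resource_type, resource_id) in TUPLES for s in subject_ids)


def check(token: str, relation: str, resource_type: str, resource_id: str) -> bool:
    """Resolve the token to subjects, then evaluate the tuple lookup."""
    subjects = asyncio.run(get_subject_ids(StubAccessToken(token)))
    return is_allowed(subjects, relation, resource_type, resource_id)


if __name__ == "__main__":
    print(check("tok-alice", "caller", "tool", "deploy"))  # granted via group
    print(check("tok-bob", "caller", "tool", "deploy"))  # no caller tuple
    print(check("tok-unknown", "reader", "resource", "config://app"))
```

Returning an empty list for an unrecognised token keeps the model fail-closed: with no subjects, no tuple can match.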
If you're already using the [pangea-authn-fastmcp][] package to authenticate
users, then this package can recognize that and will automatically fetch the
user's AuthN group memberships.
```python
import os

from fastmcp import FastMCP
from pangea_authn_fastmcp import PangeaOAuthProvider

from pangea_authz_fastmcp import PangeaAuthzMiddleware

oauth_provider = PangeaOAuthProvider(...)

mcp = FastMCP(name="My MCP Server", auth=oauth_provider)
mcp.add_middleware(
    PangeaAuthzMiddleware(
        # Need an AuthN token to fetch the user's group memberships.
        pangea_authn_token=os.getenv("PANGEA_AUTHN_TOKEN", ""),
        # Still need the AuthZ token.
        pangea_authz_token=os.getenv("PANGEA_AUTHZ_TOKEN", ""),
        # get_subject_ids is no longer required.
    )
)
```
## Google Workspace groups
This package comes with an optional command-line tool that can be used to
enumerate groups from a Google Workspace and map these groups to MCP resources
and tools in AuthZ. To install it, run:
```bash
pip install -U pangea-authz-fastmcp[cli]
```
Prerequisites:
1. The [Admin SDK API](https://console.cloud.google.com/apis/library/admin.googleapis.com) must be enabled.
2. An [OAuth 2.0 client](https://console.cloud.google.com/apis/credentials).
Download the client secret as JSON and save it to a file like `credentials.json`.
```
Usage: pangea-authz-fastmcp google-workspace [ARGS] [OPTIONS]
╭─ Parameters ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ CUSTOMER --customer The unique ID for the customer's Google Workspace account. │
│ DOMAIN --domain The domain name. Use this flag to get groups from only one domain. To return all domains for a │
│ customer account, use the --customer flag instead. │
│ CREDENTIALS --credentials The path to the credentials file. [default: credentials.json] │
│ MAX-GROUPS --max-groups Maximum number of groups to fetch. [default: 30] │
│ FILES --files --empty-files Files to discover MCP servers from. [default: │
│ ['~/AppData/Roaming/Claude/claude_desktop_config.json', '~/.cursor/mcp.json', │
│ '~/.codeium/windsurf/mcp_config.json']] │
│ SUBJECT-TYPE --subject-type Pangea AuthZ subject type. [default: group] │
│ RESOURCE-RELATION --resource-relation Pangea AuthZ tuple relation for MCP resources. [default: reader] │
│ TOOL-RELATION --tool-relation Pangea AuthZ tuple relation for MCP tools. [default: caller] │
│ RESOURCE-RESOURCE-TYPE --resource-resource-type Pangea AuthZ resource type for MCP resources. [default: resource] │
│ TOOL-RESOURCE-TYPE --tool-resource-type Pangea AuthZ resource type for MCP tools. [default: tool] │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
```
```bash
export PANGEA_AUTHZ_TOKEN="pts_..."
pangea-authz-fastmcp google-workspace --credentials path/to/credentials.json --domain example.org
```
[AuthZ]: https://pangea.cloud/docs/authz/
[pangea-authn-fastmcp]: https://github.com/pangeacyber/pangea-authn-fastmcp
Raw data
{
"_id": null,
"home_page": null,
"name": "pangea-authz-fastmcp",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.11",
"maintainer_email": null,
"keywords": null,
"author": null,
"author_email": "Pangea <support@pangea.cloud>",
"download_url": "https://files.pythonhosted.org/packages/af/cd/492efe886080429fc34322a04cb110258bf71a0e03934deceb347057eb1d/pangea_authz_fastmcp-0.1.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": null,
"summary": "Pangea AuthZ integration for FastMCP",
"version": "0.1.0",
"project_urls": {
"Changelog": "https://github.com/pangeacyber/pangea-authz-fastmcp/releases",
"Documentation": "https://github.com/pangeacyber/pangea-authz-fastmcp",
"Homepage": "https://github.com/pangeacyber/pangea-authz-fastmcp",
"Source": "https://github.com/pangeacyber/pangea-authz-fastmcp"
},
"split_keywords": [],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "eecd6e1be54ea974b5c6f89e8f36fdb7ee96e333c74d236f8a583c29a7cfd6c3",
"md5": "2179d07a2439e19512bf526671271129",
"sha256": "847bad61704f7b73e2dcd8af669621db500df89725e299f71c4fd0d2357381d9"
},
"downloads": -1,
"filename": "pangea_authz_fastmcp-0.1.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "2179d07a2439e19512bf526671271129",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.11",
"size": 10311,
"upload_time": "2025-07-29T14:48:36",
"upload_time_iso_8601": "2025-07-29T14:48:36.220021Z",
"url": "https://files.pythonhosted.org/packages/ee/cd/6e1be54ea974b5c6f89e8f36fdb7ee96e333c74d236f8a583c29a7cfd6c3/pangea_authz_fastmcp-0.1.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "afcd492efe886080429fc34322a04cb110258bf71a0e03934deceb347057eb1d",
"md5": "e358056d9515d542d4aaa4c32a1db983",
"sha256": "cf8f456abc133d9c1626ffb28032df7b98c276c73637bec5174f8991f2321c0f"
},
"downloads": -1,
"filename": "pangea_authz_fastmcp-0.1.0.tar.gz",
"has_sig": false,
"md5_digest": "e358056d9515d542d4aaa4c32a1db983",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.11",
"size": 346907,
"upload_time": "2025-07-29T14:48:37",
"upload_time_iso_8601": "2025-07-29T14:48:37.553085Z",
"url": "https://files.pythonhosted.org/packages/af/cd/492efe886080429fc34322a04cb110258bf71a0e03934deceb347057eb1d/pangea_authz_fastmcp-0.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-07-29 14:48:37",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "pangeacyber",
"github_project": "pangea-authz-fastmcp",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "pangea-authz-fastmcp"
}