
v0.4.0: Authentication & Authorization System


@KeshavVarad KeshavVarad released this 04 Nov 19:14
· 24 commits to main since this release
5d6425b

πŸ” Authentication & Authorization System

NextMCP v0.4.0 introduces a complete, production-ready authentication and authorization system with multiple providers, RBAC, and comprehensive middleware support.

✨ Highlights

  • 3 Built-in Auth Providers: API Key, JWT, and Session-based authentication
  • Complete RBAC System: Fine-grained permissions with wildcard support
  • Middleware Decorators: Easy-to-use decorators for protecting tools
  • 62 New Tests: Comprehensive test coverage for all auth features
  • 3 Complete Examples: Working examples for each authentication method
  • 100% Backward Compatible: All existing features continue to work

🚀 Key Features

Built-in Authentication Providers

Provider          Use Case                  Dependencies
APIKeyProvider    Simple key-based auth     None
JWTProvider       Token-based, stateless    PyJWT
SessionProvider   Session-based, stateful   None

RBAC with Wildcard Permissions

# Define permissions with wildcards (`rbac` is an RBAC instance)
rbac.define_permission("admin:*")  # All admin permissions
rbac.define_permission("read:posts")  # Specific permission

# Check permissions (`auth_context` is the AuthContext of the authenticated caller)
if auth_context.has_permission("admin:users"):
    # Granted if the caller holds admin:* or admin:users
    pass

Middleware Decorators

from nextmcp import NextMCP, requires_auth_async, requires_role_async
# APIKeyProvider and AuthContext are assumed to be exported from the same package
from nextmcp import APIKeyProvider, AuthContext

app = NextMCP("my-app")
provider = APIKeyProvider(valid_keys={...})  # replace {...} with your key configuration

# Decorators run outermost-first at call time: requires_auth_async resolves the
# AuthContext from the request, then requires_role_async checks it for "admin"
# before the tool body is ever reached.
@app.tool()
@requires_auth_async(provider=provider)
@requires_role_async("admin")
async def admin_tool(auth: AuthContext, data: str) -> dict:
    return {"user": auth.username, "data": data}
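The two snippets above show the intended semantics (a grant of "admin:*" satisfies a check for "admin:users", and a decorator stack that authenticates and then authorizes before the tool runs) but depend on NextMCP objects that are not constructed on this page. The following self-contained model, an added example that is not NextMCP's own code, implements wildcard permission matching and a requires_permission-style decorator from scratch so the behaviour can be run and tested offline. All names in it (ApiKeyStore, permission_matches, require_permission, the constructed API keys) are assumptions for illustration, not NextMCP APIs; it also handles the edge case of wildcards appearing on the requesting side, which a grant must not satisfy.

```python
"""Added example (not NextMCP's own code): a minimal model of wildcard
permission matching plus a requires_permission-style decorator that
authenticates an API key and then authorizes the resolved context.
ApiKeyStore, permission_matches and require_permission are names assumed
here for illustration, not NextMCP APIs."""
import asyncio
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthContext:
    username: str
    roles: frozenset = frozenset()
    permissions: frozenset = frozenset()


def permission_matches(granted: str, requested: str) -> bool:
    """True if a granted permission covers the requested one.

    A '*' segment in the grant covers that segment and everything below it:
    'admin:*' covers 'admin:users' and 'admin:users:delete', '*' covers all.
    Wildcards are only honoured on the granted side, so requesting 'read:*'
    is not satisfied by a grant of 'read:posts'. 'admin:*' does not cover
    the bare 'admin' permission, since there is no segment for '*' to match.
    """
    g = granted.split(":")
    r = requested.split(":")
    for i, seg in enumerate(g):
        if seg == "*":
            return len(r) > i  # wildcard needs at least one segment to cover
        if i >= len(r) or seg != r[i]:
            return False
    return len(g) == len(r)  # exact grant must match the whole path


def has_permission(ctx: AuthContext, requested: str) -> bool:
    return any(permission_matches(p, requested) for p in ctx.permissions)


class ApiKeyStore:
    """Constructed key store mapping API key -> AuthContext. Keys are compared
    with hmac.compare_digest so lookup time does not depend on how many
    leading bytes of a wrong key happened to match."""

    def __init__(self, keys: dict):
        self._keys = keys

    def authenticate(self, presented: str):
        found = None
        for key, ctx in self._keys.items():  # scan all keys; no early return
            if hmac.compare_digest(key.encode(), presented.encode()):
                found = ctx
        return found


class AuthError(Exception):
    pass


def require_permission(store: ApiKeyStore, permission: str):
    """Decorator: authenticate the presented key, then authorize it for
    `permission` before the wrapped coroutine is entered."""
    def deco(fn):
        async def wrapper(api_key: str, *args, **kwargs):
            ctx = store.authenticate(api_key)
            if ctx is None:
                raise AuthError("unauthenticated")
            if not has_permission(ctx, permission):
                raise AuthError(f"missing permission {permission}")
            return await fn(ctx, *args, **kwargs)
        return wrapper
    return deco


# Constructed sample keys and principals for the demonstration only.
STORE = ApiKeyStore({
    "key-admin-CONSTRUCTED": AuthContext("alice", frozenset({"admin"}), frozenset({"admin:*"})),
    "key-reader-CONSTRUCTED": AuthContext("bob", frozenset({"reader"}), frozenset({"read:posts"})),
})


@require_permission(STORE, "admin:users")
async def list_users(auth: AuthContext) -> dict:
    return {"user": auth.username, "users": ["alice", "bob"]}


def run(api_key: str):
    """Invoke the protected tool; returns its result, or the denial reason."""
    try:
        return asyncio.run(list_users(api_key))
    except AuthError as e:
        return str(e)


if __name__ == "__main__":
    for key in ("key-admin-CONSTRUCTED", "key-reader-CONSTRUCTED", "not-a-key"):
        print(key, "->", run(key))
```

The authorization check is deliberately placed in the wrapper rather than in the tool body so that a tool author cannot forget it, which is the same property the @requires_* decorators give NextMCP tools.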

📦 What's New

Core Components

  • AuthContext: Authentication context with user info, roles, and permissions
  • AuthProvider: Base class for custom authentication strategies
  • Permission & Role: Fine-grained access control models
  • RBAC: Complete role-based access control system

Auth Providers

  • APIKeyProvider: Pre-configured or custom validation functions
  • JWTProvider: HS256/RS256 algorithms, automatic expiration
  • SessionProvider: In-memory sessions with auto-cleanup

Middleware

  • @requires_auth / @requires_auth_async
  • @requires_role / @requires_role_async
  • @requires_permission / @requires_permission_async

📚 Examples

Three complete examples with READMEs:

  1. API Key Auth (examples/auth_api_key/): Simple key-based authentication
  2. JWT Auth (examples/auth_jwt/): Token-based authentication with login
  3. RBAC (examples/auth_rbac/): Fine-grained permission control

🧪 Testing

  • 26 Auth Provider Tests: APIKeyProvider, JWTProvider, SessionProvider
  • 36 RBAC Tests: Permission, Role, AuthContext, RBAC system
  • 297 Total Tests: All passing ✓

πŸ› οΈ Development Tools

  • Pre-commit Hook: Automatic linting, formatting, and testing
  • Installation Script: ./scripts/install-hooks.sh

📖 Documentation

  • Comprehensive auth section in README (~400 lines)
  • Full API documentation
  • Security best practices
  • Migration guide from previous versions

🔄 Backward Compatibility

This release is 100% backward compatible. All 235 existing tests pass without modification.

πŸ“ Full Changelog

See CHANGELOG.md for complete details.

πŸ™ Contributors

Built with Claude Code


Installation: pip install nextmcp==0.4.0
PyPI: https://pypi.org/project/nextmcp/
Documentation: See README.md