---
title: "Framework Connectors"
url: "https://docs.caracal.run/sdks/connectors/"
markdown_url: "https://docs.caracal.run/markdown/sdks/connectors.md"
description: "Framework adapters for Caracal-protected resource servers."
page_type: "page"
concepts: []
requires: []
---

# Framework Connectors

Canonical URL: https://docs.caracal.run/sdks/connectors/
Markdown URL: https://docs.caracal.run/markdown/sdks/connectors.md
Description: Framework adapters for Caracal-protected resource servers.
Page type: page
Concepts: none
Requires: none

---

Framework connectors adapt the lower-level identity and MCP auth transport packages to common server frameworks. Use them before reaching for lower-level verification APIs.

## Connector Map

| Connector | Package | Use it for |
| --- | --- | --- |
| [Express](/sdks/connectors/express/) | `@caracalai/mcp-express` | Protecting Express 5 routes with Caracal mandate verification. |
| [ASGI](/sdks/connectors/asgi/) | `caracalai-asgi` | Protecting FastAPI, Starlette, and other Python ASGI apps with Caracal mandate verification. |
| [FastMCP](/sdks/connectors/fastmcp/) | `@caracalai/mcp-fastmcp`, `caracalai-mcp-fastmcp` | Verifying FastMCP bearer tokens before tool execution. |
| [Go net/http](/sdks/connectors/nethttp/) | `github.com/garudex-labs/caracal/packages/connectors/nethttp/go` | Protecting Go HTTP handlers. |

## Choose a Verification Layer

| Need | Use |
| --- | --- |
| Framework-neutral verification | [MCP Auth Transport](/sdks/transport-mcp/) |
| Express route middleware | [Express Connector](/sdks/connectors/express/) |
| FastAPI/Starlette (ASGI) middleware | [ASGI Connector](/sdks/connectors/asgi/) |
| FastMCP tool/server authentication | [FastMCP Connector](/sdks/connectors/fastmcp/) |
| Go HTTP middleware | [Go net/http Connector](/sdks/connectors/nethttp/) |
| Shared revocation store | [Redis Revocation Store](/sdks/connectors/redis/) |

## Boundary Semantics

Every HTTP connector maps verification failures through one canonical status function in `@caracalai/transport-mcp` (`httpStatusForAuthError` in TypeScript, `transportmcp.HTTPStatus` in Go), so the boundary behaves identically across frameworks and languages:

- **401** — the credential itself was not accepted: `missing_token`, `invalid_token`, `invalid_zone`, `session_revoked`, `delegation_stale`.
- **403** — the mandate verified but its authority is insufficient for the route: `insufficient_scope`, `agent_required`, `delegation_required`, `chain_mismatch`, `hop_count_exceeded`.

Connectors never re-derive these status codes; they consume the shared mapping.

## Related State Backends

- [Redis Revocation Store](/sdks/connectors/redis/)
- [Postgres Token State Backend](/sdks/connectors/postgres/)

## Related Guides

- [Verification Layer Overview](/sdks/verification-layer/)
- [Protect an MCP Server](/guides/protect-mcp/)
- [Protect an Express App](/guides/protect-express/)
- [Protect a FastAPI App](/guides/protect-fastapi/)
- [Protect a FastMCP App](/guides/protect-fastmcp/)
- [Protect a Go net/http Service](/guides/protect-nethttp/)
