Skip to content

Framework Connectors

Framework connectors adapt the lower-level identity and MCP auth transport packages to common server frameworks. Use them before reaching for lower-level verification APIs.

ConnectorPackageUse it for
Express@caracalai/mcp-expressProtecting Express 5 routes with Caracal mandate verification.
ASGIcaracalai-asgiProtecting FastAPI, Starlette, and other Python ASGI apps with Caracal mandate verification.
FastMCP@caracalai/mcp-fastmcp, caracalai-mcp-fastmcpVerifying FastMCP bearer tokens before tool execution.
Go net/httpgithub.com/garudex-labs/caracal/packages/connectors/nethttp/goProtecting Go HTTP handlers.
NeedUse
Framework-neutral verificationMCP Auth Transport
Express route middlewareExpress Connector
FastAPI/Starlette (ASGI) middlewareASGI Connector
FastMCP tool/server authenticationFastMCP Connector
Go HTTP middlewareGo net/http Connector
Shared revocation storeRedis Revocation Store

Every HTTP connector maps verification failures through one canonical status function in @caracalai/transport-mcp (httpStatusForAuthError in TypeScript, transportmcp.HTTPStatus in Go), so the boundary behaves identically across frameworks and languages:

  • 401 — the credential itself was not accepted: missing_token, invalid_token, invalid_zone, session_revoked, delegation_stale.
  • 403 — the mandate verified but its authority is insufficient for the route: insufficient_scope, agent_required, delegation_required, chain_mismatch, hop_count_exceeded.

Connectors never re-derive these status codes; they consume the shared mapping.