
FastMCP Connector

FastMCP connectors expose small verifier APIs that delegate to the MCP transport packages. Use them when your FastMCP integration needs to authenticate a bearer token before running a tool.

| Ecosystem | Package |
| --- | --- |
| TypeScript | `npm install @caracalai/mcp-fastmcp @caracalai/transport-mcp @caracalai/revocation` |
| Python | `pip install caracalai-mcp-fastmcp` |

```typescript
import { extractBearer, verifyFastMcpToken } from "@caracalai/mcp-fastmcp";
import { createMandateVerifier } from "@caracalai/transport-mcp";
import { InMemoryRevocationStore } from "@caracalai/revocation";

// Build the verifier once; it pins the expected issuer, audience and zone.
const verifier = createMandateVerifier({
  issuer: "https://sts.example.com",
  audience: "https://mcp.example.com",
  zoneId: "zone_prod",
  revocations: new InMemoryRevocationStore(),
});

// `request` is the incoming HTTP request handled by your integration.
const token = extractBearer(request.headers.get("authorization") ?? "");
if (!token) throw new Error("missing bearer token");

// Verify the token before running the tool; this throws on failure.
const context = await verifyFastMcpToken(token, verifier, {
  requiredScopes: ["mcp:tool:call"],
  requiredTargets: ["https://mcp.example.com"],
  requireAgent: true,
});
console.log(context.sub, context.zoneId, context.scope);
```

verifyFastMcpToken() returns { sub, zoneId, scope } or throws FastMcpAuthError.

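```python
from caracalai_mcp_fastmcp import CaracalAuth, CaracalAuthError

# `revocations` is a revocation store created elsewhere in your application.
auth = CaracalAuth(
    issuer="https://sts.example.com",
    audience="https://mcp.example.com",
    zone_id="zone_prod",
    required_scopes=["mcp:tool:call"],
    required_targets=["https://mcp.example.com"],
    require_agent=True,
    revocations=revocations,
)


# Illustrative wrapper (the name is not part of the package): `await` must run
# inside a coroutine. `token` is the bearer token from the Authorization header.
async def authenticate(token: str):
    try:
        context = await auth.verify_token(token)
    except CaracalAuthError as exc:
        # Stop here on any verification failure and surface the error code.
        raise RuntimeError(exc.code) from exc
    return context
```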

The connector verifies tokens; it does not create agent sessions or delegation edges. Use the Python SDK or TypeScript SDK to create Caracal context before making outbound calls.