
angee.mcp.verifier

FastMCP token verifier: authenticate the inbound bearer to a REBAC actor.

Authentication is the transport's job (rebac proposal 0004), so it lives here, not in rebac. The bearer→actor map belongs to whichever addon owns the MCP catalogue; it is named by `ANGEE_MCP_ACTOR_VERIFIER` and this wraps it as a FastMCP :class:`~fastmcp.server.auth.TokenVerifier`. FastMCP then gates every call (401 on a bad bearer) and carries the resolved actor on the request; the per-call :class:`~angee.mcp.middleware.ActorMiddleware` reads it back off :func:`~fastmcp.server.dependencies.get_access_token` and brackets the tool body in `rebac.actor_context` so the body scopes to that actor.

MCPActorVerifier

A `verify(bearer) -> SubjectRef | None` callable named by `ANGEE_MCP_ACTOR_VERIFIER`.

RebacTokenVerifier

```python
class RebacTokenVerifier(TokenVerifier)
```

Resolve a bearer to its REBAC actor, carried as the token subject.

Declines (`None` → 401) for an empty bearer, an unconfigured catalogue verifier, or a bearer no credential matches. This is the fail-closed posture: an unauthenticated MCP request reaches no tool.

verify_token

```python
async def verify_token(token: str) -> AccessToken | None
```

Return an :class:`AccessToken` carrying the resolved actor, or `None`.
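The three decline rules described above, as an added sketch that is not angee's or FastMCP's own code. `SubjectRef`, `AccessToken` and `FailClosedVerifier` are simplified stand-ins, and the digest-keyed credential store, the sample bearer and the `kind:id` subject format are assumptions.

```python
import asyncio
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Stand-ins (assumptions): the real SubjectRef and AccessToken come from rebac and FastMCP.
@dataclass(frozen=True)
class SubjectRef:
    kind: str
    id: str

@dataclass(frozen=True)
class AccessToken:
    token: str
    subject: str  # resolved actor, carried as the token subject

def _digest(bearer: str) -> bytes:
    return hashlib.sha256(bearer.encode("utf-8")).digest()

# Constructed sample credential store: only digests are kept, never raw bearers.
CREDENTIALS = {_digest("demo-bearer-alice"): SubjectRef("user", "alice")}

def catalogue_verify(bearer: str) -> Optional[SubjectRef]:
    """Hypothetical verify(bearer) -> SubjectRef | None callable."""
    presented = _digest(bearer)
    match = None
    for stored, actor in CREDENTIALS.items():
        # Constant-time comparison; every entry is scanned even after a hit.
        if hmac.compare_digest(stored, presented):
            match = actor
    return match

class FailClosedVerifier:
    """Sketch of the decline rules; not a FastMCP TokenVerifier subclass."""

    def __init__(self, verify: Optional[Callable[[str], Optional[SubjectRef]]]):
        self._verify = verify  # None models an unconfigured catalogue verifier

    async def verify_token(self, token: str) -> Optional[AccessToken]:
        if not token or self._verify is None:
            return None  # empty bearer or nothing configured: decline
        actor = self._verify(token)
        if actor is None:
            return None  # no credential matches: decline
        return AccessToken(token=token, subject=f"{actor.kind}:{actor.id}")

def check(verifier: FailClosedVerifier, bearer: str) -> Optional[str]:
    """Run one verification and return the resolved subject, or None."""
    result = asyncio.run(verifier.verify_token(bearer))
    return result.subject if result else None
```

Every path that does not end in a matched credential returns `None`, so a missing configuration behaves the same as a bad bearer rather than letting requests through.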

Released under the AGPL-3.0 License.