AuthSec SDK for MCP auth, services, CIBA, and SPIFFE integration
AuthSec Python SDK (authsec-sdk)
Add OAuth + authorization enforcement to MCP tools.
Install
python3 -m pip install authsec-sdk
Import path:
from authsec_sdk import protected_by_AuthSec, run_mcp_server_with_oauth
Legacy import path is also supported in this release:
from AuthSec_SDK import protected_by_AuthSec, run_mcp_server_with_oauth
Trust Delegation SDK
Pull a delegated JWT-SVID for an AI agent and use it for downstream API calls.
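import asyncio

from authsec_sdk import DelegationClient


async def main() -> None:
    client = DelegationClient(
        client_id="YOUR_AGENT_CLIENT_ID",
        userflow_url="https://api.authsec.ai/uflow",
    )
    # Pull the delegated JWT-SVID for this agent.
    token_info = await client.pull_token()
    # Check the permission before calling the downstream API.
    if client.has_permission("users:read"):
        users = await client.request_json("GET", "https://api.example.com/users")


asyncio.run(main())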
Minimal Integration (your MCP server)
from authsec_sdk import mcp_tool, protected_by_AuthSec, run_mcp_server_with_oauth


@mcp_tool(
    name="ping",
    description="Health check",
    inputSchema={"type": "object", "properties": {}, "required": []},
)
async def ping(arguments: dict) -> list:
    return [{"type": "text", "text": "pong"}]


@protected_by_AuthSec(
    tool_name="delete_invoice",
    permissions=["tool:delete_invoice"],  # optional; remove for auth-only
    require_all=True,
    description="Delete invoice",
    inputSchema={
        "type": "object",
        "properties": {
            "invoice_id": {"type": "string"},
            "session_id": {"type": "string"},
        },
        "required": ["invoice_id"],
    },
)
async def delete_invoice(arguments: dict) -> list:
    user = (arguments.get("_user_info") or {}).get("email_id", "unknown")
    return [{"type": "text", "text": f"Deleted {arguments.get('invoice_id')} by {user}"}]


if __name__ == "__main__":
    import __main__

    run_mcp_server_with_oauth(
        user_module=__main__,
        client_id="YOUR_CLIENT_ID",
        app_name="my-mcp-server",
        host="127.0.0.1",
        port=3005,
    )
Run
python3 server.py
Default endpoints (production):
- Auth API: https://prod.api.authsec.ai/sdkmgr/mcp-auth
- Services API: https://prod.api.authsec.ai/sdkmgr/services
Optional endpoint overrides (self-hosted gateway):
export AUTHSEC_AUTH_SERVICE_URL="http://localhost:8000/sdkmgr/mcp-auth"
export AUTHSEC_SERVICES_URL="http://localhost:8000/sdkmgr/services"
python3 server.py
Verify
npx @modelcontextprotocol/inspector http://127.0.0.1:3005
Flow:
- Call oauth_start
- Complete login in browser
- Call your protected tool with session_id
For browser auto-open from your local SDK server process:
export AUTHSEC_AUTO_OPEN_BROWSER=1
Troubleshooting
- ModuleNotFoundError: No module named 'authsec_sdk'
  - You are using a different Python than the one where you installed the package. Use python3 -m pip ... and run with the same python3.
- ModuleNotFoundError: No module named 'AuthSec_SDK'
  - Upgrade to this release (4.0.4+) or use canonical import authsec_sdk.
- Server exits with cleanup event-loop error on Ctrl+C
  - Fixed in this release (4.0.4+).
- oauth_start returns browser_opened: false
  - Set AUTHSEC_AUTO_OPEN_BROWSER=1 or call oauth_start with {"open_browser": true}.
- MCP Inspector shows MCP error -32001: Request timed out
  - Reduce upstream wait with AUTHSEC_OAUTH_TOOL_TIMEOUT_SECONDS (default 8).
  - Example: export AUTHSEC_OAUTH_TOOL_TIMEOUT_SECONDS=5
- OAuth completes in browser but tool calls still unauthorized
  - Check callback_url in oauth_start response.
  - Recommended callback URI is https://prod.api.authsec.ai/sdkmgr/mcp-auth/callback (SDK Manager-hosted callback).
  - Local fallback http://localhost:3005/oauth/callback is also supported by this SDK server.
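A preflight check for the endpoint overrides and the callback_url advice above, added here as an example (it is not part of the SDK or its README). It flags override URLs that embed credentials or use plaintext http to a non-loopback host, and classifies an oauth_start callback_url against the two callback URIs this page lists. The function names and the http-only-on-loopback policy are assumptions of this example; the variable names, port and URLs come from the page.

```python
import ipaddress
from urllib.parse import urlsplit

HOSTED_CALLBACK = "https://prod.api.authsec.ai/sdkmgr/mcp-auth/callback"
OVERRIDE_VARS = ("AUTHSEC_AUTH_SERVICE_URL", "AUTHSEC_SERVICES_URL")


def is_loopback(host):
    """True for 'localhost' and loopback IP literals (127.0.0.0/8, ::1)."""
    try:
        return host.lower() == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:  # any other DNS name, e.g. localhost.corp.example
        return False


def check_url(url):
    """Return a list of problems with one endpoint URL (empty means OK)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return ["not a parseable URL"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not an absolute http(s) URL"]
    problems = []
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    # Assumed policy of this example: plaintext http only on loopback.
    if parts.scheme == "http" and not is_loopback(host):
        problems.append("plaintext http to a non-loopback host")
    return problems


def check_overrides(env):
    """Check whichever override variables are set; unset ones are skipped."""
    return {v: check_url(env[v]) for v in OVERRIDE_VARS if env.get(v)}


def classify_callback(callback_url, port=3005):
    """Classify the callback_url field of an oauth_start response."""
    if callback_url == HOSTED_CALLBACK:
        return "hosted"
    try:
        parts = urlsplit(callback_url)
        local = (parts.scheme == "http" and is_loopback(parts.hostname or "")
                 and (parts.port, parts.path) == (port, "/oauth/callback"))
    except ValueError:  # malformed host or port
        return "unexpected"
    return "local-fallback" if local else "unexpected"
```

Call check_overrides(os.environ) before starting server.py, and classify_callback on the callback_url returned by oauth_start; anything other than "hosted" or "local-fallback" is worth investigating before retrying the tool call.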
Publishing (maintainer)
- Set credentials:
export TWINE_USERNAME="__token__"
export TWINE_PASSWORD="pypi-..."
- Build and upload:
cd /absolute/path/to/sdk-authsec/packages/python-sdk
python3 -m pip install --upgrade build twine
python3 -m build
python3 -m twine check dist/*
# Optional TestPyPI:
# python3 -m twine upload --repository testpypi dist/*
# Publish:
python3 -m twine upload dist/*
File details
Details for the file authsec_sdk-4.0.5.tar.gz.
File metadata
- Download URL: authsec_sdk-4.0.5.tar.gz
- Upload date:
- Size: 33.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c8c3a67cc2e6f509b6ceed3b6f2aa793ba83d739948a2f1067895be09aa52bf2 |
| MD5 | 1d8d6c9d75349ad782b5b88cc2f00b11 |
| BLAKE2b-256 | 8f41733c01ad0305bf29679ab7c99e4e6233cc8fef3e2950077773e4f4c459da |
File details
Details for the file authsec_sdk-4.0.5-py3-none-any.whl.
File metadata
- Download URL: authsec_sdk-4.0.5-py3-none-any.whl
- Upload date:
- Size: 37.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 349578f27eb5547ca801738f1bbec08f982da09b5a333eaf3b997eff23736c30 |
| MD5 | 0e848f4699247401d6ac6c8e8a791f6b |
| BLAKE2b-256 | 9c70774898c40835f089fc9c749d341927a1ee9c055892da11a20e18c1bb932d |