Eunomia MCP authorization middleware

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tommitt from gravatar.com tommitt

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

Eunomia MCP Authorization Middleware

Add policy-based authorization to your MCP servers built on FastMCP with minimal code changes.

Features

  • 🔒 Policy-Based Authorization: Control which agents can access which MCP resources and tools
  • 📊 Audit Logging: Track all authorization decisions and violations
  • FastMCP Integration: One-line middleware integration with FastMCP servers
  • 🔧 Flexible Configuration: JSON-based policies with support for complex rules
  • 🎯 MCP-Aware: Built-in understanding of MCP protocol (tools, resources, prompts)

Installation

pip install eunomia-mcp

Quick Start

Basic Integration

from fastmcp import FastMCP
from eunomia_mcp import create_eunomia_middleware

# Create your FastMCP server
mcp = FastMCP("Secure MCP Server 🔒")

@mcp.tool()
def add(a: int, b: int) -> int:
    """Add two numbers"""
    return a + b

# Add Eunomia authorization middleware
middleware = [create_eunomia_middleware()]

# Create ASGI app with authorization
app = mcp.http_app(middleware=middleware)

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="0.0.0.0", port=8080)

[!IMPORTANT]

Eunomia is a standalone server that handles the policy decisions, you must have it running alongside the MCP server.

Install the eunomia-ai package and run it in the background with

eunomia server

Or refer to the Eunomia documentation for more options.

Advanced Integration

Configure the middleware with custom options for production deployments:

from fastmcp import FastMCP
from eunomia_mcp import create_eunomia_middleware

mcp = FastMCP("Secure MCP Server 🔒")

# Configure middleware with custom options
middleware = [
    create_eunomia_middleware(
        eunomia_endpoint="https://your-eunomia-server.com",
        eunomia_api_key="your-api-key",
        enable_audit_logging=True,
        bypass_methods=["initialize", "notifications/*"]
    )
]

app = mcp.http_app(middleware=middleware)

Policy Configuration

Use the eunomia-mcp CLI to manage your MCP authorization policies:

Initialize a New Project

# Create a default policy configuration file
eunomia-mcp init

# Create policy configuration file with custom name
eunomia-mcp init --policy-file my_policies.json

# Generate both policy configuration file and a sample MCP server
eunomia-mcp init --sample

You can now edit the policy configuration file to your liking.

Validate Policy Configuration

# Validate your policy file
eunomia-mcp validate mcp_policies.json

Push Policies to Eunomia

# Push your policy to Eunomia server
eunomia-mcp push mcp_policies.json

# Push your policy and overwrite existing ones
eunomia-mcp push mcp_policies.json --overwrite

[!IMPORTANT] You need the Eunomia server running for the push operation.

Workflow: Initialize → Customize policies → Validate → Run Eunomia server → Push to Eunomia → Run MCP server

How It Works

1. Request Interception

The middleware intercepts all JSON-RPC 2.0 requests to your MCP server:

{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "file_read",
    "arguments": { "path": "/private/secrets.txt" }
  },
  "id": 1
}

2. Authorization Check

Requests are mapped to Eunomia resources and checked against policies:

  • Principal: Extracted from request headers (X-Agent-ID, X-User-ID, Authorization)
  • Resource: Mapped from MCP method and parameters (e.g., mcp:tools:file_read)
  • Action: Derived from MCP method (e.g., execute for tools/call)

3. Response

  • Authorized: Request proceeds to MCP server
  • Denied: JSON-RPC error response returned

MCP Method Mappings

MCP Method Resource URI Action Notes
tools/list mcp:tools access List available tools
tools/call mcp:tools:{name} execute Execute specific tool
resources/list mcp:resources access List available resources
resources/read mcp:resource:{uri} read Read specific resource
prompts/list mcp:prompts access List available prompts
prompts/get mcp:prompt:{name} read Get specific prompt

Authentication

Agent Identification

Agents are identified through HTTP headers:

X-Agent-ID: claude
X-User-ID: user123
Authorization: Bearer api-key-here

Custom Principal Extraction

You can customize principal extraction by subclassing the middleware:

from eunomia_mcp import EunomiaMcpMiddleware

class CustomAuthMiddleware(EunomiaMcpMiddleware):
    def _extract_principal_info(self, request):
        # Custom logic to extract principal from JWT, etc.
        return {
            "uri": "user:john.doe",
            "attributes": {"role": "admin", "department": "engineering"}
        }

Error Responses

Authorization failures return standard JSON-RPC errors:

{
  "jsonrpc": "2.0",
  "error": {
    "code": -32603,
    "message": "Unauthorized",
    "data": "Access denied for tools/call"
  },
  "id": 1
}

Logging

Enable comprehensive audit logging:

import logging

# Configure logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("eunomia_mcp")

# Authorization success
# INFO: Authorized MCP request: tools/call | Client: 192.168.1.100

# Authorization violation
# WARNING: Authorization violation: Access denied for tools/call | Method: tools/call | Client: 192.168.1.100

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tommitt from gravatar.com tommitt

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

0.3.10

0.3.9

0.3.8

0.3.7

0.3.6

0.3.5

0.3.4

This version

0.3.3

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

eunomia_mcp-0.3.3.tar.gz (7.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

eunomia_mcp-0.3.3-py3-none-any.whl (10.0 kB view details)

Uploaded Python 3

File details

Details for the file eunomia_mcp-0.3.3.tar.gz.

File metadata

  • Download URL: eunomia_mcp-0.3.3.tar.gz
  • Upload date:
  • Size: 7.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.6.3

File hashes

Hashes for eunomia_mcp-0.3.3.tar.gz
Algorithm Hash digest
SHA256 3d09f8eff3ab83f7907a902cdda50fd9a2f4ada97c46883630db6eccbf4ed283
MD5 d98d8894584c4680757d3f74a8a9f146
BLAKE2b-256 484dd5c168b7e3f2ade583dc7bc20d32a7796823d11d29d3049f6b10f6d50389

See more details on using hashes here.

File details

Details for the file eunomia_mcp-0.3.3-py3-none-any.whl.

File metadata

File hashes

Hashes for eunomia_mcp-0.3.3-py3-none-any.whl
Algorithm Hash digest
SHA256 523f9bab1913fe72863d2271bbe9beae76a464dda65baf48065e6605cce806e7
MD5 d1d7123bb701ea01e405768b58ca497b
BLAKE2b-256 8188345750868c977b79b6e3842a5c51d1cc65abc8c91028c654567004da18ea

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page