Eunomia MCP authorization middleware

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tommitt from gravatar.com tommitt

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

Eunomia MCP Authorization Middleware

Add policy-based authorization to your MCP servers built on FastMCP with minimal code changes.

Overview

Features

  • 🔒 Policy-Based Authorization: Control which agents can access which MCP resources and tools
  • 📊 Audit Logging: Track all authorization decisions and violations
  • FastMCP Integration: One-line middleware integration with FastMCP servers
  • 🔧 Flexible Configuration: JSON-based policies with support for complex rules
  • 🎯 MCP-Aware: Built-in understanding of MCP protocol (tools, resources, prompts)

Architecture

sequenceDiagram
    participant MCPClient as MCP Client
    participant EunomiaMiddleware as Eunomia Middleware
    participant MCPServer as MCP Server
    participant EunomiaServer as Eunomia Server

    MCPClient->>EunomiaMiddleware: MCP Request
    Note over MCPClient, EunomiaMiddleware: Middleware intercepts request to server
    EunomiaMiddleware->>EunomiaServer: Authorization Check
    EunomiaServer->>EunomiaMiddleware: Authorization Decision (allow/deny)
    EunomiaMiddleware-->>MCPClient: MCP Unauthorized Error (if denied)
    EunomiaMiddleware->>MCPServer: MCP Request (if allowed)
    MCPServer-->>MCPClient: MCP Response (if allowed)

Installation

pip install eunomia-mcp

Quick Start

Create a MCP Server with Middleware

Basic Integration

from fastmcp import FastMCP
from eunomia_mcp import create_eunomia_middleware

# Create your FastMCP server
mcp = FastMCP("Secure MCP Server 🔒")

@mcp.tool()
def add(a: int, b: int) -> int:
    """Add two numbers"""
    return a + b

# Add Eunomia authorization middleware
middleware = [create_eunomia_middleware()]

# Create ASGI app with authorization
app = mcp.http_app(middleware=middleware)

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="0.0.0.0", port=8080)

[!IMPORTANT]

Eunomia is a standalone server that handles the policy decisions, you must have it running alongside the MCP server.

Run it in the background with Docker:

docker run -d -p 8000:8000 --name eunomia ttommitt/eunomia-server:latest

Or refer to the Eunomia documentation for more options.

Advanced Integration

Configure the middleware with custom options for production deployments:

from fastmcp import FastMCP
from eunomia_mcp import create_eunomia_middleware

mcp = FastMCP("Secure MCP Server 🔒")

# Configure middleware with custom options
middleware = [
    create_eunomia_middleware(
        eunomia_endpoint="https://your-eunomia-server.com",
        eunomia_api_key="your-api-key",
        enable_audit_logging=True,
        bypass_methods=["initialize", "notifications/*"]
    )
]

app = mcp.http_app(middleware=middleware)

Policy Configuration

Use the eunomia-mcp CLI to manage your MCP authorization policies:

Initialize a New Project

# Create a default policy configuration file
eunomia-mcp init

# Create policy configuration file with custom name
eunomia-mcp init --policy-file my_policies.json

# Generate both policy configuration file and a sample MCP server
eunomia-mcp init --sample

You can now edit the policy configuration file to your liking.

Validate Policy Configuration

# Validate your policy file
eunomia-mcp validate mcp_policies.json

Push Policies to Eunomia

# Push your policy to Eunomia server
eunomia-mcp push mcp_policies.json

# Push your policy and overwrite existing ones
eunomia-mcp push mcp_policies.json --overwrite

[!IMPORTANT] You need the Eunomia server running for the push operation.

Workflow: Initialize → Customize policies → Validate → Run Eunomia server → Push to Eunomia → Run MCP server

Further Reading

How It Works

1. Request Interception

The middleware intercepts all JSON-RPC 2.0 requests to your MCP server:

{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "file_read",
    "arguments": { "path": "/private/secrets.txt" }
  },
  "id": 1
}

2. Authorization Check

Requests are mapped to Eunomia resources and checked against policies:

  • Principal: Extracted from request headers (X-Agent-ID, X-User-ID, Authorization)
  • Resource: Mapped from MCP method and parameters (e.g., mcp:tools:file_read)
  • Action: Derived from MCP method (e.g., execute for tools/call)

3. Response

  • Authorized: Request proceeds to MCP server
  • Denied: JSON-RPC error response returned

MCP Method Mappings

MCP Method Resource URI Action Notes
tools/list mcp:tools access List available tools
tools/call mcp:tools:{name} execute Execute specific tool
resources/list mcp:resources access List available resources
resources/read mcp:resource:{uri} read Read specific resource
prompts/list mcp:prompts access List available prompts
prompts/get mcp:prompt:{name} read Get specific prompt

Authentication

Agent Identification

Agents are identified through HTTP headers:

X-Agent-ID: claude
X-User-ID: user123
Authorization: Bearer api-key-here

Custom Principal Extraction

You can customize principal extraction by subclassing the middleware:

from eunomia_mcp import EunomiaMcpMiddleware

class CustomAuthMiddleware(EunomiaMcpMiddleware):
    def _extract_principal_info(self, request):
        # Custom logic to extract principal from JWT, etc.
        return {
            "uri": "user:john.doe",
            "attributes": {"role": "admin", "department": "engineering"}
        }

Error Responses

Authorization failures return standard JSON-RPC errors:

{
  "jsonrpc": "2.0",
  "error": {
    "code": -32603,
    "message": "Unauthorized",
    "data": "Access denied for tools/call"
  },
  "id": 1
}

Logging

Enable comprehensive audit logging:

import logging

# Configure logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("eunomia_mcp")

# Authorization success
# INFO: Authorized MCP request: tools/call | Client: 192.168.1.100

# Authorization violation
# WARNING: Authorization violation: Access denied for tools/call | Method: tools/call | Client: 192.168.1.100

Examples

WhatsApp MCP to Authorized Contacts

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tommitt from gravatar.com tommitt

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

0.3.10

0.3.9

0.3.8

0.3.7

This version

0.3.6

0.3.5

0.3.4

0.3.3

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

eunomia_mcp-0.3.6.tar.gz (7.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

eunomia_mcp-0.3.6-py3-none-any.whl (10.3 kB view details)

Uploaded Python 3

File details

Details for the file eunomia_mcp-0.3.6.tar.gz.

File metadata

  • Download URL: eunomia_mcp-0.3.6.tar.gz
  • Upload date:
  • Size: 7.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.6.3

File hashes

Hashes for eunomia_mcp-0.3.6.tar.gz
Algorithm Hash digest
SHA256 714cbb63505958d5cc05063a173d9d6521865d56f10845cd4c6ce1252f4b8c21
MD5 98a381833a52434e93c04a67d514d9d2
BLAKE2b-256 7b5fa1ba47d99b668bbfbc89377a90a831476dc3d175c80389e5916997cc8393

See more details on using hashes here.

File details

Details for the file eunomia_mcp-0.3.6-py3-none-any.whl.

File metadata

File hashes

Hashes for eunomia_mcp-0.3.6-py3-none-any.whl
Algorithm Hash digest
SHA256 4ecab28d24318b3fd074c8acac8ec987d0a6ebb2edc6499b5d7a46c9bad29938
MD5 32e38291aa184a5650b1e558e84ffe53
BLAKE2b-256 839594106ddde1a0682b69017ad0736700c6c306079e9233f994af361c064a02

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page