A constraint-driven API framework for Python. One endpoint. Typed intents. Zero boilerplate.
Project description
Intent API
One endpoint. Typed intents. Zero boilerplate.
Intent API is a constraint-driven API framework for Python. Instead of writing dozens of REST endpoints, you declare intents — structured requests that describe what the caller wants to do. The framework dispatches them to the right handler automatically.
POST /api/intent
{
"model": "Todo",
"action": "create",
"payload": { "title": "Ship Intent API", "done": false },
"context": { "type": "user", "team_id": "abc-123" }
}
Install
pip install intent-api
Quickstart
from fastapi import FastAPI
from intent_api import IntentRouter, IntentService, MutationResponse
app = FastAPI()
# 1. Define a service
class TodoService(IntentService):
async def create(self, *, db, user, context, payload):
# Your create logic here
return MutationResponse(success=True, id="1", message="Todo created")
async def list(self, *, db, user, context, skip, limit):
return {"items": [], "total": 0}
# 2. Create router and register services
router = IntentRouter()
router.register("Todo", TodoService())
# 3. Build and include the FastAPI router
app.include_router(router.build(
get_user=my_auth_dependency, # Your auth function
get_db=my_db_dependency, # Your DB session function
))
That's it. One endpoint handles all CRUD + custom commands for every model.
Core Concepts
IntentRequest
Every API call is an IntentRequest:
| Field | Type | Description |
|---|---|---|
model |
str |
Target resource (e.g., "Todo", "User") |
action |
str |
"create", "read", "update", "delete", "list", "custom" |
id |
any? |
Resource ID for read/update/delete |
payload |
dict? |
Data for create/update/custom |
command |
str? |
Named command when action is "custom" |
context |
IntentContext? |
Caller context (role, team, org) |
skip |
int? |
Pagination offset (default: 0) |
limit |
int? |
Pagination limit (default: 10) |
IntentContext
Context tells the backend who is calling and what scope they're in:
{
"type": "member", # Role/surface type
"team_id": "uuid-123", # Team scope
"organization_id": null, # Org scope (optional)
}
IntentService
Subclass IntentService for each model. Override the methods you need:
class UserService(IntentService):
async def create(self, *, db, user, context, payload):
...
async def read(self, *, db, user, id, context):
...
async def update(self, *, db, user, id, context, payload):
...
async def delete(self, *, db, user, id, context):
...
async def list(self, *, db, user, context, skip, limit):
...
async def custom_action(self, *, db, user, context, command, id, payload):
if command == "archive":
return await self._archive(db=db, id=id)
raise ValueError(f"Unknown command: {command}")
Custom Commands
Custom commands let you go beyond CRUD:
{
"model": "Report",
"action": "custom",
"command": "export_csv",
"payload": { "date_from": "2024-01-01", "date_to": "2024-12-31" }
}
@custom_action decorator (recommended)
Replaces manual if/elif dispatch. Each decorated method is auto-registered, auto-discoverable via the MCP surface, and gets its own click-to-source line in the debug registry.
from intent_api import IntentService, custom_action
from pydantic import BaseModel
class GenerateBlogPostPayload(BaseModel):
keywords: list[str]
tone: str = "professional"
class BlogPostService(IntentService):
async def create(self, *, db, user, context, payload):
...
@custom_action(schema=GenerateBlogPostPayload)
async def generate(self, *, db, user, context, id, payload):
# Dispatched when {model: "BlogPost", action: "custom", command: "generate"}
return {"generated": True}
@custom_action(name="export_mdx")
async def export(self, *, db, user, context, id, payload):
# Dispatched as command "export_mdx" (not "export")
return {"exported": True}
The decorator is fully backward compatible — services using the legacy custom_action() override continue to work. You may NOT mix both patterns on the same class (raises TypeError at class definition time).
Multiple Surfaces
Intent API supports multiple access levels from the same registry:
router = IntentRouter()
router.register("Todo", TodoService())
router.register("User", UserService())
# Standard: authenticated users
app.include_router(router.build(
get_user=my_auth_dependency,
get_db=get_db,
))
# Admin: requires additional authorization
app.include_router(router.build_admin(
get_user=my_auth_dependency,
get_db=get_db,
authorize=lambda user, ctx: user.email.endswith("@mycompany.com"),
))
# Guest: unauthenticated, restricted actions
app.include_router(router.build_guest(
get_db=get_db,
))
Guest Access Control
Mark services as guest-accessible:
class PublicFeedService(IntentService):
is_guest_allowed = True
allowed_guest_actions = ["list", "read"]
async def list(self, *, db, user, context, skip, limit):
# user will be None for guest requests
return {"items": [...], "total": 10}
Auth Integration
Intent API is auth-agnostic. Provide your own get_user dependency:
# Example with Clerk
async def get_user(credentials, context, db):
clerk_user_id = verify_clerk_token(credentials.credentials)
return db.query(User).filter(User.clerk_id == clerk_user_id).first()
# Example with Auth0
async def get_user(credentials, context, db):
payload = decode_auth0_token(credentials.credentials)
return db.query(User).filter(User.auth0_id == payload["sub"]).first()
# Wire it up
app.include_router(router.build(get_user=get_user, get_db=get_db))
MCP Surface
Intent API ships with a built-in Model Context Protocol server. One line exposes your entire registered service catalog to MCP-compatible AI hosts (Claude Desktop, Cursor, Claude Code, ChatGPT, etc.) — with OAuth 2.1 auth, dynamic discovery, and zero per-service configuration.
Why one tool, not many?
Intent API exposes a single MCP tool named intent_api, plus three discovery Resources. This is a deliberate design choice:
- Avoids context bloat — token cost stays under ~1.5k regardless of model count. Compare to per-tool MCP servers that hit the 40-tool Cursor cap and 128-tool Copilot cap at scale.
- Smaller attack surface — Tool Description Injection has a 94% success rate per Trail of Bits; one tool means one description, one schema, one audit chokepoint.
- Dynamic discovery — The
intent://schema,intent://models, andintent://models/{model}Resources are read-only and only cost tokens when the LLM explicitly fetches them.
Setup
from fastapi import FastAPI
from intent_api import IntentRouter, IntentService
from intent_api.mcp_auth import clerk_mcp_auth
router = IntentRouter()
router.register("Brand", BrandService())
router.register("BlogPost", BlogPostService())
router.register("Internal", InternalService(), expose_mcp=False) # hidden from MCP
# Build the MCP app once
mcp_app = router.build_mcp(
get_user=clerk_mcp_auth(
secret_key=settings.CLERK_SECRET_KEY,
authorization_server=settings.CLERK_FRONTEND_API,
),
get_db=get_db,
resource_metadata_url="https://api.example.com/.well-known/oauth-protected-resource",
)
# Wire it into FastAPI — lifespan is REQUIRED
app = FastAPI(lifespan=mcp_app.lifespan)
app.mount("/mcp", mcp_app)
# OAuth metadata MUST be at app root (RFC 9728)
app.include_router(router.build_mcp_well_known(
resource_url="https://api.example.com/mcp",
authorization_server="https://example.clerk.accounts.dev",
))
Auth options
Clerk OAuth 2.1 — install clerk-backend-api and use clerk_mcp_auth().
Custom JWT / API key — bring your own bearer-token verifier:
from intent_api.mcp_auth import bearer_token_auth
def verify(token: str):
return decode_my_jwt(token) # raise on invalid
async def resolve(decoded, db):
return db.query(User).filter(User.sub == decoded["sub"]).first()
get_user = bearer_token_auth(verify_fn=verify, resolve_user=resolve)
API key (machine surface reuse) — your existing build_machine get_user works as-is, provided it has the (credentials, context, db) signature.
mount vs include_router
The four REST surfaces use app.include_router(...). The MCP surface uses app.mount("/mcp", ...). The difference is real and intentional: MCP speaks JSON-RPC 2.0 over Streamable HTTP — it is a mounted protocol, not a REST router. Don't try to wrap it in a Router.
get_user contract
get_user functions used with build_mcp() MUST accept exactly (credentials, context, db) as keyword args. Functions that use FastAPI Depends() parameters in their signature are not compatible — refactor or wrap them.
# ✅ Works with MCP
async def get_user(credentials, context, db):
...
# ❌ Does NOT work with MCP — Depends() in signature
async def get_user(creds=Depends(security), db=Depends(get_db)):
...
Security: context is server-derived
The MCP intent_api tool input schema deliberately omits the context field. IntentContext is built server-side from the authenticated session inside the tool handler. The LLM cannot pass, forge, or influence team_id, role, or any context field through the MCP surface — closing a multi-tenancy bypass that would otherwise be trivial to exploit.
Resources
| URI | Returns |
|---|---|
intent://schema |
Full registry document — every MCP-visible model with actions, commands, and payload schemas |
intent://models |
Lightweight list of all MCP-visible models with one-line descriptions |
intent://models/{model} |
Full schema for a single model: actions, commands, per-command payload schemas |
All Resources are JSON Schema 2020-12 compliant.
Why Intent API?
| Traditional REST | Intent API |
|---|---|
GET /users, POST /users, GET /users/:id, PUT /users/:id, DELETE /users/:id, POST /users/:id/archive, GET /reports/export ... |
POST /api/intent |
| 40+ endpoints to maintain | 1 endpoint, N services |
| Auth middleware on every route | Auth once at the intent surface |
| No standard request format | Every request is an IntentRequest |
| Hard to audit ("which endpoints access sensitive data?") | One place to log all access |
License
Copyright 2026 Chris Bora. All rights reserved.
Free for any use, including commercial. The only restriction is you can't use it to build a competing framework or hosted service. See the INTENT API LICENSE (IACL) for details.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file intent_api-0.2.0.tar.gz.
File metadata
- Download URL: intent_api-0.2.0.tar.gz
- Upload date:
- Size: 33.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c8b0f795d7269a61ff8e7bb123f6ebad8521838e2636a30179da86af03a4e45d
|
|
| MD5 |
2575ca826721b93cb8ceb04dcff252a6
|
|
| BLAKE2b-256 |
804a663812bbc6006b471ae5444d1e9bac6b5087d744ca68466cb0d623fdf6e8
|
File details
Details for the file intent_api-0.2.0-py3-none-any.whl.
File metadata
- Download URL: intent_api-0.2.0-py3-none-any.whl
- Upload date:
- Size: 29.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d21a267f83fe6ecc0b78ffe68f247033a118d7bb9c3042ab3db2f92294e2458a
|
|
| MD5 |
675651190461c780542415e9f1334428
|
|
| BLAKE2b-256 |
dc13190c2bbd852c7d8c9ab39ffbb7fedb90e05d7a7f69abdef63109fe415056
|
