Skip to main content

JWT verification for LIME MCP resource servers

Project description

lime-mcp-server-sdk

JWT verification for LIME MCP resource servers (ADR 0081).

Install:

pip install lime-mcp-server-sdk

Quick start

from lime_mcp_server import TokenVerifier, McpAccessTokenClaims

verifier = TokenVerifier()  # defaults: https://lime.pics, aud=mcp
result = verifier.verify(bearer_token)
if result.is_valid:
    claims: McpAccessTokenClaims = result.valid_claims  # sub, iss, aud, iat, exp, jti
    agent_uuid = result.agent_id  # alias for claims["sub"]

MCP OAuth JWT identity is claim sub (UUID). There is no separate agent_id claim.

Async verify (FastMCP / ASGI)

result = await verifier.verify_async(bearer_token)

Warmup (ASGI lifespan)

verifier = TokenVerifier()
if not verifier.warmup(raise_on_failure=True):
    raise RuntimeError("JWKS warmup failed")

JwksCache.fetch_count tracks successful metadata+JWKS network fetches (ops/debug).

FastMCP snippet (not shipped in wheel)

from lime_mcp_server import TokenVerifier
from fastmcp import FastMCP

verifier = TokenVerifier()

async def verify_token(bearer: str) -> str | None:
    token = bearer.removeprefix("Bearer ").strip()
    result = await verifier.verify_async(token)
    return result.agent_id if result.is_valid else None

Monorepo reference adapter: scripts/verify/lime_mcp_rs_auth.py.

Environment variables

Variable Default Description
LIME_BASE_URL https://lime.pics LIME origin for OAuth metadata + JWKS
LIME_OAUTH_AUDIENCE mcp Expected JWT aud
LIME_JWKS_CACHE_TTL_SECONDS 3600 Metadata + JWKS cache TTL
LIME_JWT_VERIFY_LEEWAY_SECONDS 120 Clock skew leeway
LIME_JWKS_MIN_REFRESH_SECONDS 60 Min interval between forced JWKS refresh

Development

Monorepo workspace: sdk/lime-mcp-server-sdk/ (gitignored). Standalone repo: github.com/Mawyxx/lime-mcp-server-sdk.

cd sdk/lime-mcp-server-sdk
pip install -e ".[dev]"
ruff check src tests
mypy src/lime_mcp_server
pytest --cov=lime_mcp_server --cov-fail-under=100

Live integration (optional):

LIME_MCP_SERVER_INTEGRATION=1 LIME_AGENT_TOKEN=at_... pytest tests/integration/ -v

Publish (standalone repo)

cd sdk/lime-mcp-server-sdk
git push -u origin main
git tag v0.3.0
git push origin v0.3.0

GitHub Actions on tag v* publishes to PyPI via trusted publishing (publish.yml, environment pypi).

Changelog

0.3.0

  • McpAccessTokenClaims TypedDict; TokenValidationResult.valid_claims
  • verify_async() for non-blocking RS verify
  • Public TokenVerifier.warmup(); JwksCache.fetch_count observability

0.2.0

  • Remove framework adapters (LimeMcpTokenVerifier, [mcp] extra). Core-only wheel.

0.1.0

  • Initial release: TokenVerifier, TokenValidationResult, JWKS cache.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

lime_mcp_server_sdk-0.3.0.tar.gz (11.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

lime_mcp_server_sdk-0.3.0-py3-none-any.whl (10.3 kB view details)

Uploaded Python 3

File details

Details for the file lime_mcp_server_sdk-0.3.0.tar.gz.

File metadata

  • Download URL: lime_mcp_server_sdk-0.3.0.tar.gz
  • Upload date:
  • Size: 11.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for lime_mcp_server_sdk-0.3.0.tar.gz
Algorithm Hash digest
SHA256 c463600e2c3a8b040af4a68c9be7434678249459964a3f5324f51541610f60f4
MD5 3cc2f41b4130662371b6be470dd43478
BLAKE2b-256 ee481bb450fbca4c2463c30cb2c169c2f5ea6d3ce4895ac60e7154e298295c09

See more details on using hashes here.

Provenance

The following attestation bundles were made for lime_mcp_server_sdk-0.3.0.tar.gz:

Publisher: publish.yml on Mawyxx/lime-mcp-server-sdk

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file lime_mcp_server_sdk-0.3.0-py3-none-any.whl.

File metadata

File hashes

Hashes for lime_mcp_server_sdk-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 80572c3992c6f8d0a1ee751c0805f64d067f0e3591b9dc243c439d6681afbec6
MD5 ba349b01689a2f535b4a58277cfda4e4
BLAKE2b-256 239b03a23946691e951c84d8d164230cda6abb54e56e992789f32d085322e98c

See more details on using hashes here.

Provenance

The following attestation bundles were made for lime_mcp_server_sdk-0.3.0-py3-none-any.whl:

Publisher: publish.yml on Mawyxx/lime-mcp-server-sdk

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page