Skip to main content

Auth, billing, and logging infrastructure for MCP-first servers.

Project description

mcp-core

Release License: MIT Python

Auth, billing, and logging infrastructure for MCP-first servers. Sits between your product code and fastapi-mcp, with provider-aware auth for Logto and Supabase.

Your MCP Server  (product-specific tool handlers)
     mcp-core    (auth, billing, logging, health)
    fastapi-mcp  (MCP protocol: JSON-RPC, SSE, tool discovery)
      FastAPI

Install

pip install mcp-core-auth

The package is published as mcp-core-auth on PyPI (the bare mcp-core name is held by an unrelated project), but the import path is unchanged:

from mcp_core import MCPCore

Quick Start

from contextlib import asynccontextmanager
from fastapi import FastAPI, Request
from mcp_core import MCPCore

core = MCPCore(
    product_name="my-product",
    auth_provider="logto",
    logto_endpoint="https://your-tenant.logto.app",
    logto_api_resource="https://api.my-product.app",
    mongodb_uri="mongodb+srv://...",
    stripe_secret_key="sk_test_...",
    stripe_price_id="price_...",
    free_credits=30,
    tool_costs={"browse": 0, "generate": 5},
    read_only_tools={"browse"},
)

@asynccontextmanager
async def lifespan(app: FastAPI):
    await core.connect_db()
    yield

app = FastAPI(lifespan=lifespan)
core.install_routes(app)  # /health, /api/billing/credits, webhook, OAuth metadata

@app.post("/api/mcp/generate")
async def generate(request: Request):
    user = await core.auth_and_bill(request, "generate")
    result = do_generation()
    await core.log_tool_call(request, "generate", user=user, duration_ms=1200)
    return result

All config can also come from MCP_CORE_* environment variables.

To use Supabase Auth instead, switch the provider and pass your Supabase URL and anon key:

core = MCPCore(
    product_name="my-product",
    auth_provider="supabase",
    supabase_url="https://your-project.supabase.co",
    supabase_anon_key="sb_publishable_...",
    supabase_api_resource="https://api.my-product.app",
    mongodb_uri="mongodb+srv://...",
    free_credits=30,
    tool_costs={"browse": 0, "generate": 5},
    read_only_tools={"browse"},
)

If auth_provider is omitted, mcp-core infers Supabase when both MCP_CORE_SUPABASE_URL and MCP_CORE_SUPABASE_ANON_KEY are present; otherwise it preserves the existing Logto default.

Modules

Auth (mcp_core.auth)

Provider-aware bearer-token auth. Creates MongoDB user records on first auth using a neutral auth_user_id while preserving legacy logto_user_id fields for existing Logto apps.

  • Logto JWT validation via JWKS
  • Supabase access-token validation through Supabase Auth
  • Cloud or self-hosted provider URLs
  • 30s clock skew tolerance
  • Race-condition-safe user upsert
  • Dev bypass (Bearer dev-bypass) for local development
  • M2M token rejection for paid tools

Billing (mcp_core.billing.StripeBilling)

Stripe metered billing with free credit fallback.

  • Free credits deducted first
  • Stripe metered subscription as fallback
  • 402 with Checkout URL when no credits and no subscription
  • Webhook handler for checkout.session.completed and customer.subscription.created

Tool Logging (mcp_core.tool_logging.ToolLogger)

Audit trail for every MCP tool call. Writes to MongoDB tool_logs collection.

Health (mcp_core.health.HealthCheck)

Composable health check builder. Supports sync and async checks with timeouts.

Readiness (mcp_core.readiness)

Provider-aware MCP OAuth onboarding diagnostics. The bundled CLI follows the same discovery path as RFC 9728 clients:

mcp-core-check-readiness https://your-app.example.com/mcp/v2/

It checks protected-resource metadata, authorization-server discovery, Dynamic Client Registration, unauthenticated MCP bearer challenges, and provider-specific behavior for Logto and Supabase. For Supabase, it also verifies that the authorize endpoint redirects back to your app's consent UI with an authorization_id.

Testing

# Mock tests (no external services)
pip install -e ".[dev]"
pytest tests/ -v

# Live tests (requires .env.live with real credentials)
RUN_LIVE_TESTS=1 pytest tests/live/ -v

Contributing

Bug reports and PRs welcome. See CONTRIBUTING.md for the workflow and SECURITY.md for vulnerability reporting.

The multi-provider auth design reference lives in docs/multi-provider-auth-plan.md.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mcp_core_auth-0.3.1.tar.gz (537.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mcp_core_auth-0.3.1-py3-none-any.whl (35.6 kB view details)

Uploaded Python 3

File details

Details for the file mcp_core_auth-0.3.1.tar.gz.

File metadata

  • Download URL: mcp_core_auth-0.3.1.tar.gz
  • Upload date:
  • Size: 537.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for mcp_core_auth-0.3.1.tar.gz
Algorithm Hash digest
SHA256 151b7c819397ff2ced0797fb7c9e160f3592c849d1d27d2999719058028191cf
MD5 bc3dc9fb21a1760b7fc5434d0ffa5735
BLAKE2b-256 cf419f35922d22b9a64f38a80216fd5a31e5de8cf5c5096a8898a7bf1ca6e875

See more details on using hashes here.

File details

Details for the file mcp_core_auth-0.3.1-py3-none-any.whl.

File metadata

  • Download URL: mcp_core_auth-0.3.1-py3-none-any.whl
  • Upload date:
  • Size: 35.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for mcp_core_auth-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 b136a3e349d2ce7b8a1567519e4179d7d6b9ffd255a5d2281e901e40782efe7f
MD5 0ae40772e8889d4c427e4353c19e8d5a
BLAKE2b-256 e557f3bb69a34c7635adb367864320923b4c20fc6d22052f14f7d850f86bec71

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page