Auth, billing, and logging infrastructure for MCP-first servers.
Project description
mcp-core
Auth, billing, and logging infrastructure for MCP-first servers. Sits between your product code and fastapi-mcp, with provider-aware auth for Logto and Supabase.
Your MCP Server (product-specific tool handlers)
mcp-core (auth, billing, logging, health)
fastapi-mcp (MCP protocol: JSON-RPC, SSE, tool discovery)
FastAPI
Install
pip install mcp-core-auth
The package is published as mcp-core-auth on PyPI (the bare mcp-core name is held by an unrelated project), but the import path is unchanged:
from mcp_core import MCPCore
Quick Start
from contextlib import asynccontextmanager
from fastapi import FastAPI, Request
from mcp_core import MCPCore
core = MCPCore(
product_name="my-product",
auth_provider="logto",
logto_endpoint="https://your-tenant.logto.app",
logto_api_resource="https://api.my-product.app",
mongodb_uri="mongodb+srv://...",
stripe_secret_key="sk_test_...",
stripe_price_id="price_...",
free_credits=30,
tool_costs={"browse": 0, "generate": 5},
read_only_tools={"browse"},
)
@asynccontextmanager
async def lifespan(app: FastAPI):
await core.connect_db()
yield
app = FastAPI(lifespan=lifespan)
core.install_routes(app) # /health, /api/billing/credits, webhook, OAuth metadata
@app.post("/api/mcp/generate")
async def generate(request: Request):
user = await core.auth_and_bill(request, "generate")
result = do_generation()
await core.log_tool_call(request, "generate", user=user, duration_ms=1200)
return result
All config can also come from MCP_CORE_* environment variables.
To use Supabase Auth instead, switch the provider and pass your Supabase URL and anon key:
core = MCPCore(
product_name="my-product",
auth_provider="supabase",
supabase_url="https://your-project.supabase.co",
supabase_anon_key="sb_publishable_...",
supabase_api_resource="https://api.my-product.app",
mongodb_uri="mongodb+srv://...",
free_credits=30,
tool_costs={"browse": 0, "generate": 5},
read_only_tools={"browse"},
)
If auth_provider is omitted, mcp-core infers Supabase when both
MCP_CORE_SUPABASE_URL and MCP_CORE_SUPABASE_ANON_KEY are present;
otherwise it preserves the existing Logto default.
Modules
Auth (mcp_core.auth)
Provider-aware bearer-token auth. Creates MongoDB user records on first auth
using a neutral auth_user_id while preserving legacy logto_user_id fields
for existing Logto apps.
- Logto JWT validation via JWKS
- Supabase access-token validation through Supabase Auth
- Cloud or self-hosted provider URLs
- 30s clock skew tolerance
- Race-condition-safe user upsert
- Dev bypass (
Bearer dev-bypass) for local development - M2M token rejection for paid tools
Billing (mcp_core.billing.StripeBilling)
Stripe billing for credit-based products and all-access subscription products.
- Credit mode deducts free credits first, then falls back to Stripe metered billing.
- Subscription mode (
BILLING_MODE=subscription) requires an active subscription for paid tools and never consumes credits. - Standard billing routes include
/api/billing/credits,/api/billing/checkout-subscription,/api/billing/sync,/api/billing/portal, and/api/stripe/webhook. - Subscription webhooks track
checkout.session.completed,customer.subscription.created,customer.subscription.updated,customer.subscription.paused,customer.subscription.resumed,customer.subscription.deleted,invoice.payment_failed,invoice.payment_action_required, andinvoice.paid. - Access defaults to
active,trialing, andpast_due;unpaid,paused,incomplete,incomplete_expired, andcanceleddo not grant subscription access. - Stripe Customer Portal should handle payment methods, invoices, receipts, and cancellation self-service. Stripe Billing customer-email settings should handle invoice, receipt, failed-payment, and renewal emails; auth providers such as Supabase should remain responsible for auth and security emails.
Useful subscription env vars:
BILLING_MODE=subscription
STRIPE_SECRET_KEY=sk_live_or_test_...
STRIPE_PRICE_ID=price_...
STRIPE_WEBHOOK_SECRET=whsec_...
STRIPE_PORTAL_CONFIGURATION_ID=bpc_...
SUBSCRIPTION_PLAN_NAME="Pro"
SUBSCRIPTION_PRICE_LABEL="$20/month"
Tool Logging (mcp_core.tool_logging.ToolLogger)
Audit trail for every MCP tool call. Writes to MongoDB tool_logs collection.
Health (mcp_core.health.HealthCheck)
Composable health check builder. Supports sync and async checks with timeouts.
Readiness (mcp_core.readiness)
Provider-aware MCP OAuth onboarding diagnostics. The bundled CLI follows the same discovery path as RFC 9728 clients:
mcp-core-check-readiness https://your-app.example.com/mcp/v2/
It checks protected-resource metadata, authorization-server discovery, Dynamic
Client Registration, unauthenticated MCP bearer challenges, and provider-specific
behavior for Logto and Supabase. For Supabase, it also verifies that the
authorize endpoint redirects back to your app's consent UI with an
authorization_id.
Testing
# Mock tests (no external services)
pip install -e ".[dev]"
pytest tests/ -v
# Live tests (requires .env.live with real credentials)
RUN_LIVE_TESTS=1 pytest tests/live/ -v
Contributing
Bug reports and PRs welcome. See CONTRIBUTING.md for the workflow and SECURITY.md for vulnerability reporting.
The multi-provider auth design reference lives in docs/multi-provider-auth-plan.md.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_core_auth-0.3.7.tar.gz.
File metadata
- Download URL: mcp_core_auth-0.3.7.tar.gz
- Upload date:
- Size: 547.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
85e0da14424a2cb20360a4fcfc3f27356e68e7195d370090dbc863af98ca0389
|
|
| MD5 |
960526ddbd78445b7c83b608d8f4a49e
|
|
| BLAKE2b-256 |
6211b45461d4ae9e0c77d2a37db2e20604a80e87f3a6c382b72addcfa009cca1
|
File details
Details for the file mcp_core_auth-0.3.7-py3-none-any.whl.
File metadata
- Download URL: mcp_core_auth-0.3.7-py3-none-any.whl
- Upload date:
- Size: 42.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
13b6b5309441b89a2adf605483cd15dde1e1cdc5d839a85ca63664c4618e765d
|
|
| MD5 |
b1ac620e0bdf9f72692f1c2d1bd824b5
|
|
| BLAKE2b-256 |
c9781357b5831c4da25085284d801a32be6e324c3e68dacfe54524e88685f7b8
|