> ## Documentation Index > Fetch the complete documentation index at: https://gofastmcp.com/llms.txt > Use this file to discover all available pages before exploring further. # authorization # `fastmcp.server.auth.authorization` Authorization checks for FastMCP components. This module provides callable-based authorization for tools, resources, and prompts. Auth checks are functions that receive an AuthContext and return True to allow access or False to deny. Auth checks can also raise exceptions: * AuthorizationError: Propagates with the custom message for explicit denial * Other exceptions: Masked for security (logged, treated as auth failure) Example: ```python theme={"theme":{"light":"snazzy-light","dark":"dark-plus"}} from fastmcp import FastMCP from fastmcp.server.auth import require_scopes mcp = FastMCP() @mcp.tool(auth=require_scopes("write")) def protected_tool(): ... @mcp.resource("data://secret", auth=require_scopes("read")) def secret_data(): ... @mcp.prompt(auth=require_scopes("admin")) def admin_prompt(): ... ``` ## Functions ### `require_scopes` ```python theme={"theme":{"light":"snazzy-light","dark":"dark-plus"}} require_scopes(*scopes: str) -> AuthCheck ``` Require specific OAuth scopes. Returns an auth check that requires ALL specified scopes to be present in the token (AND logic). **Args:** * `*scopes`: One or more scope strings that must all be present. ### `restrict_tag` ```python theme={"theme":{"light":"snazzy-light","dark":"dark-plus"}} restrict_tag(tag: str) -> AuthCheck ``` Restrict components with a specific tag to require certain scopes. If the component has the specified tag, the token must have ALL the required scopes. If the component doesn't have the tag, access is allowed. **Args:** * `tag`: The tag that triggers the scope requirement. * `scopes`: List of scopes required when the tag is present. ### `run_auth_checks` ```python theme={"theme":{"light":"snazzy-light","dark":"dark-plus"}} run_auth_checks(checks: AuthCheck | list[AuthCheck], ctx: AuthContext) -> bool ``` Run auth checks with AND logic. All checks must pass for authorization to succeed. Checks can be synchronous or asynchronous functions. Auth checks can: * Return True to allow access * Return False to deny access * Raise AuthorizationError to deny with a custom message (propagates) * Raise other exceptions (masked for security, treated as denial) **Args:** * `checks`: A single check function or list of check functions. Each check can be sync (returns bool) or async (returns Awaitable\[bool]). * `ctx`: The auth context to pass to each check. **Returns:** * True if all checks pass, False if any check fails. **Raises:** * `AuthorizationError`: If an auth check explicitly raises it. ## Classes ### `AuthContext` Context passed to auth check callables. This object is passed to each auth check function and provides access to the current authentication token and the component being accessed. **Attributes:** * `token`: The current access token, or None if unauthenticated. * `component`: The component (tool, resource, or prompt) being accessed. * `tool`: Backwards-compatible alias for component when it's a Tool. **Methods:** #### `tool` ```python theme={"theme":{"light":"snazzy-light","dark":"dark-plus"}} tool(self) -> Tool | None ``` Backwards-compatible access to the component as a Tool. Returns the component if it's a Tool, None otherwise.