How to secure your FastMCP server with permission management

What is FastMCP?

FastMCP is a Python framework for building production-ready Model Context Protocol (MCP) servers. It provides a high-level, Pythonic interface that handles the complex details of the MCP specification, letting you focus on your application's logic. Decorating a Python function is often all it takes to expose it as a tool or resource.

So, what is the difference between MCP and FastMCP? Think of MCP as the specification, like USB-C, a standard for connecting LLMs to tools and data. FastMCP is a framework for building the servers that implement that specification. It delivers the features needed for production environments, such as advanced server patterns, enterprise authentication integrations, and testing frameworks.

I believe that many developers choose FastMCP because it significantly accelerates development. It simplifies building MCP servers with minimal boilerplate code, feels natural to Python developers, and includes a complete toolkit for production systems. This makes it the shortest path from an idea to a deployed MCP server ready to connect to your AI systems. FastMCP has received a lot of support from the development community, with 18k+ stars on GitHub, and it’s well-deserved.

At its core, FastMCP works by exposing data and functionality to LLM applications in a secure and standardized way. It allows you to define resources, which are like GET endpoints for loading information into the LLM's context, and tools, which are like POST endpoints for executing code. FastMCP manages the protocol-level interactions, so you can build powerful AI applications with just a few lines of Python.

Security blind spots of MCP servers

The power of MCP is also its primary security challenge. A server announces its available tools and resources to any connected client, and a naive implementation exposes every single tool to every single user. This creates a massive security risk, as tools that can delete data or trigger sensitive operations become available to anyone, regardless of their role or permissions. These tools can often bypass the rigorous security models built around traditional APIs.

This is why you need fine-grained authorization for any production FastMCP server. When an AI agent acts on a user's behalf, it must be subject to that user's permissions. Without it, low-privilege users could instruct an agent to use highly sensitive tools, leading to a significant security vulnerability. When an agent inevitably tries to use a tool it doesn't have access to, the action fails, making the agent appear broken and eroding user trust.

The security risks are not just theoretical. What I have observed from speaking with engineering teams is that they often hardcode authorization logic using complex if/else statements within the MCP server itself. This approach is brittle, error-prone, and makes adding new tools or changing business rules a slow and expensive engineering task. Research from security firms highlights the real-world dangers, as one report from TrendMicro stated, "We found 492 MCP servers with no client authentication or traffic encryption...Successful attacks against these servers lead to data breaches, leaking sensitive information such as company proprietary information and customer details."

See it in action

To make these concepts more tangible, here is a walkthrough demonstrating how to secure a FastMCP server using the new cerbos-fastmcp middleware, which utilizes Cerbos, an enterprise-grade authorization solution to bring policy-based access control to MCP tools, resources and prompts:

Key Features: permission management for FastMCP

The cerbos-fastmcp middleware provides a robust solution for securing your servers by integrating Cerbos for policy-driven authorization. Here are the key components:

• Policy-driven authorization via Cerbos PDP.
  Your authorization rules are defined in human-readable YAML policies, completely decoupled from your server's application code. This makes them easy to manage, audit, and update without requiring a full redeployment.
• Fine-grained rules for tools, prompts, and resources.
  You can create detailed rules that go far beyond simple role-based access. Policies can use attributes from the user, the resource they are acting on, and the context of the request to make dynamic authorization decisions.
• Flexible principal builder (sync/async).
  The middleware can extract user identity from various sources to match your authentication setup. Whether you use JWTs, API keys, or another method, you can configure how the user principal is constructed for authorization checks.

Now, let me walk you through the installation guide 👇.

Quick start

Integrating cerbos-fastmcp into your project is straightforward and can be done in about five minutes.

First, install the package using your preferred package manager.

pip install fastmcp cerbos-fastmcp
# or uv add fastmcp cerbos-fastmcp

Next, add the middleware to your FastMCP server. The middleware intercepts incoming requests and checks them against your Cerbos policies before allowing them to proceed.

from cerbos.sdk.model import Principal
from fastmcp import FastMCP
from fastmcp.server.dependencies import AccessToken
from cerbos_fastmcp import CerbosAuthorizationMiddleware

mcp = FastMCP("Secure Server")

# Define your principal builder
def build_principal(token: AccessToken) -> Principal | None:
    # Parse token, lookups etc
    return {
        "id": accessToken.sub,
        "roles": accessToken.roles, # eg ["ADMIN"]
        "attr": {"department": accessToken.department}
    }

# Add Cerbos middleware
mcp.add_middleware(
    CerbosAuthorizationMiddleware(
        principal_builder=build_principal,
        # Your locally running Cerbos PDP
        cerbos_host="localhost:3593")
)


@mcp.tool
def fetch_records():
    # Your tool logic here
    return "Operation successful"

@mcp.tool
def admin_tool():
    # Your tool logic here
    return "Admin action successful"


if __name__ == "__main__":
    mcp.run(transport="http", port=8000)

Then the Cerbos policy would look like:

apiVersion: api.cerbos.dev/v1
description: Demo MCP Server
resourcePolicy:
  resource: mcp_server
  version: default

  rules:
    # Base access: Allow USER and ADMIN to see resource and prompt listings,
    # and to enumerate available tools. No tool execution is granted here.
    - actions:
        - resources/list
        - prompts/list
        - tools/list
      roles:
        - USER
        - ADMIN
      effect: EFFECT_ALLOW

    # Fetch Records tool: Both USER and ADMIN can list and call fetch_records.
    - actions:
        - tools/list::fetch_records
        - tools/call::fetch_records
      roles:
        - USER
        - ADMIN
      effect: EFFECT_ALLOW

    # Admin Tool: Only ADMIN can list and call admin_tool.
    - actions:
        - tools/list::admin_tool
        - tools/call::admin_tool
      roles:
        - ADMIN
      effect: EFFECT_ALLOW

How FastMCP authorization works

The cerbos-fastmcp integration works by decoupling authorization logic from your application code. The MCP server defines all possible tools, but the middleware dynamically enables only the ones a user has permission to use for a given request. It does this by querying the Cerbos Policy Decision Point (PDP) at the start of a session.

The policy model maps MCP actions to Cerbos resources and actions. For example, a tool call becomes an action on a resource representing the MCP server. You can define policies in YAML that grant or deny permissions based on user roles and attributes. For instance, a manager might be able to approve expenses, but only for their own team and only up to a certain amount.

Configuration is flexible, allowing you to specify the address of your Cerbos PDP and how user identity is determined. The middleware supports various testing approaches, enabling you to write unit and integration tests for your authorization logic without needing a live Cerbos instance. This ensures your security rules work as expected before deploying to production.

Production deployment

For local development, you can run the Cerbos PDP as a container on your machine, mounting your policies directory to make them live. This setup is perfect for writing and testing policies without needing any network dependencies. It is what I personally use for all my projects.

When moving to production, you have a few options. One common pattern is a sidecar deployment, where a Cerbos PDP container runs alongside your FastMCP server in the same pod or VM. This provides a low-latency, highly available authorization service that scales with your application.

For more advanced use cases, you can integrate with Cerbos Hub. Cerbos Hub provides a centralized control plane for managing and distributing your policies across a fleet of PDPs. This ensures consistent authorization decisions everywhere and simplifies policy management as your application grows. Many of our customers have found this to be the most effective way to manage authorization at scale.

Here are some resources to help you get started.

• Documentation: For detailed guides and API references, check out the official middleware documentation and the Cerbos documentation for writing policy..
• MCP use case: Learn more about authorization for the MCP server.
• Community: Join the community Slack to ask questions and share your experiences with other developers.
• GitHub Repository: The full source code for cerbos-fastmcp is available on GitHub.

Key takeaways

Securing your FastMCP server is not just a best practice; it is a necessity for any production application. A default implementation exposes all tools to all users, creating a significant security risk. By decoupling authorization with a policy-driven solution like cerbos-fastmcp, you gain fine-grained control over who can do what.

This approach allows you to manage permissions through declarative policies, which are easier to audit and update than hardcoded logic. You can confidently add powerful new tools to your server, knowing their access can be precisely controlled with a simple policy change, not a full release cycle. Ultimately, this leads to more secure, reliable, and trustworthy AI agents.