Secure FastMCP with Cerbos authorization
Control what AI agents and tools can access with policy-driven authorization powered by Cerbos.
MCP authorization
Control access to MCP tools and resources with fine-grained Cerbos policies
cerbos-fastmcp middleware
Drop-in middleware that enforces authorization on every tool call and resource access
Policy as code
Define who can use which AI tools using human-readable YAML policies
How Cerbos works with FastMCP
AI agents and tools introduce a new class of authorization challenges. They act on behalf of users, access sensitive data, and chain operations, all of which need fine-grained access control.
Cerbos provides policy-driven authorization that controls what AI systems can do, which data they can access, and on whose behalf. Policies are written in human-readable YAML and evaluated at request time.
With Cerbos and FastMCP, you get guardrails that scale with your AI adoption, centrally managed policies, full audit trails, and sub-millisecond decision times that don't slow down agent workflows.
How Cerbos secures FastMCP agents
- Define policies for AI agent actions and data access. Write YAML policies that specify which tools, data, and operations each agent or user can access.
- Agent requests authorization from Cerbos. Before performing an action, the AI agent sends the user context, tool, and target resource to the PDP.
- Cerbos evaluates context, tool, and resource. The PDP applies fine-grained policies considering the user's identity, the requested tool, and the target data.
- Agent proceeds or is denied. Cerbos returns an allow or deny decision and the agent framework enforces it, with a full audit trail.
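A resource policy of the kind the first step describes, as an added example that is not taken from Cerbos's own material. The resource kind `mcp_tool`, the tool names, the roles and the `department` attribute are hypothetical, as is the assumption that each tool name is sent to the PDP as the action.

```yaml
# Added example. Resource kind, tool names, roles and attributes are
# hypothetical; the layout is the standard Cerbos resource policy schema.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "mcp_tool"   # assumed: one resource kind covering the server's tools
  rules:
    # Read-only tool: any user the agent is acting for.
    - actions: ["list_expenses"]
      effect: EFFECT_ALLOW
      roles: ["user", "manager", "admin"]

    # State-changing tool: managers only, and only inside their own
    # department. This needs the full principal profile, not just a user ID.
    - actions: ["approve_expense"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
      condition:
        match:
          expr: request.resource.attr.department == request.principal.attr.department

    # Destructive tool: admin role only.
    - actions: ["delete_expense"]
      effect: EFFECT_ALLOW
      roles: ["admin"]
```

Any tool not named in a rule is denied, because Cerbos denies a request when no rule matches it.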
Security risks of unsecured AI agents
Without authorization at every tool call, AI agents introduce risks that traditional application security doesn't cover:
- Privilege escalation through tools. An agent with unrestricted tool access can perform actions the delegating user isn't authorized for — reading sensitive data, modifying resources, or invoking admin operations.
- Incomplete identity context. Agents often carry only a partial user reference. Without the full profile, policies can't enforce department-level, role-based, or attribute-based restrictions accurately.
- No audit trail. Without authorization checks at each step, there's no record of what the agent did, on whose behalf, or why it was allowed — making incident investigation and compliance reporting impossible.
- Transitive trust. When agents chain tool calls or delegate to other agents, permissions can expand silently if each step isn't individually authorized.
Richer agent decisions with Cerbos Synapse
When an AI agent makes an authorization call on behalf of a user, it often includes only an agent ID or partial user reference. Cerbos Synapse enriches these requests with the full user profile from your identity provider, resource metadata from your data stores, and the agent's own constraints — so the PDP receives complete context for every decision without the agent needing to assemble it.
FAQ
How does Cerbos secure FastMCP agents?
Cerbos evaluates fine-grained policies at every tool call and data access, ensuring AI agents only perform actions and access data they are authorized for, on behalf of the requesting user.
Can I audit what my AI agents are doing?
Yes. Every authorization decision is logged with full context: the principal, resource, action, and result. This gives you a complete audit trail of AI agent behavior.
Cerbos + FastMCP
- Cerbos policies govern AI agent tool access and data visibility
- Full audit trail for every AI tool call and data access
- Per-user permissions enforced across autonomous agent workflows
- Sub-millisecond policy evaluation with no agent pipeline overhead