Declarative auth wrapper and authenticator contract.
FastestMCP.Auth does two jobs:
- it is the value attached to a server definition when you call FastestMCP.add_auth/3
- it is the behaviour that concrete authenticators implement
Every authenticator is normalized behind the same contract so the rest of the runtime can stay transport-agnostic:
- authenticate/3 verifies raw transport credentials and returns a normalized auth result
Runtime Shape
The runtime does not store provider-specific state directly on the context.
Instead it stores a normalized %FastestMCP.Auth.Result{} with:
- principal
- auth
- capabilities
That keeps the rest of the execution path independent from whether the source was a Phoenix assign, Plug middleware, static token, or application-owned authenticator.
Types
Callbacks
@callback authenticate(input(), FastestMCP.Context.t(), map()) :: {:ok, Result.t() | map()} | {:error, FastestMCP.Error.t() | atom() | {atom(), String.t()}}
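An application-owned authenticator written against the callback above, as an added example that is not part of FastestMCP or its documentation. The module name, the `"token"` input key, the `:token` and `:capabilities` option keys, the error atoms and the atom-keyed return map are assumptions made for illustration; only the `authenticate/3` signature and the `principal`/`auth`/`capabilities` field names come from this page.

```elixir
defmodule MyApp.StaticTokenAuth do
  @moduledoc false
  # Added example, not FastestMCP source. Assumed: the presented token arrives
  # as input["token"], the third argument carries :token and :capabilities,
  # and a plain map with the Result field names is accepted as the :ok value.
  @behaviour FastestMCP.Auth

  @impl true
  def authenticate(input, _context, opts) do
    expected = Map.get(opts, :token)
    presented = if is_map(input), do: Map.get(input, "token")

    cond do
      # Fail closed when the server has no usable secret configured, so an
      # empty or missing setting can never match an empty credential.
      not is_binary(expected) or expected == "" ->
        {:error, {:server_error, "authenticator is not configured"}}

      not is_binary(presented) or presented == "" ->
        {:error, {:invalid_request, "missing token"}}

      not secure_equal?(presented, expected) ->
        {:error, {:invalid_token, "token rejected"}}

      true ->
        # Return only normalized fields; the raw secret is not copied into
        # the result, so it does not travel with the context.
        {:ok,
         %{
           principal: "static-token-client",
           auth: %{"scheme" => "static_token"},
           capabilities: Map.get(opts, :capabilities, [])
         }}
    end
  end

  # Hash both sides to a fixed length, then compare in constant time
  # (:crypto.hash_equals/2 needs OTP 25+ and equal-size binaries).
  defp secure_equal?(a, b) do
    :crypto.hash_equals(:crypto.hash(:sha256, a), :crypto.hash(:sha256, b))
  end
end
```

Every failure path returns one of the `{:error, ...}` shapes the callback allows, so the runtime never receives a partially populated result for a rejected credential.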
Functions
Builds an authenticator from one Plug/Phoenix assign.
The HTTP transport can copy selected conn.assigns into auth input under
"assigns". This helper turns one assign value into the normalized auth
result used by the runtime.
Builds a new value for this module from the supplied options.
Builds multiple normalized values.
Resolves the given input into the normalized runtime shape for this module.
Extracts the auth result stored on the context.
Builds the WWW-Authenticate header value for an auth error.