Getting Started with AuthSec SDK
This guide will help you set up AuthSec SDK in your MCP server in just 5 minutes.
Installation
Install the SDK using pip:
pip install git+https://github.com/authsec-ai/sdk-authsec.git
Setup Steps
1. Get Your Client Credentials
- Sign up at AuthSec Dashboard
- Create a new application (MCP)
- Copy your
client_id - Configure your authentication methods for users
- Configure RBAC rules (roles, scopes, resources)
2. Create Your Secure MCP Server
# server.py
from authsec_sdk import protected_by_AuthSec, run_mcp_server_with_oauth
# Tool 1: Accessible to all authenticated users
@protected_by_AuthSec("hello")
async def hello(arguments: dict) -> list:
return [{
"type": "text",
"text": f"Hello, {arguments['_user_info']['email']}!"
}]
# Tool 2: Admin only
@protected_by_AuthSec("admin_panel", roles=["admin"])
async def admin_panel(arguments: dict) -> list:
return [{"type": "text", "text": "Admin panel accessed"}]
# Tool 3: Requires write permission
@protected_by_AuthSec("create_resource", scopes=["write"])
async def create_resource(arguments: dict) -> list:
name = arguments.get("name", "Unnamed")
return [{
"type": "text",
"text": f"Resource '{name}' created successfully!"
}]
# Start the server
if __name__ == "__main__":
run_mcp_server_with_oauth(
client_id="your-client-id-here",
app_name="My Secure MCP Server"
)
3. Run Your Server
python server.py
4. Test It Out
From your MCP Clients (MCP Inspector, VS Code, Claude, Windows, etc.):
User: Show me available tools
> Only OAuth tools are visible
User: Call oauth_start
> Returns session_id and authorization URL
User: [Opens URL and authenticates]
> Receives JWT token
User: Call oauth_authenticate with token
> Authentication successful!
> Protected tools now visible
User: Call hello
> "Hello, john@company.com!"
User: Call admin_panel
> "Admin panel accessed" (only if admin role)
User: Call create_resource with name="Project Alpha"
> "Resource 'Project Alpha' created!" (only if write scope)
Before vs After AuthSec SDK
Before: Insecure and Messy
# server.py
async def admin_dashboard(arguments: dict) -> list:
# ❌ No authentication - anyone can call this!
# ❌ No authorization - can't restrict by role!
# ❌ Credentials hardcoded - major security risk!
github_token = "ghp_hardcoded_token_in_my_code"
# Call GitHub API...
return [{"type": "text", "text": "Dashboard"}]
Problems:
- ❌ No authentication
- ❌ No authorization/RBAC
- ❌ Credentials in source code
- ❌ All tools always visible to everyone
- ❌ No audit trail
- ❌ No multi-tenancy
After: Secure and Clean
# server.py
from authsec_sdk import protected_by_AuthSec, ServiceAccessSDK
@protected_by_AuthSec("admin_dashboard", roles=["admin"])
async def admin_dashboard(arguments: dict, session) -> list:
# ✅ Authenticated - only valid users
# ✅ Authorized - only admins can access
# ✅ Credentials from Vault - secure!
services_sdk = ServiceAccessSDK(session)
github_token = await services_sdk.get_service_token("GitHub API")
# Call GitHub API...
return [{"type": "text", "text": "Dashboard"}]
Benefits:
- ✅ OAuth 2.0 authentication
- ✅ RBAC authorization
- ✅ Link any External-Service PROVIDER
- ✅ Credentials in Vault
- ✅ Tools hidden until authenticated
- ✅ Full audit trail
- ✅ Multi-tenant ready