Prerequisites:
- Understanding of FrontMCP plugins (see Create a Plugin)
- A FrontMCP project with authentication configured
What You’ll Build
An authorization plugin that:
- Extends tool metadata to include required roles
- Filters the tool list based on user roles
- Works with any authentication provider
Step 1: Define Types and Metadata Extension
First, extend the tool metadata to include authorization requirements:
Step 2: Create the Authorization Plugin
Step 3: Apply to Your App
Register the plugin with your app:
Step 4: Add Authorization to Tools
Mark tools with their required roles:
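Steps 1 through 4 as one runnable illustration. This is an added example, not FrontMCP's own code and not the snippets this page originally carried: FrontMCP's plugin decorators and the registration of `ListToolsHook.Did('findTools')` are not reproduced, so the hook body is a plain function (`filterToolsForCaller`), the app is stood in for by a small `AuthorizedToolRegistry`, and the `authInfo` shape (`subject`, `roles`) and the sample tools are assumptions. What the page does specify, an `authorization.requiredRoles` field on the tool metadata compared against the caller's roles, is implemented as written, with AND semantics (every listed role must be held).

```typescript
// Added example: a role-based tool filter in the shape of the plugin this
// page describes. Only `authorization.requiredRoles`, `authInfo` and the
// 'findTools' hook come from the page; every other name is an assumption.

// Step 1: metadata extension. `authorization` is optional so tools that do
// not declare it keep their old behaviour (listed for everyone).
interface ToolAuthorization {
  requiredRoles?: string[]; // caller must hold every listed role (AND)
}

interface ToolMetadata {
  name: string;
  description: string;
  authorization?: ToolAuthorization;
}

// Assumed shape of the authenticated caller as the hook sees it.
interface AuthInfo {
  subject: string;
  roles: string[];
}

// Step 2: the role check. Matching is exact-string and case-sensitive, so
// "Admin" does not satisfy a requirement for "admin".
function hasRequiredRoles(tool: ToolMetadata, auth: AuthInfo | undefined): boolean {
  const required = tool.authorization?.requiredRoles ?? [];
  if (required.length === 0) return true; // unrestricted tool
  if (!auth) return false;                // restricted tool, anonymous caller
  const granted = new Set(auth.roles);
  return required.every((role) => granted.has(role));
}

// What a ListToolsHook.Did('findTools') handler does: it receives the tools
// already found plus the caller and returns the subset to expose.
function filterToolsForCaller(tools: ToolMetadata[], auth: AuthInfo | undefined): ToolMetadata[] {
  return tools.filter((tool) => hasRequiredRoles(tool, auth));
}

// Step 3: a stand-in for the app with the plugin applied. The real framework
// would call the hook for us; here listTools() does it explicitly.
class AuthorizedToolRegistry {
  private readonly tools: ToolMetadata[];

  constructor(tools: ToolMetadata[]) {
    this.tools = tools;
  }

  listTools(auth: AuthInfo | undefined): string[] {
    return filterToolsForCaller(this.tools, auth).map((t) => t.name);
  }
}

// Step 4: constructed sample tools marked with their required roles.
const sampleTools: ToolMetadata[] = [
  { name: 'get_weather', description: 'Public lookup' },
  { name: 'list_users', description: 'Read users', authorization: { requiredRoles: ['admin'] } },
  { name: 'delete_user', description: 'Remove a user', authorization: { requiredRoles: ['admin', 'security-officer'] } },
  { name: 'export_audit_log', description: 'Download audit log', authorization: { requiredRoles: ['auditor'] } },
];

const registry = new AuthorizedToolRegistry(sampleTools);

// Usage: the same registry answers differently per caller.
console.log(registry.listTools(undefined));                                             // ['get_weather']
console.log(registry.listTools({ subject: 'alice', roles: ['admin'] }));                // ['get_weather', 'list_users']
console.log(registry.listTools({ subject: 'bob', roles: ['admin', 'security-officer'] })); // ['get_weather', 'list_users', 'delete_user']
```

Note that an anonymous caller still sees every tool that declares no `requiredRoles`; that permissive default is what the Default to Deny practice later on the page suggests flipping for sensitive servers.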
Plugin hook intercepts
The
ListToolsHook.Did('findTools') hook runs after tools are found but before the response is sent.Filter by roles
The plugin checks each tool’s
authorization.requiredRoles against the user’s roles from authInfo.Advanced: Multiple Roles
Require multiple roles for sensitive operations:Advanced: OR Logic for Roles
Modify the plugin to support OR logic:Testing Authorization
Best Practices
Hide vs. Deny
This plugin hides unauthorized tools from the list. Users won’t see tools they can’t use, which gives a cleaner UX, but hiding is not enforcement: a client that already knows a tool’s name can still try to call it. For real protection, also validate roles when the tool is executed.
Role Naming Conventions
Use clear, consistent role names:
Default to Deny
For sensitive applications, flip the default so that a tool with no authorization metadata is hidden rather than listed:
Combine with Execution Hooks
For defense in depth, check roles again when a tool is executed, not only when the list is built:
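The Default to Deny and Combine with Execution Hooks practices together, as an added example rather than FrontMCP code: a `defaultPolicy` option that flips tools with no authorization metadata from listed to hidden (with an assumed `public: true` marker to opt individual tools back in), and an execution-time guard that reruns the same decision before a tool's handler runs. The option and field names, the `Identity` shape, the guard function and the sample tools are all assumptions; the page only says to flip the default and to check roles during execution.

```typescript
// Added example, not FrontMCP code: default-deny listing plus an
// execution-time guard that uses the same decision function.
interface GuardedTool {
  name: string;
  authorization?: { requiredRoles?: string[]; public?: boolean }; // `public` is assumed
  run: (args: Record<string, unknown>) => unknown; // stands in for the tool's handler
}

interface Identity {
  subject: string;
  roles: string[];
}

interface PolicyOptions {
  defaultPolicy: 'allow' | 'deny'; // fate of tools that declare no roles
}

class AuthorizationError extends Error {
  constructor(tool: string, subject: string) {
    super(`${subject} is not authorized to call ${tool}`);
    this.name = 'AuthorizationError';
    Object.setPrototypeOf(this, AuthorizationError.prototype); // keeps instanceof working when compiled to ES5
  }
}

// One decision function, used both for listing and for execution.
function isAuthorized(tool: GuardedTool, who: Identity | undefined, opts: PolicyOptions): boolean {
  const auth = tool.authorization;
  const required = auth?.requiredRoles ?? [];
  if (required.length === 0) {
    // No roles declared: visible only under a permissive policy, or if the
    // tool was explicitly marked public.
    return opts.defaultPolicy === 'allow' || auth?.public === true;
  }
  if (!who) return false;
  const held = new Set(who.roles);
  return required.every((r) => held.has(r));
}

// The list filter (what the findTools hook would apply).
function listVisible(tools: GuardedTool[], who: Identity | undefined, opts: PolicyOptions): string[] {
  return tools.filter((t) => isAuthorized(t, who, opts)).map((t) => t.name);
}

// The execution guard: hiding a tool from the list does not stop a client
// that already knows its name, so the decision is re-run at call time.
function callTool(
  tools: GuardedTool[],
  name: string,
  who: Identity | undefined,
  args: Record<string, unknown>,
  opts: PolicyOptions,
): unknown {
  const tool = tools.find((t) => t.name === name);
  if (!tool) throw new Error(`unknown tool: ${name}`);
  if (!isAuthorized(tool, who, opts)) throw new AuthorizationError(name, who?.subject ?? 'anonymous');
  return tool.run(args);
}

// Constructed sample: a tool whose author forgot to declare roles, an
// explicitly public tool, and an admin-only tool.
const guardedTools: GuardedTool[] = [
  { name: 'echo', run: (a) => a.text },
  { name: 'health', authorization: { public: true }, run: () => 'ok' },
  { name: 'reset_password', authorization: { requiredRoles: ['admin'] }, run: (a) => `reset ${a.user}` },
];

const permissive: PolicyOptions = { defaultPolicy: 'allow' };
const strict: PolicyOptions = { defaultPolicy: 'deny' };

// What a caller sees under each policy, and whether a direct call to the
// admin-only tool is stopped by the execution guard.
function demo(who: Identity | undefined): { permissive: string[]; strict: string[]; directCallBlocked: boolean } {
  let directCallBlocked = false;
  try {
    callTool(guardedTools, 'reset_password', who, { user: 'alice' }, strict);
  } catch (e) {
    directCallBlocked = e instanceof Error && e.name === 'AuthorizationError';
  }
  return {
    permissive: listVisible(guardedTools, who, permissive),
    strict: listVisible(guardedTools, who, strict),
    directCallBlocked,
  };
}

console.log(demo(undefined));                                   // strict: ['health'], blocked
console.log(demo({ subject: 'support', roles: ['support'] }));  // strict: ['health'], blocked
console.log(demo({ subject: 'root', roles: ['admin'] }));       // strict: ['health', 'reset_password'], not blocked
```

Under the strict policy the forgotten `echo` tool disappears for everyone until someone either assigns it roles or marks it public, which is the point of defaulting to deny: an omission fails closed instead of open.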
Next Steps
- Site-Scoped Authorization: multi-tenant authorization patterns
- Authentication Modes: configure authentication for your server
- Plugin Development: build more custom plugins
- Testing Guide: test authorization scenarios