RUNLOCALAI · v38
Independently operated catalog for local-AI hardware and software. Hand-written verdicts. Source-cited claims. Reproducible commands when we have them.

OP·Fredoline Eruo
© 2026 runlocalai.co · Independently operated
MCP Server Implementation

15. Authorization Scopes

Chapter 15 of 22 · 20 min
KEY INSIGHT

Authentication identifies who you are; authorization determines what you can do. Scope-based access control limits tool exposure based on verified identity. Define scopes that map to tool capabilities. Fine-grained scopes enable the principle of least privilege:

```python
SCOPES = {
    "files:read": ["read_file", "list_directory", "search_files"],
    "files:write": ["write_file", "delete_file", "create_directory"],
    "files:admin": ["files:read", "files:write", "format_disk"],
    "database:query": ["execute_select", "list_tables"],
    "database:mutate": ["database:query", "execute_insert", "execute_update"],
    "admin": ["*"],  # All scopes
}


def check_scope(token_scopes: list[str], required_tool: str) -> bool:
    """Return True if one of the token's scopes grants the tool directly.

    Implied scopes (e.g. files:admin -> files:read) are not followed here;
    expand the token's scopes first (see expand_scopes below).
    """
    for scope in token_scopes:
        allowed = SCOPES.get(scope, [])
        if required_tool in allowed or scope == "admin":
            return True
    return False
```

Enforce scopes at the tool level:

```python
from functools import wraps

# Request/HTTPException as provided by the FastAPI or Starlette transport layer
from fastapi import HTTPException, Request


def require_scopes(*required: str):
    """Decorator to enforce authorization scopes on a tool."""
    def decorator(func):
        @wraps(func)
        async def wrapper(request: Request, *args, **kwargs):
            token = getattr(request.state, "token", None)  # Set by auth middleware
            if not token:
                raise HTTPException(401, "Authentication required")
            # Honour implied scopes so files:admin also satisfies files:write
            token_scopes = expand_scopes(token.get("scopes", []))
            tool_name = func.__name__
            # Every scope named in the decorator must be held (admin implies all),
            # and the scope catalogue must actually grant this tool.
            missing = [s for s in required
                       if s not in token_scopes and "admin" not in token_scopes]
            if missing or not check_scope(token_scopes, tool_name):
                raise HTTPException(403, f"Scope required for {tool_name}: {', '.join(required)}")
            return await func(request, *args, **kwargs)
        return wrapper
    return decorator


# `mcp` is the MCP server instance set up in the earlier chapters
@mcp.tool()
@require_scopes("files:write")
async def write_file(request: Request, path: str, content: str) -> dict:
    # Implementation
    ...
```

Hierarchical scopes simplify management. A scope like `files:admin` implies `files:read` and `files:write`:

```python
def expand_scopes(requested_scopes: list[str]) -> set[str]:
    """Expand scopes to include all implied scopes, transitively."""
    expanded: set[str] = set()
    to_process = list(requested_scopes)
    while to_process:
        scope = to_process.pop()
        if scope in expanded:
            continue
        expanded.add(scope)
        # Entries of SCOPES that are themselves scope names are implications,
        # e.g. "files:admin" -> ["files:read", "files:write"]
        implied = [s for s in SCOPES.get(scope, []) if s in SCOPES]
        to_process.extend(implied)
    return expanded
```

Resource-level authorization adds another dimension. Beyond checking scope, verify the specific resource:

```python
import re


def check_resource_permission(
    user: dict, action: str, resource: str
) -> bool:
    # Check explicit grants
    if resource in user.get("allowed_resources", []):
        return True
    # Check pattern-based grants. fullmatch, not match: a grant for
    # "/data/public" must not also cover "/data/public_secrets" by prefix.
    for pattern in user.get("resource_patterns", []):
        if re.fullmatch(pattern, resource):
            return True
    return False
```
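The pieces above fit together as one deny-by-default authorizer. The following is an added example, not code from the course: it combines transitive scope expansion, a wildcard `admin` scope, tool-level and resource-level checks, and a `read_report` tool that returns a summary to limited callers and full rows to elevated ones (the behaviour the chapter exercise asks for). The scope catalogue, the `Principal` and `Decision` types, the `authorize` function and the `REPORTS` data are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed scope catalogue for this example (not the chapter's SCOPES):
# each entry lists tool names and/or other scopes that it implies.
SCOPES = {
    "reports:read": ["read_report", "list_reports"],
    "reports:export": ["reports:read", "export_report"],
    "reports:admin": ["reports:export", "delete_report"],
    "admin": ["*"],  # wildcard: every tool in the catalogue
}


def expand_scopes(granted: list[str]) -> set[str]:
    """Transitively expand granted scopes through the catalogue."""
    expanded: set[str] = set()
    todo = list(granted)
    while todo:
        scope = todo.pop()
        if scope in expanded or scope not in SCOPES:
            continue  # unknown scopes are dropped, never treated as grants
        expanded.add(scope)
        todo.extend(s for s in SCOPES[scope] if s in SCOPES)
    return expanded


def all_tools() -> set[str]:
    """Every concrete tool name in the catalogue (what "*" stands for)."""
    return {t for entries in SCOPES.values() for t in entries
            if t not in SCOPES and t != "*"}


def allowed_tools(granted: list[str]) -> set[str]:
    """Tools reachable from the expanded scope set."""
    tools: set[str] = set()
    for scope in expand_scopes(granted):
        tools.update(t for t in SCOPES[scope] if t not in SCOPES)
    return all_tools() if "*" in tools else tools


@dataclass
class Principal:
    """What the auth middleware established: scopes plus resource grants."""
    scopes: list[str]
    resource_patterns: list[str] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, tool: str,
              resource: Optional[str] = None) -> Decision:
    """Deny by default: the tool must be in scope and, when a resource is
    named, it must fully match one of the principal's grants."""
    if tool not in allowed_tools(principal.scopes):
        return Decision(False, f"no scope grants tool {tool!r}")
    if resource is not None:
        # fullmatch, not match: the grant "reports/q1" must not also
        # authorize "reports/q1-confidential" by prefix.
        if not any(re.fullmatch(p, resource) for p in principal.resource_patterns):
            return Decision(False, f"resource {resource!r} not granted")
    return Decision(True, "ok")


# Constructed sample data standing in for a real report store.
REPORTS = {
    "reports/q1": {"title": "Q1 sales", "total": 120000,
                   "rows": [{"region": "EU", "amount": 70000},
                            {"region": "US", "amount": 50000}]},
}


def read_report(principal: Principal, report_id: str) -> dict:
    """Scope-dependent behaviour: limited callers get a summary; callers
    holding reports:export (directly or implied) get the full rows."""
    decision = authorize(principal, "read_report", report_id)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    report = REPORTS[report_id]
    if "reports:export" in expand_scopes(principal.scopes):
        return report
    return {"title": report["title"], "total": report["total"]}
```

Two design points carry over to any MCP server: unknown scope strings in a token are ignored rather than treated as grants, so a typo can never widen access, and resource grants are anchored with `re.fullmatch`, so a pattern can only ever match the whole resource identifier.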

Local verification checkpoint

Run the smallest example from this chapter in a local workspace and record the package version, runtime, data path, and observed output. If the result depends on model size, vector count, CPU/GPU backend, or available memory, note that constraint beside the exercise so the lesson remains reproducible.

EXERCISE

Design an authorization system with at least four scope levels. Implement a tool that behaves differently based on scope; for instance, returning summaries for limited users but full data for elevated users. Write tests verifying each scope level.
