Skip to content

Requirement

autogen.beta.mcp.security.Requirement dataclass #

Requirement(schemes, verifier, resource_url, required_scopes=(), resource_name=None, resource_documentation=None)

The OAuth 2.0 Resource Server security requirement for an MCP server.

Mirrors A2A's Requirement: it declares the auth a remote client must satisfy. Unlike A2A (which only advertises), an MCP server also enforces, so this carries the bring-your-own verifier and the required_scopes enforced on the MCP endpoint. :meth:to_metadata renders the raw RFC 9728 ProtectedResourceMetadata served at /.well-known/oauth-protected-resource (cf. A2A Requirement.to_proto).

The MCP server is purely an OAuth 2.1 Resource Server here: it advertises the trusted authorization server(s) and verifies tokens. Issuing tokens and serving authorization-server metadata stay with the external authorization server (out of scope per the MCP authorization spec).

Build via :func:require.

schemes instance-attribute #

schemes

verifier instance-attribute #

verifier

resource_url instance-attribute #

resource_url

required_scopes class-attribute instance-attribute #

required_scopes = ()

resource_name class-attribute instance-attribute #

resource_name = None

resource_documentation class-attribute instance-attribute #

resource_documentation = None

to_metadata #

to_metadata()

Render this requirement as RFC 9728 ProtectedResourceMetadata.

Source code in autogen/beta/mcp/security.py 
52
53
54
55
56
57
58
59
60
def to_metadata(self) -> ProtectedResourceMetadata:
    """Render this requirement as RFC 9728 ``ProtectedResourceMetadata``."""
    return ProtectedResourceMetadata(
        resource=AnyHttpUrl(self.resource_url),
        authorization_servers=[AnyHttpUrl(s.url) for s in self.schemes],
        scopes_supported=list(self.required_scopes) or None,
        resource_name=self.resource_name,
        resource_documentation=(AnyHttpUrl(self.resource_documentation) if self.resource_documentation else None),
    )