Dynamic Tool Filtering Based on User Authentication

Open olarcherc24 opened this issue 8 months ago • 2 comments

Problem

I'm trying to restrict the exposed tools dynamically based on the requesting user.

For example, assume I have two exposed tools:

  • get_user_data
  • delete_user

Then if the client authenticates with API key xxx they should see both endpoints, but with API key yyy only get_user_data.

Current Limitation

From my understanding, the only way to limit the exposed operations is to use include_operations when setting up the MCP server:

mcp = FastApiMCP(app, include_operations=["get_user_data"])

However, this appears to be a static setting that applies to the entire server / all clients.

Question

Is there any way to control this behavior dynamically?

I need different API keys to see different sets of tools, but include_operations seems to be a server-wide configuration rather than a per-client setting.

Use Case

  • API key ADMIN_KEY should see: get_user_data, delete_user
  • API key USER_KEY should see: get_user_data only

Currently, I can authenticate at the FastAPI endpoint level, but I need similar filtering for which MCP tools are exposed to each authenticated client.

olarcherc24 avatar Jun 11 '25 17:06 olarcherc24

@olarcherc24 have you found a way to do this?

villqrd avatar Jul 01 '25 13:07 villqrd

Can we implement logic like this:

  • There would be another parameter for role_map, which will contain a dictionary of different roles and their allowed tools/APIs.
  • The role should be stored in the request.state using a middleware.
  • The fastapi-mcp would filter using this request object and the tools.

I can start contributing on it if we agree on the approach.

mukeshpanch14 avatar Jul 14 '25 20:07 mukeshpanch14
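
The role_map approach proposed above, written framework-independently as an added example; it is not code from fastapi-mcp or from any commenter. The key values, role names, `ROLE_MAP` and all function names are assumptions, and the role that middleware would place on `request.state` is passed here as a plain argument. The same map is applied when a tool is invoked, since hiding a tool from the listing does not by itself stop a client from calling it.

```python
import hashlib
import hmac

# Constructed sample data: key values, role names and ROLE_MAP are assumptions.
def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

# Store digests of the keys, not the keys themselves.
KEY_ROLES = {_digest("ADMIN_KEY"): "admin", _digest("USER_KEY"): "user"}
ROLE_MAP = {
    "admin": {"get_user_data", "delete_user"},
    "user": {"get_user_data"},
}
ALL_TOOLS = ["get_user_data", "delete_user"]


def resolve_role(api_key):
    """Map an API key to a role; unknown or missing keys get no role."""
    if not api_key:
        return None
    presented = _digest(api_key)
    role = None
    for known, name in KEY_ROLES.items():
        # compare_digest keeps the comparison time independent of the match position
        if hmac.compare_digest(presented, known):
            role = name
    return role


def visible_tools(role):
    """Tools to return from a tool-listing request for this role."""
    allowed = ROLE_MAP.get(role, set())  # deny by default
    return [t for t in ALL_TOOLS if t in allowed]


def authorize_call(role, tool):
    """Enforce the same map when a tool is invoked, not only when listed."""
    if tool not in ROLE_MAP.get(role, set()):
        raise PermissionError(f"role {role!r} may not call {tool!r}")
    return True
```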