Build an Authenticated MCP Server

Objective

Build a Python class that implements JWT-based authentication and authorization for MCP tool access.

Requirements

Create a class AuthenticatedMCPServer that:

Generates tokens with generate_token(user_id: str, permissions: list) -> str:
- Creates a JWT with user_id and permissions
- Token expires in 1 hour
- Uses HS256 algorithm
Verifies tokens with verify_token(token: str) -> dict:
- Returns payload dict with user_id and permissions
- Raises ValueError if token is invalid or expired
Checks authorization with check_permission(token: str, required_permission: str) -> bool:
- Returns True if user has the required permission
- Returns False if permission denied
Protects tool calls with call_tool(token: str, tool_name: str, arguments: dict) -> dict:
- Uses this permission mapping:
  - read_data: ["user", "admin"]
  - write_data: ["admin"]
  - delete_data: ["admin"]
- Returns {"error": "unauthorized"} if no valid token
- Returns {"error": "forbidden"} if permission denied
- Returns {"success": True, "result": ...} if authorized

Example Usage

server = AuthenticatedMCPServer(secret_key="my-secret")

# Generate token for regular user
user_token = server.generate_token("user123", ["user"])

# Generate token for admin
admin_token = server.generate_token("admin456", ["admin"])

# User can read
result = server.call_tool(user_token, "read_data", {"id": 1})
# {"success": True, "result": {"id": 1}}

# User cannot write
result = server.call_tool(user_token, "write_data", {"data": "new"})
# {"error": "forbidden"}

# Admin can write
result = server.call_tool(admin_token, "write_data", {"data": "new"})
# {"success": True, "result": "written"}

Hints

Use the jwt library: import jwt
For expiration, use datetime.utcnow() + timedelta(hours=1)
Store secret_key as an instance variable

Instructions

Objective

Requirements

Example Usage

Hints

Grading Rubric

Your Solution