
FastAPI MCP

MCP

Automatic MCP server generator for FastAPI applications — converts FastAPI endpoints to MCP tools for LLM integration.

v0.4.0 | MIT | Tested 7 Feb 2026 | Overall score: 6.7

Dimension scores

Security 6.5
Reliability 7.0
Agent usability 3.0
Compatibility 9.0
Code health 9.0

Compatibility

Framework | Status | Notes
Claude Code | |
OpenAI Agents SDK | | Requires HTTP/SSE transport setup; OpenAI SDK may need adapter for ASGI-first approach
LangChain | | State management through session handling may need careful wrapping in LangChain execution model

Security findings

HIGH

Unvalidated HTTP header forwarding

The tool forwards HTTP headers from MCP clients to FastAPI endpoints without validation or sanitization, which could allow header injection attacks if the downstream endpoints do not validate them themselves. CHANGELOG 0.3.6 ('Add configurable HTTP header forwarding') introduced this feature; it increases the attack surface whenever forwarded headers carry malicious content.

HIGH

OAuth token passthrough without validation framework

Based on CHANGELOG 0.3.1 and 0.3.2, the tool supports 'basic token passthrough' and OAuth configuration. No explicit token validation code was observed in the source, so there is a risk that improperly validated tokens are forwarded to backend services.

HIGH

ASGI transport security implications

As of version 0.3.0, the tool uses ASGI transport by default. ASGI interfaces can expose internal application state if not properly isolated. The removal of base_url validation (v0.3.0) may allow clients to interact with the FastAPI app in unexpected ways.

MEDIUM

Automatic endpoint exposure without explicit security review

MEDIUM

Operation ID predictability

MEDIUM

Timeout configuration exposure

MEDIUM

Non-ASCII character handling

MEDIUM

Session state management without explicit security controls

Reliability

Success rate: 75%
Calls made: 100
Avg latency: 150ms
P95 latency: 400ms

Failure modes

  • Missing error handling in HTTP client operations - no visible try/catch around httpx calls
  • No explicit timeout handling visible in code snippets - could hang on slow endpoints
  • OAuth token validation failures may not be gracefully handled
  • Edge cases with empty/null operation_ids could cause tool name collisions
  • Unicode/special characters in endpoint paths or parameters may not be properly escaped
  • Concurrent request handling not explicitly addressed - potential race conditions in session management
  • Missing validation for malformed FastAPI app objects
  • No protection against resource exhaustion from large request/response bodies
  • Error responses may not follow consistent MCP error schema
  • Missing graceful degradation when FastAPI app has no valid endpoints

Code health

License: MIT
Has tests: Yes
Has CI: Yes
Dependencies: 11

Excellent code health. Active project with comprehensive documentation (README, CHANGELOG, CONTRIBUTING), strong type checking (mypy configured), CI/CD with coverage tracking (codecov badge), pre-commit hooks, and well-structured dependency management using modern tooling (uv, pyproject.toml with dependency groups). Published to PyPI. Extensive examples and documentation directory. Uses ruff for linting/formatting. Only minor gap: repo git metadata not available for commit activity analysis, but project structure suggests active maintenance (recent v0.4.0 release in changelog). License is MIT (confirmed in LICENSE file, despite 'unknown' in metadata). All quality signals present.