mudraid-middleware is how a platform protects its API. It’s middleware for FastAPI and Starlette: you add it once, point it at your mudraid_scopes.yaml, and every request is checked for a valid token and the right scope before it reaches your handlers.
No decorators. No per-route auth code. No changes to your existing route files.
When to use it
Use the middleware on the platform side — in the API that agents call. If you’re building the agent that makes calls, you want the Python Agent SDK instead.
What it does per request
- Matches the method and path against the rules in mudraid_scopes.yaml.
- Lets public routes through untouched.
- Returns 404 for skip routes and routes with no rule — they’re invisible to agents.
- Reads the Authorization: Bearer token.
- Verifies the token’s signature, issuer, audience, and timing against MudraID’s published keys — locally, with no per-request callback. Keys are cached and refreshed automatically when MudraID rotates them.
- Checks the route’s required scope is present in the token.
- Forwards to your handler, or returns a structured {"error_code", "message"} error.
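The gating order in the list above, as an added sketch that is not mudraid-middleware's own code. The rule keys, the space-delimited scope claim, and the 401/403 statuses and error_code strings are assumptions made for illustration; token verification is taken as already done and is represented by the claims argument.

```python
import re

# Constructed rule table standing in for a parsed mudraid_scopes.yaml.
# The keys ("method", "path", "public", "skip", "scope") are assumed;
# the real file's schema is not shown on this page.
RULES = [
    {"method": "GET",  "path": "/health",            "public": True},
    {"method": "GET",  "path": "/internal/metrics",  "skip": True},
    {"method": "GET",  "path": "/orders/{order_id}", "scope": "orders:read"},
    {"method": "POST", "path": "/orders",            "scope": "orders:write"},
]

def _compile(template):
    # "{name}" matches exactly one path segment; everything else is literal.
    parts = re.split(r"(\{[^/{}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile(body)

def match_rule(method, path, rules=RULES):
    # First rule whose method and whole path match, else None.
    for rule in rules:
        if rule["method"] == method.upper() and _compile(rule["path"]).fullmatch(path):
            return rule
    return None

def decide(method, path, claims, rules=RULES):
    """Return None to forward to the handler, else (status, error_code).

    claims is the dict from a token whose signature, issuer, audience and
    timing have already verified, or None if there was no valid token.
    """
    rule = match_rule(method, path, rules)
    if rule is not None and rule.get("public"):
        return None                          # public routes pass untouched
    if rule is None or rule.get("skip"):
        return 404, "not_found"              # default deny: unlisted is invisible
    if claims is None:
        return 401, "invalid_token"          # assumed status and code
    granted = set(claims.get("scope", "").split())
    if rule["scope"] not in granted:
        return 403, "insufficient_scope"     # assumed status and code
    return None
```

A route with no rule gets 404 even when the caller holds a valid token, so adding a handler without a matching rule does not expose it.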
Install
pyjwt[crypto], cryptography, httpx, pyyaml, and starlette.
During the v0.1 alpha the package isn’t on PyPI yet. From the repo root:
pip install -e sdks/mudraid-middleware-python
Performance
The middleware verifies tokens locally, so the steady-state cost is small. Measured overhead over a bare FastAPI handler with a warm key cache:

| Route type | p50 | p99 | Added vs bare app (p50) |
|---|---|---|---|
| public: true | 527 µs | 811 µs | +130 µs |
| Scope-gated | 722 µs | 1403 µs | +310 µs |
Next
- Configuration — settings & defaults.
- Error responses — the stable error_code contract.
- Operator playbook — running it day to day.
- Quickstart — a guided first integration.

