|Tutorial

FastAPI MCP Server: Turn OpenAPI into Hosted MCP

Turn a FastAPI OpenAPI schema into a hosted MCP server. Connect /openapi.json, configure API auth, restrict methods, and test the MCP link.

Andrei
Founder of datamcp

The short answer

You do not need to rewrite a FastAPI application as a custom MCP server just to expose its existing REST operations to an AI client.

FastAPI generates an OpenAPI schema for the application. By default, that schema is available at /openapi.json, while Swagger UI is served at /docs and ReDoc at /redoc. A hosted OpenAPI-to-MCP layer can read that contract, publish a remote MCP endpoint, and forward approved calls to the FastAPI API.

datamcp follows that approach. It is not a native FastAPI plugin and does not run inside your Python process. It connects to the public OpenAPI 3.x schema, exposes four discovery and execution tools through MCP, stores a supported upstream API credential on the connection, and applies the MCP link's HTTP-method policy before forwarding a call.

The resulting path is:

FastAPI application → OpenAPI schema → DataMCP link → Cursor, Claude, ChatGPT, or VS Code

This guide shows the complete setup and the FastAPI-specific problems to check before connecting a production API.

Why FastAPI and MCP fit together

FastAPI already describes paths, parameters, request bodies, response models, and security schemes with OpenAPI. The official FastAPI first-steps guide explains that this generated schema powers both Swagger UI and ReDoc.

MCP solves a different part of the stack. It gives an AI client a standard way to discover tools and call them. An OpenAPI-to-MCP gateway connects the two contracts:

LayerResponsibility
FastAPIImplements the API and enforces application authorization
OpenAPIDescribes the available HTTP operations and schemas
datamcpHosts the remote MCP endpoint, injects supported upstream credentials, and applies link policy
AI clientDiscovers the MCP tools and requests an approved operation

This conversion works best when the existing REST operations are already sensible AI actions. If the useful tool needs to combine several endpoints, perform domain-specific transformations, or execute a workflow that does not exist in the API, build a custom MCP server instead.

Before you connect FastAPI to MCP

Confirm four things first:

  1. The deployed FastAPI service is reachable from the public internet.
  2. Its OpenAPI 3.x schema is enabled and publicly fetchable.
  3. The schema points to the correct public API base URL.
  4. The API accepts a supported credential that datamcp can attach to upstream calls.

datamcp can store an API key, a pre-issued Bearer token, an HTTP Basic credential, optional custom headers, or no upstream credential. It does not currently sign in to a private documentation endpoint, run an upstream OAuth authorization flow, or refresh an expired upstream token.

Step 1: Find the FastAPI OpenAPI URL

For a default FastAPI application deployed at https://api.example.com, use:

https://api.example.com/openapi.json

You can verify it before opening datamcp:

curl -fsS https://api.example.com/openapi.json | jq '.openapi, .info.title, (.paths | length)'

The response should be JSON with an openapi version, an info object, and a paths object.

FastAPI lets an application change the default path:

from fastapi import FastAPI

app = FastAPI(openapi_url="/api/v1/openapi.json")

In that case, connect https://api.example.com/api/v1/openapi.json. The FastAPI metadata documentation also notes that setting openapi_url=None disables the OpenAPI schema and the documentation interfaces that depend on it.

datamcp can also attempt to extract the embedded schema from a public Swagger UI or ReDoc page. The raw JSON URL is preferable because it removes one discovery step and is easier to test independently.

Step 2: Check the public server URL

An OpenAPI schema can be valid while still pointing clients at the wrong host or path prefix.

This is common when FastAPI runs behind Nginx, Traefik, an API gateway, or a platform that mounts the application under /api/v1. FastAPI's proxy documentation explains how root_path and the OpenAPI servers list represent that public prefix.

Inspect the generated value:

curl -fsS https://api.example.com/openapi.json | jq '.servers'

Then test one harmless operation against the public URL. Do not assume a schema generated correctly on localhost will call the correct production host after deployment.

If the schema has no servers entry, confirm that the gateway can resolve the intended base URL from the schema location. If it has a relative server such as /api/v1, verify that the prefix is correct from outside your private network.

Step 3: Decide how upstream authentication works

FastAPI security dependencies can add API key, HTTP, OAuth2, and OpenID Connect declarations to OpenAPI. The official FastAPI security guide describes how those schemes become part of the generated schema.

That declaration does not automatically give an MCP gateway a valid credential. Configure the actual credential separately in datamcp:

FastAPI API expectsdatamcp connection option
Public endpointNone
Static application keyAPI key in a header, query parameter, or cookie
Existing access tokenBearer token
Username and passwordHTTP Basic
Additional fixed routing or tenant headerCustom header

Keep the two authentication boundaries separate:

  • the AI client authenticates to the datamcp MCP endpoint with a datamcp API key or supported OAuth flow
  • datamcp authenticates to FastAPI with the credential stored on the OpenAPI connection

If each end user must complete a FastAPI OAuth login and receive a different short-lived token, the current static upstream-credential model is not the right fit. datamcp can store a pre-issued Bearer token, but token issuance, refresh, and rotation remain external.

Step 4: Add FastAPI as an OpenAPI connection

In the datamcp dashboard, create a new connection and choose OpenAPI.

  1. Paste the public /openapi.json URL.
  2. Let datamcp validate the document and identify its operations.
  3. Choose the upstream authentication method.
  4. Add the API key, Bearer token, Basic credential, or custom headers required by FastAPI.
  5. Save the connection.

datamcp reads the API contract at runtime. It does not add a Python dependency, modify the FastAPI repository, or deploy code into the API process.

An OpenAPI connection currently supports two MCP link access modes:

  • Read Only permits GET and HEAD
  • Full Access permits visible operations across the configured HTTP methods, subject to FastAPI's own authorization

Start with Read Only unless the workflow genuinely needs writes. Endpoint visibility can further hide individual operations from MCP discovery and execution.

Read Only is a method gate, not a guarantee that every FastAPI GET route is safe. A poorly designed GET endpoint can mutate state, expose sensitive objects, or trigger expensive work. Keep object-level authorization, tenant checks, rate limits, and response bounds inside FastAPI.

Step 6: Connect an MCP client and test discovery

Open the MCP link's Setup Guide in datamcp and copy the configuration for the target client. The same FastAPI-backed remote endpoint can be configured in Cursor, Claude, ChatGPT, VS Code, or another client that supports the required remote MCP transport and authentication flow.

Test discovery before execution:

List the visible API operations. Do not call any endpoint.

Then inspect one operation:

Show the parameters, request body, response models, and security requirements for GET /orders/{order_id}. Do not call it.

Finally, call a bounded non-sensitive endpoint and verify the result against FastAPI's own access logs. OpenAPI endpoint calls are not currently included in the datamcp PostgreSQL activity log.

The four MCP tools exposed for FastAPI

datamcp does not generate one MCP tool per FastAPI route. The OpenAPI connection exposes four schema-aware tools:

MCP toolPurpose
list_api_endpointsList the operations visible to the MCP link
get_endpoint_detailsInspect parameters, request bodies, and responses for one operation
get_api_schemaRead OpenAPI component schemas
call_endpointCall one approved operation with the configured upstream credential

This keeps a large FastAPI application from flooding the client's tool list with hundreds of route-specific MCP tools. The client discovers an operation before requesting its details or calling it.

FastAPI MCP troubleshooting

ProblemWhat to check
/openapi.json returns 404Check whether openapi_url was changed or disabled
The schema works locally but not in datamcpA hosted service cannot fetch localhost or a private-only hostname
Swagger UI works but the raw URL is unknownOpen the browser network panel or inspect the configured openapi_url
Calls use the wrong path prefixReview FastAPI root_path, proxy configuration, and OpenAPI servers
Every protected call returns 401Verify the stored API key, Bearer token, Basic credential, and header name
A token worked and then expiredReplace the pre-issued Bearer token; automatic upstream OAuth refresh is not available
A POST route is missing or deniedConfirm the link is Full Access and the operation is visible
A GET route exposes too much dataFix FastAPI authorization and response design; MCP method filtering is not object authorization

Hosted conversion or custom FastAPI MCP code?

Use hosted OpenAPI conversion when:

  • the FastAPI routes already match the actions the AI client needs
  • the OpenAPI schema is accurate and publicly fetchable
  • one supported upstream credential can represent the gateway
  • Read Only or Full Access plus endpoint visibility provides enough control
  • you do not want to deploy another MCP runtime

Build custom MCP code when:

  • one useful tool must orchestrate several FastAPI endpoints
  • the tool needs Python-only business logic that is not exposed as REST
  • each user needs a separate upstream OAuth flow
  • the server must run inside a private network
  • you need MCP resources, prompts, or a deliberately redesigned tool surface

Production checklist

  • Use the deployed FastAPI OpenAPI URL, not localhost
  • Verify the public servers URL and proxy path prefix
  • Expose only the operations the AI client needs
  • Start the MCP link in Read Only mode
  • Use a least-privilege upstream credential
  • Keep authorization and tenant checks inside FastAPI
  • Bound response sizes and expensive operations
  • Review FastAPI or API-gateway logs for upstream calls
  • Test a denied write before granting Full Access
  • Document how to revoke the MCP link and rotate the upstream credential

FastAPI already gives you the OpenAPI contract. datamcp can turn that contract into a hosted MCP link without adding another service to the Python deployment. Review the OpenAPI to MCP product flow, confirm supported credentials in the OpenAPI authentication guide, and keep the OpenAPI connection documentation open during setup. The broader Swagger to MCP guide covers validation and client configuration.

FastAPIMCPOpenAPIPythonREST API

Already have an OpenAPI contract?

Connect the specification and publish a hosted MCP endpoint without maintaining custom server code.

Create OpenAPI MCP link

Explore OpenAPI to MCP · Questions? Read the docs or view pricing.