FastAPI MCP Server: Turn OpenAPI into Hosted MCP
Turn a FastAPI OpenAPI schema into a hosted MCP server. Connect /openapi.json, configure API auth, restrict methods, and test the MCP link.
The short answer
You do not need to rewrite a FastAPI application as a custom MCP server just to expose its existing REST operations to an AI client.
FastAPI generates an OpenAPI schema for the application. By default, that schema is available at /openapi.json, while Swagger UI is served at /docs and ReDoc at /redoc. A hosted OpenAPI-to-MCP layer can read that contract, publish a remote MCP endpoint, and forward approved calls to the FastAPI API.
datamcp follows that approach. It is not a native FastAPI plugin and does not run inside your Python process. It connects to the public OpenAPI 3.x schema, exposes four discovery and execution tools through MCP, stores a supported upstream API credential on the connection, and applies the MCP link's HTTP-method policy before forwarding a call.
The resulting path is:
FastAPI application → OpenAPI schema → DataMCP link → Cursor, Claude, ChatGPT, or VS Code
This guide shows the complete setup and the FastAPI-specific problems to check before connecting a production API.
Why FastAPI and MCP fit together
FastAPI already describes paths, parameters, request bodies, response models, and security schemes with OpenAPI. The official FastAPI first-steps guide explains that this generated schema powers both Swagger UI and ReDoc.
MCP solves a different part of the stack. It gives an AI client a standard way to discover tools and call them. An OpenAPI-to-MCP gateway connects the two contracts:
| Layer | Responsibility |
|---|---|
| FastAPI | Implements the API and enforces application authorization |
| OpenAPI | Describes the available HTTP operations and schemas |
| datamcp | Hosts the remote MCP endpoint, injects supported upstream credentials, and applies link policy |
| AI client | Discovers the MCP tools and requests an approved operation |
This conversion works best when the existing REST operations are already sensible AI actions. If the useful tool needs to combine several endpoints, perform domain-specific transformations, or execute a workflow that does not exist in the API, build a custom MCP server instead.
Before you connect FastAPI to MCP
Confirm four things first:
- The deployed FastAPI service is reachable from the public internet.
- Its OpenAPI 3.x schema is enabled and publicly fetchable.
- The schema points to the correct public API base URL.
- The API accepts a supported credential that datamcp can attach to upstream calls.
datamcp can store an API key, a pre-issued Bearer token, an HTTP Basic credential, optional custom headers, or no upstream credential. It does not currently sign in to a private documentation endpoint, run an upstream OAuth authorization flow, or refresh an expired upstream token.
Step 1: Find the FastAPI OpenAPI URL
For a default FastAPI application deployed at https://api.example.com, use:
https://api.example.com/openapi.json
You can verify it before opening datamcp:
curl -fsS https://api.example.com/openapi.json | jq '.openapi, .info.title, (.paths | length)'
The response should be JSON with an openapi version, an info object, and a paths object.
FastAPI lets an application change the default path:
from fastapi import FastAPI
app = FastAPI(openapi_url="/api/v1/openapi.json")
In that case, connect https://api.example.com/api/v1/openapi.json. The FastAPI metadata documentation also notes that setting openapi_url=None disables the OpenAPI schema and the documentation interfaces that depend on it.
datamcp can also attempt to extract the embedded schema from a public Swagger UI or ReDoc page. The raw JSON URL is preferable because it removes one discovery step and is easier to test independently.
Step 2: Check the public server URL
An OpenAPI schema can be valid while still pointing clients at the wrong host or path prefix.
This is common when FastAPI runs behind Nginx, Traefik, an API gateway, or a platform that mounts the application under /api/v1. FastAPI's proxy documentation explains how root_path and the OpenAPI servers list represent that public prefix.
Inspect the generated value:
curl -fsS https://api.example.com/openapi.json | jq '.servers'
Then test one harmless operation against the public URL. Do not assume a schema generated correctly on localhost will call the correct production host after deployment.
If the schema has no servers entry, confirm that the gateway can resolve the intended base URL from the schema location. If it has a relative server such as /api/v1, verify that the prefix is correct from outside your private network.
Step 3: Decide how upstream authentication works
FastAPI security dependencies can add API key, HTTP, OAuth2, and OpenID Connect declarations to OpenAPI. The official FastAPI security guide describes how those schemes become part of the generated schema.
That declaration does not automatically give an MCP gateway a valid credential. Configure the actual credential separately in datamcp:
| FastAPI API expects | datamcp connection option |
|---|---|
| Public endpoint | None |
| Static application key | API key in a header, query parameter, or cookie |
| Existing access token | Bearer token |
| Username and password | HTTP Basic |
| Additional fixed routing or tenant header | Custom header |
Keep the two authentication boundaries separate:
- the AI client authenticates to the datamcp MCP endpoint with a datamcp API key or supported OAuth flow
- datamcp authenticates to FastAPI with the credential stored on the OpenAPI connection
If each end user must complete a FastAPI OAuth login and receive a different short-lived token, the current static upstream-credential model is not the right fit. datamcp can store a pre-issued Bearer token, but token issuance, refresh, and rotation remain external.
Step 4: Add FastAPI as an OpenAPI connection
In the datamcp dashboard, create a new connection and choose OpenAPI.
- Paste the public
/openapi.jsonURL. - Let datamcp validate the document and identify its operations.
- Choose the upstream authentication method.
- Add the API key, Bearer token, Basic credential, or custom headers required by FastAPI.
- Save the connection.
datamcp reads the API contract at runtime. It does not add a Python dependency, modify the FastAPI repository, or deploy code into the API process.
Step 5: Create a Read Only or Full Access MCP link
An OpenAPI connection currently supports two MCP link access modes:
- Read Only permits
GETandHEAD - Full Access permits visible operations across the configured HTTP methods, subject to FastAPI's own authorization
Start with Read Only unless the workflow genuinely needs writes. Endpoint visibility can further hide individual operations from MCP discovery and execution.
Read Only is a method gate, not a guarantee that every FastAPI GET route is safe. A poorly designed GET endpoint can mutate state, expose sensitive objects, or trigger expensive work. Keep object-level authorization, tenant checks, rate limits, and response bounds inside FastAPI.
Step 6: Connect an MCP client and test discovery
Open the MCP link's Setup Guide in datamcp and copy the configuration for the target client. The same FastAPI-backed remote endpoint can be configured in Cursor, Claude, ChatGPT, VS Code, or another client that supports the required remote MCP transport and authentication flow.
Test discovery before execution:
List the visible API operations. Do not call any endpoint.
Then inspect one operation:
Show the parameters, request body, response models, and security requirements for
GET /orders/{order_id}. Do not call it.
Finally, call a bounded non-sensitive endpoint and verify the result against FastAPI's own access logs. OpenAPI endpoint calls are not currently included in the datamcp PostgreSQL activity log.
The four MCP tools exposed for FastAPI
datamcp does not generate one MCP tool per FastAPI route. The OpenAPI connection exposes four schema-aware tools:
| MCP tool | Purpose |
|---|---|
list_api_endpoints | List the operations visible to the MCP link |
get_endpoint_details | Inspect parameters, request bodies, and responses for one operation |
get_api_schema | Read OpenAPI component schemas |
call_endpoint | Call one approved operation with the configured upstream credential |
This keeps a large FastAPI application from flooding the client's tool list with hundreds of route-specific MCP tools. The client discovers an operation before requesting its details or calling it.
FastAPI MCP troubleshooting
| Problem | What to check |
|---|---|
/openapi.json returns 404 | Check whether openapi_url was changed or disabled |
| The schema works locally but not in datamcp | A hosted service cannot fetch localhost or a private-only hostname |
| Swagger UI works but the raw URL is unknown | Open the browser network panel or inspect the configured openapi_url |
| Calls use the wrong path prefix | Review FastAPI root_path, proxy configuration, and OpenAPI servers |
| Every protected call returns 401 | Verify the stored API key, Bearer token, Basic credential, and header name |
| A token worked and then expired | Replace the pre-issued Bearer token; automatic upstream OAuth refresh is not available |
| A POST route is missing or denied | Confirm the link is Full Access and the operation is visible |
| A GET route exposes too much data | Fix FastAPI authorization and response design; MCP method filtering is not object authorization |
Hosted conversion or custom FastAPI MCP code?
Use hosted OpenAPI conversion when:
- the FastAPI routes already match the actions the AI client needs
- the OpenAPI schema is accurate and publicly fetchable
- one supported upstream credential can represent the gateway
- Read Only or Full Access plus endpoint visibility provides enough control
- you do not want to deploy another MCP runtime
Build custom MCP code when:
- one useful tool must orchestrate several FastAPI endpoints
- the tool needs Python-only business logic that is not exposed as REST
- each user needs a separate upstream OAuth flow
- the server must run inside a private network
- you need MCP resources, prompts, or a deliberately redesigned tool surface
Production checklist
- Use the deployed FastAPI OpenAPI URL, not localhost
- Verify the public
serversURL and proxy path prefix - Expose only the operations the AI client needs
- Start the MCP link in Read Only mode
- Use a least-privilege upstream credential
- Keep authorization and tenant checks inside FastAPI
- Bound response sizes and expensive operations
- Review FastAPI or API-gateway logs for upstream calls
- Test a denied write before granting Full Access
- Document how to revoke the MCP link and rotate the upstream credential
FastAPI already gives you the OpenAPI contract. datamcp can turn that contract into a hosted MCP link without adding another service to the Python deployment. Review the OpenAPI to MCP product flow, confirm supported credentials in the OpenAPI authentication guide, and keep the OpenAPI connection documentation open during setup. The broader Swagger to MCP guide covers validation and client configuration.
Related articles
How to Make a REST API Read-Only for AI Agents
Make a REST API read-only for AI agents with method filtering, endpoint visibility, least-privilege credentials, rate limits, approvals, and audit logs.
ComparisonOpenAPI to MCP vs Custom MCP Server: How to Choose
Compare OpenAPI-to-MCP conversion with a custom MCP server across tool design, authentication, workflows, hosting, maintenance, security, and cost.
Already have an OpenAPI contract?
Connect the specification and publish a hosted MCP endpoint without maintaining custom server code.
Create OpenAPI MCP linkExplore OpenAPI to MCP · Questions? Read the docs or view pricing.