feat(server): allow standard FastAPI Security in routes

ianchi · ianchi · commit 901746027e5a · 2026-03-07T10:32:20.000-06:00
diff --git a/src/a2a/server/apps/jsonrpc/fastapi_app.py b/src/a2a/server/apps/jsonrpc/fastapi_app.py
@@ -1,6 +1,6 @@
 import logging
 
-from collections.abc import Awaitable, Callable
+from collections.abc import Awaitable, Callable, Sequence
 from typing import TYPE_CHECKING, Any
 
 
@@ -121,6 +121,7 @@ def add_routes_to_app(
         agent_card_url: str = AGENT_CARD_WELL_KNOWN_PATH,
         rpc_url: str = DEFAULT_RPC_URL,
         extended_agent_card_url: str = EXTENDED_AGENT_CARD_PATH,
+        dependencies: Sequence[Any] | None = None,
     ) -> None:
         """Adds the routes to the FastAPI application.
 
@@ -129,7 +130,16 @@ def add_routes_to_app(
             agent_card_url: The URL for the agent card endpoint.
             rpc_url: The URL for the A2A JSON-RPC endpoint.
             extended_agent_card_url: The URL for the authenticated extended agent card endpoint.
+            dependencies: Optional sequence of FastAPI dependencies (e.g.
+                `[Security(get_current_active_user, scopes=["a2a"])]`)
+                applied to the RPC endpoint and the authenticated extended
+                agent card endpoint. The public agent card endpoint is left
+                unprotected.
         """
+        route_deps: dict[str, Any] = {}
+        if dependencies:
+            route_deps['dependencies'] = list(dependencies)
+
         app.post(
             rpc_url,
             openapi_extra={
@@ -145,6 +155,7 @@ def add_routes_to_app(
                     'description': 'A2ARequest',
                 }
             },
+            **route_deps,
         )(self._handle_requests)
         app.get(agent_card_url)(self._handle_get_agent_card)
 
@@ -156,7 +167,7 @@ def add_routes_to_app(
             )
 
         if self.agent_card.supports_authenticated_extended_card:
-            app.get(extended_agent_card_url)(
+            app.get(extended_agent_card_url, **route_deps)(
                 self._handle_get_authenticated_extended_agent_card
             )
 
@@ -165,6 +176,7 @@ def build(
         agent_card_url: str = AGENT_CARD_WELL_KNOWN_PATH,
         rpc_url: str = DEFAULT_RPC_URL,
         extended_agent_card_url: str = EXTENDED_AGENT_CARD_PATH,
+        dependencies: Sequence[Any] | None = None,
         **kwargs: Any,
     ) -> FastAPI:
         """Builds and returns the FastAPI application instance.
@@ -173,6 +185,10 @@ def build(
             agent_card_url: The URL for the agent card endpoint.
             rpc_url: The URL for the A2A JSON-RPC endpoint.
             extended_agent_card_url: The URL for the authenticated extended agent card endpoint.
+            dependencies: Optional sequence of FastAPI dependencies (e.g.
+                `[Security(get_current_active_user, scopes=["items"])]`)
+                applied to authenticated routes. See
+                :meth:`add_routes_to_app`.
             **kwargs: Additional keyword arguments to pass to the FastAPI constructor.
 
         Returns:
@@ -181,7 +197,7 @@ def build(
         app = A2AFastAPI(**kwargs)
 
         self.add_routes_to_app(
-            app, agent_card_url, rpc_url, extended_agent_card_url
+            app, agent_card_url, rpc_url, extended_agent_card_url, dependencies
         )
 
         return app
