Skip to main content
New in version 2.12.4 This guide shows you how to secure your FastMCP server using Auth0 OAuth. While Auth0 does have support for Dynamic Client Registration, it is not enabled by default so this integration uses the OIDC Proxy pattern to bridge Auth0’s dynamic OIDC configuration with MCP’s authentication requirements.

Configuration

Prerequisites

Before you begin, you will need:
  1. An Auth0 Account with access to create Applications
  2. Your FastMCP server’s URL (can be localhost for development, e.g., http://localhost:8000)

Step 1: Create an Auth0 Application

Create an Application in your Auth0 settings to get the credentials needed for authentication:
1

Navigate to Applications

Go to Applications β†’ Applications in your Auth0 account.Click ”+ Create Application” to create a new application.
2

Create Your Application

  • Name: Choose a name users will recognize (e.g., β€œMy FastMCP Server”)
  • Choose an application type: Choose β€œSingle Page Web Applications”
  • Click Create to create the application
3

Configure Your Application

Select the β€œSettings” tab for your application, then find the β€œApplication URIs” section.
  • Allowed Callback URLs: Your server URL + /auth/callback (e.g., http://localhost:8000/auth/callback)
  • Click Save to save your changes
The callback URL must match exactly. The default path is /auth/callback, but you can customize it using the redirect_path parameter.
If you want to use a custom callback path (e.g., /auth/auth0/callback), make sure to set the same path in both your Auth0 Application settings and the redirect_path parameter when configuring the Auth0Provider.
4

Save Your Credentials

After creating the app, in the β€œBasic Information” section you’ll see:
  • Client ID: A public identifier like tv2ObNgaZAWWhhycr7Bz1LU2mxlnsmsB
  • Client Secret: A private hidden value that should always be stored securely
Store these credentials securely. Never commit them to version control. Use environment variables or a secrets manager in production.
5

Select Your Audience

Go to Applications β†’ APIs in your Auth0 account.
  • Find the API that you want to use for your application
  • API Audience: A URL that uniquely identifies the API
Store this along with of the credentials above. Never commit this to version control. Use environment variables or a secrets manager in production.

Step 2: FastMCP Configuration

Create your FastMCP server using the Auth0Provider.
server.py

Testing

Running the Server

Start your FastMCP server with HTTP transport to enable OAuth flows:
Your server is now running and protected by Auth0 authentication.

Testing with a Client

Create a test client that authenticates with your Auth0-protected server:
test_client.py
When you run the client for the first time:
  1. Your browser will open to Auth0’s authorization page
  2. After you authorize the app, you’ll be redirected back
  3. The client receives the token and can make authenticated requests

Production Configuration

New in version 2.13.0 For production deployments with persistent token management across server restarts, configure jwt_signing_key, and client_storage:
server.py
Parameters (jwt_signing_key and client_storage) work together to ensure tokens and client registrations survive server restarts. Wrap your storage in FernetEncryptionWrapper to encrypt sensitive OAuth tokens at rest - without it, tokens are stored in plaintext. Store secrets in environment variables and use a persistent storage backend like Redis for distributed deployments.For complete details on these parameters, see the OAuth Proxy documentation.
The client caches tokens locally, so you won’t need to re-authenticate for subsequent runs unless the token expires or you explicitly clear the cache.