fastmcp.server.auth.providers.introspection
OAuth 2.0 Token Introspection (RFC 7662) provider for FastMCP.
This module provides token verification for opaque tokens using the OAuth 2.0
Token Introspection protocol defined in RFC 7662. It allows FastMCP servers to
validate tokens issued by authorization servers that don’t use JWT format.
Example:
Classes
IntrospectionTokenVerifierSettings
Settings for OAuth 2.0 Token Introspection verification.
IntrospectionTokenVerifier
OAuth 2.0 Token Introspection verifier (RFC 7662).
This verifier validates opaque tokens by calling an OAuth 2.0 token introspection
endpoint. Unlike JWT verification, which is stateless, token introspection requires
a network call to the authorization server for each token validation.
The verifier authenticates to the introspection endpoint using HTTP Basic Auth
with the provided client_id and client_secret, as specified in RFC 7662.
Use this when:
- Your authorization server issues opaque (non-JWT) tokens
- You need to validate tokens from Auth0, Okta, Keycloak, or other OAuth servers
- Your tokens require real-time revocation checking
- Your authorization server supports RFC 7662 introspection
verify_token
Args:
- token: The opaque token string to validate
Returns:
- AccessToken object if valid and active, None if invalid, inactive, or expired
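The exchange described above, sketched with the Python standard library as an added example; it is not FastMCP's own implementation. The endpoint URL, client credentials, sample responses and the `required_scopes` parameter are assumptions constructed for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Hypothetical endpoint, constructed for this example.
INTROSPECTION_URL = "https://auth.example.com/oauth/introspect"


def build_introspection_request(token, client_id, client_secret, url=INTROSPECTION_URL):
    """RFC 7662 section 2.1: form-encoded POST, client authenticated with HTTP Basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    return urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def evaluate_introspection_response(status, body, required_scopes=(), now=None):
    """Return a claims summary if the token is usable, otherwise None (fail closed)."""
    if status != 200:
        return None  # endpoint error or rejected client credentials
    try:
        claims = json.loads(body)
    except ValueError:
        return None  # malformed JSON is treated as an invalid token
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return None  # "active" must be the JSON boolean true, not a truthy string
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= now):
        return None  # defensive: reject an expired token even if reported active
    granted = set(str(claims.get("scope", "")).split())  # space-delimited scopes
    if not set(required_scopes) <= granted:
        return None
    return {"client_id": claims.get("client_id"), "scopes": sorted(granted),
            "expires_at": exp}


if __name__ == "__main__":
    req = build_introspection_request("opaque-abc123", "mcp-server", "s3cret")
    print(req.get_method(), req.full_url, req.data)
    # Constructed sample responses; no network call is made.
    ok = '{"active": true, "client_id": "svc-1", "scope": "read write", "exp": 2000000000}'
    print(evaluate_introspection_response(200, ok, ["read"], now=1_700_000_000))
    print(evaluate_introspection_response(200, '{"active": false}'))
```

Every failure path returns None, so an unreachable or misbehaving introspection endpoint never results in a token being accepted.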