fastmcp.server.auth.providers.jwt

TokenVerifier implementations for FastMCP.

Classes

JWKData

JSON Web Key data structure.

JWKSData

JSON Web Key Set data structure.

RSAKeyPair

RSA key pair for JWT testing. Methods:

generate

generate(cls) -> RSAKeyPair
Generate an RSA key pair for testing. Returns:
  • Generated key pair

create_token

create_token(self, subject: str = 'fastmcp-user', issuer: str = 'https://fastmcp.example.com', audience: str | list[str] | None = None, scopes: list[str] | None = None, expires_in_seconds: int = 3600, additional_claims: dict[str, Any] | None = None, kid: str | None = None) -> str
Generate a test JWT token for testing purposes. Args:
  • subject: Subject claim (usually user ID)
  • issuer: Issuer claim
  • audience: Audience claim - can be a string or list of strings (optional)
  • scopes: List of scopes to include
  • expires_in_seconds: Token expiration time in seconds
  • additional_claims: Any additional claims to include
  • kid: Key ID to include in header

JWTVerifierSettings

Settings for JWT token verification.

JWTVerifier

JWT token verifier using public key or JWKS. This verifier validates JWT tokens signed by an external issuer. It’s ideal for scenarios where you have a centralized identity provider (like Auth0, Okta, or your own OAuth server) that issues JWTs, and your FastMCP server acts as a resource server validating those tokens. Use this when:
  • You have JWT tokens issued by an external service
  • You want asymmetric key verification (public/private key pairs)
  • You need JWKS support for automatic key rotation
  • Your tokens contain standard OAuth scopes and claims
Methods:

load_access_token

load_access_token(self, token: str) -> AccessToken | None
Validates the provided JWT bearer token. Args:
  • token: The JWT token string to validate
Returns:
  • AccessToken object if valid, None if invalid or expired

verify_token

verify_token(self, token: str) -> AccessToken | None
Verify a bearer token and return access info if valid. This method implements the TokenVerifier protocol by delegating to our existing load_access_token method. Args:
  • token: The JWT token string to validate
Returns:
  • AccessToken object if valid, None if invalid or expired

StaticTokenVerifier

Simple static token verifier for testing and development. This verifier validates tokens against a predefined dictionary of valid token strings and their associated claims. When a token string matches a key in the dictionary, the verifier returns the corresponding claims as if the token was validated by a real authorization server. Use this when:
  • You’re developing or testing locally without a real OAuth server
  • You need predictable tokens for automated testing
  • You want to simulate different users/scopes without complex setup
  • You’re prototyping and need simple API key-style authentication
WARNING: Never use this in production - tokens are stored in plain text! Methods:

verify_token

verify_token(self, token: str) -> AccessToken | None
Verify token against static token dictionary.