fastmcp.server.auth.providers.jwt

TokenVerifier implementations for FastMCP.

Classes

JWKData

JSON Web Key data structure.

JWKSData

JSON Web Key Set data structure.

RSAKeyPair

RSA key pair for JWT testing.
Methods:

generate

generate(cls) -> RSAKeyPair
Generate an RSA key pair for testing.
Returns:
  • Generated key pair

create_token

create_token(self, subject: str = 'fastmcp-user', issuer: str = 'https://fastmcp.example.com', audience: str | list[str] | None = None, scopes: list[str] | None = None, expires_in_seconds: int = 3600, additional_claims: dict[str, Any] | None = None, kid: str | None = None) -> str
Generate a test JWT token for testing purposes.
Args:
  • subject: Subject claim (usually user ID)
  • issuer: Issuer claim
  • audience: Audience claim - can be a string or list of strings (optional)
  • scopes: List of scopes to include
  • expires_in_seconds: Token expiration time in seconds
  • additional_claims: Any additional claims to include
  • kid: Key ID to include in header

JWTVerifierSettings

Settings for JWT token verification.

JWTVerifier

JWT token verifier supporting both asymmetric (RSA/ECDSA) and symmetric (HMAC) algorithms. This verifier validates JWT tokens using various signing algorithms:
  • Asymmetric algorithms (RS256/384/512, ES256/384/512, PS256/384/512): Uses public/private key pairs. Ideal for external clients and services where only the authorization server has the private key.
  • Symmetric algorithms (HS256/384/512): Uses a shared secret for both signing and verification. Perfect for internal microservices and trusted environments where the secret can be securely shared.
Use this when:
  • You have JWT tokens issued by an external service (asymmetric)
  • You need JWKS support for automatic key rotation (asymmetric)
  • You have internal microservices sharing a secret key (symmetric)
  • Your tokens contain standard OAuth scopes and claims
Methods:

load_access_token

load_access_token(self, token: str) -> AccessToken | None
Validates the provided JWT bearer token.
Args:
  • token: The JWT token string to validate
Returns:
  • AccessToken object if valid, None if invalid or expired

verify_token

verify_token(self, token: str) -> AccessToken | None
Verify a bearer token and return access info if valid. This method implements the TokenVerifier protocol by delegating to load_access_token.
Args:
  • token: The JWT token string to validate
Returns:
  • AccessToken object if valid, None if invalid or expired

StaticTokenVerifier

Simple static token verifier for testing and development. This verifier validates tokens against a predefined dictionary of valid token strings and their associated claims. When a token string matches a key in the dictionary, the verifier returns the corresponding claims as if the token had been validated by a real authorization server.
Use this when:
  • You’re developing or testing locally without a real OAuth server
  • You need predictable tokens for automated testing
  • You want to simulate different users/scopes without complex setup
  • You’re prototyping and need simple API key-style authentication
WARNING: Never use this in production - tokens are stored in plain text!
Methods:

verify_token

verify_token(self, token: str) -> AccessToken | None
Verify the token against the static token dictionary.