Skip to main content

fastmcp.server.auth.providers.supabase

Supabase authentication provider for FastMCP. This module provides SupabaseProvider - a complete authentication solution that integrates with Supabase Auth’s JWT verification, supporting Dynamic Client Registration (DCR) for seamless MCP client authentication.

Classes

SupabaseProviderSettings

SupabaseProvider

Supabase metadata provider for DCR (Dynamic Client Registration). This provider implements Supabase Auth integration using metadata forwarding. This approach allows Supabase to handle the OAuth flow directly while FastMCP acts as a resource server, verifying JWTs issued by Supabase Auth. IMPORTANT SETUP REQUIREMENTS:
  1. Supabase Project Setup:
    • Create a Supabase project at https://supabase.com
    • Note your project URL (e.g., “https://abc123.supabase.co”)
    • Configure your JWT algorithm in Supabase Auth settings (HS256, RS256, or ES256)
    • Asymmetric keys (RS256/ES256) are recommended for production
  2. JWT Verification:
    • FastMCP verifies JWTs using the JWKS endpoint at /auth/v1/.well-known/jwks.json
    • JWTs are issued by /auth/v1
    • Tokens are cached for up to 10 minutes by Supabase’s edge servers
    • Algorithm must match your Supabase Auth configuration
  3. Authorization:
    • Supabase uses Row Level Security (RLS) policies for database authorization
    • OAuth-level scopes are an upcoming feature in Supabase Auth
    • Both approaches will be supported once scope handling is available
For detailed setup instructions, see: https://supabase.com/docs/guides/auth/jwts Methods:

get_routes 

get_routes(self, mcp_path: str | None = None) -> list[Route]
Get OAuth routes including Supabase authorization server metadata forwarding. This returns the standard protected resource routes plus an authorization server metadata endpoint that forwards Supabase’s OAuth metadata to clients. Args:
  • mcp_path: The path where the MCP endpoint is mounted (e.g., “/mcp”) This is used to advertise the resource URL in metadata.