Secure your FastMCP server with flexible authentication patterns, from simple API keys to full OAuth 2.1 integration with external identity providers.
New in version 2.11.0
Authentication in MCP presents unique challenges that differ from traditional web applications. MCP clients need to discover authentication requirements automatically, negotiate OAuth flows without user intervention, and work seamlessly across different identity providers. FastMCP addresses these challenges by providing authentication patterns that integrate with the MCP protocol while remaining simple to implement and deploy.
Authentication applies to the HTTP-based transports (http and sse). The STDIO transport inherits security from its local execution environment.

TokenVerifier provides pure token validation without OAuth metadata endpoints. This class focuses on the essential task of determining whether a token is valid and extracting authorization information from its claims.
The implementation handles JWT signature verification, expiration checking, and claim extraction. It validates tokens against known issuers and audiences, ensuring that tokens intended for your server are not accepted by other systems.
JWTVerifier fetches public keys from the configured JWKS endpoint and validates incoming tokens against those keys. Only tokens with the correct issuer and audience claims are accepted.

TokenVerifier works well when you control both the token issuer and your MCP server, or when integrating with existing JWT-based infrastructure.
→ Complete guide: Token Verification
RemoteAuthProvider combines token validation with OAuth discovery metadata, enabling MCP clients to automatically discover and authenticate with external identity providers.

This class extends TokenVerifier functionality by adding OAuth 2.0 protected resource endpoints that advertise your authentication requirements. MCP clients can examine these endpoints to understand which identity providers you trust and how to obtain valid tokens.

The implementation handles the OAuth metadata generation required by the MCP specification while delegating actual token validation to an underlying TokenVerifier. This separation allows you to use different token validation strategies while maintaining consistent OAuth discovery behavior.

For example, AuthKitProvider automatically configures token validation against WorkOS and provides the OAuth metadata that MCP clients need for automatic authentication.

RemoteAuthProvider excels for production applications that need professional identity management without implementation complexity.
→ Complete guide: Remote OAuth
OAuthProvider implements a complete OAuth 2.0 authorization server within your MCP server. This class handles the full authentication lifecycle from user credential verification to token management.

The implementation provides all required OAuth endpoints, including authorization, token, and discovery endpoints. It manages client registration, user consent, and token lifecycle while integrating with your user storage and authentication logic.

OAuthProvider should be used only when you have specific requirements that external providers cannot meet and the expertise to implement OAuth securely.
→ Complete guide: Full OAuth Server
Authentication can also be set up through FastMCP's configuration system, which takes effect when no auth parameter is provided. The configuration system supports all authentication providers and their various options.