New in version: 2.6.0

Authentication and authorization are only relevant for HTTP-based transports.

The MCP specification requires servers to implement full OAuth 2.1 authorization flows with dynamic client registration, server metadata discovery, and complete token endpoints. FastMCP’s Bearer Token authentication provides a simpler, more practical alternative by directly validating pre-issued JWT tokens—ideal for service-to-service communication and programmatic environments where full OAuth flows may be impractical, and in accordance with how the MCP ecosystem is pragmatically evolving. However, please note that since it doesn’t implement the full OAuth 2.1 flow, this implementation does not strictly comply with the MCP specification.

Bearer Token authentication is a common way to secure HTTP-based APIs. In this model, the client sends a token (usually a JSON Web Token or JWT) in the Authorization header with the “Bearer” scheme. The server then validates this token to grant or deny access.

FastMCP supports Bearer Token authentication for its HTTP-based transports (streamable-http and sse), allowing you to protect your server from unauthorized access.

Authentication Strategy

FastMCP uses asymmetric encryption for token validation, which provides a clean security separation between token issuers and FastMCP servers. This approach means:

  • No shared secrets: Your FastMCP server never needs access to private keys or client secrets
  • Public key verification: The server only needs a public key (or JWKS endpoint) to verify token signatures
  • Secure token issuance: Tokens are signed by an external service using a private key that never leaves the issuer
  • Scalable architecture: Multiple FastMCP servers can validate tokens without coordinating secrets

This design allows you to integrate FastMCP servers into existing authentication infrastructures without compromising security boundaries.

Configuration

To enable Bearer Token validation on your FastMCP server, use the BearerAuthProvider class. This provider validates incoming JWTs by verifying signatures, checking expiration, and optionally validating claims.

The BearerAuthProvider validates tokens; it does not issue them (or implement any part of an OAuth flow). You’ll need to generate tokens separately, either using FastMCP utilities or an external Identity Provider (IdP) or OAuth 2.1 Authorization Server.

Basic Setup

To configure bearer token authentication, instantiate a BearerAuthProvider instance and pass it to the auth parameter of the FastMCP instance.

The BearerAuthProvider requires either a static public key or a JWKS URI (but not both!) in order to verify the token’s signature. All other parameters are optional — if they are provided, they will be used as additional validation criteria.

from fastmcp import FastMCP
from fastmcp.server.auth import BearerAuthProvider

auth = BearerAuthProvider(
    jwks_uri="https://my-identity-provider.com/.well-known/jwks.json",
    issuer="https://my-identity-provider.com/",
    audience="my-mcp-server"
)

mcp = FastMCP(name="My MCP Server", auth=auth)

Configuration Parameters

ParameterTypeRequiredDescription
public_keystrIf jwks_uri is not providedRSA public key in PEM format for static key validation
jwks_uristrIf public_key is not providedURL for JSON Web Key Set endpoint
issuerstrNoExpected JWT iss claim value
audiencestrNoExpected JWT aud claim value
required_scopeslist[str]NoGlobal scopes required for all requests

Public Key

If you have a public key in PEM format, you can provide it to the BearerAuthProvider as a string.

from fastmcp.server.auth import BearerAuthProvider
import inspect

public_key_pem = inspect.cleandoc(
    """
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy...
    -----END PUBLIC KEY-----
    """
)

auth = BearerAuthProvider(public_key=public_key_pem)

JWKS URI

provider = BearerAuthProvider(
    jwks_uri="https://idp.example.com/.well-known/jwks.json"
)

JWKS is recommended for production as it supports automatic key rotation and multiple signing keys.

Generating Tokens

For development and testing, FastMCP provides the RSAKeyPair utility class to generate tokens without needing an external OAuth provider.

The RSAKeyPair utility is intended for development and testing only. For production, use a proper OAuth 2.1 Authorization Server or Identity Provider.

Basic Token Generation

from fastmcp import FastMCP
from fastmcp.server.auth import BearerAuthProvider
from fastmcp.server.auth.providers.bearer import RSAKeyPair

# Generate a new key pair
key_pair = RSAKeyPair.generate()

# Configure the auth provider with the public key
auth = BearerAuthProvider(
    public_key=key_pair.public_key,
    issuer="https://dev.example.com",
    audience="my-dev-server"
)

mcp = FastMCP(name="Development Server", auth=auth)

# Generate a token for testing
token = key_pair.create_token(
    subject="dev-user",
    issuer="https://dev.example.com",
    audience="my-dev-server",
    scopes=["read", "write"]
)

print(f"Test token: {token}")

Token Creation Parameters

The create_token() method accepts these parameters:

ParameterTypeDefaultDescription
subjectstr"fastmcp-user"JWT subject claim (usually user ID)
issuerstr"https://fastmcp.example.com"JWT issuer claim
audiencestrNoneJWT audience claim
scopeslist[str]NoneOAuth scopes to include
expires_in_secondsint3600Token expiration time
additional_claimsdictNoneExtra claims to include
kidstrNoneKey ID for JWKS lookup

Accessing Token Claims

Once authenticated, your tools, resources, or prompts can access token information using the get_access_token() dependency function:

from fastmcp import FastMCP, Context, ToolError
from fastmcp.server.dependencies import get_access_token, AccessToken

@mcp.tool()
async def get_my_data(ctx: Context) -> dict:
    access_token: AccessToken = get_access_token()
    
    user_id = access_token.client_id  # From JWT 'sub' or 'client_id' claim
    user_scopes = access_token.scopes
    
    if "data:read_sensitive" not in user_scopes:
        raise ToolError("Insufficient permissions: 'data:read_sensitive' scope required.")
    
    return {
        "user": user_id,
        "sensitive_data": f"Private data for {user_id}",
        "granted_scopes": user_scopes
    }

AccessToken Properties

PropertyTypeDescription
tokenstrThe raw JWT string
client_idstrAuthenticated principal identifier
scopeslist[str]Granted scopes
expires_atdatetime | NoneToken expiration timestamp