New in version: 2.11.0
This is an extremely advanced pattern that most users should avoid. Building a secure OAuth 2.1 server requires deep expertise in authentication protocols, cryptography, and security best practices, and the work does not end at implementation: the server needs ongoing security monitoring, threat response, and compliance maintenance. Use Remote OAuth instead unless you have requirements that external identity providers cannot meet, such as air-gapped environments or specialized compliance needs.
The Full OAuth Server pattern exists to support the MCP protocol specification’s requirements. Your FastMCP server becomes both an Authorization Server and Resource Server, handling the complete authentication lifecycle from user login to token validation. This documentation exists for completeness - the vast majority of applications should use external identity providers instead.

OAuthProvider

FastMCP provides the OAuthProvider abstract class that implements the OAuth 2.1 specification. To use this pattern, you must subclass OAuthProvider and implement all required abstract methods.
OAuthProvider handles OAuth endpoints, protocol flows, and security requirements, but delegates all storage, user management, and business logic to your implementation of the abstract methods.

Required Implementation

You must implement these abstract methods to create a functioning OAuth server:

Client Management

get_client (async method)
    Retrieve client information by ID from your database. Return None for an unknown client ID so the request is rejected.
register_client (async method)
    Store new client registration information in your database. Validate the registered redirect URIs before storing them; they are what later authorization requests are matched against.

Authorization Flow

authorize (async method)
    Handle an authorization request and return the redirect URL. Must authenticate the user and collect consent, and must bind the issued code to the client, the granted scopes, the exact redirect URI and the PKCE code_challenge from the request.
load_authorization_code (async method)
    Load an authorization code from storage by code string. Return None if the code is unknown, expired, or already used.

Token Management

exchange_authorization_code (async method)
    Exchange an authorization code for access and refresh tokens. The exchange must meet OAuth 2.1: the code belongs to the requesting client, the PKCE code_verifier matches the stored challenge, and the code is invalidated after one use so it cannot be replayed; only then are new tokens issued.
load_refresh_token (async method)
    Load a refresh token from storage by token string. Return None if the token is invalid, expired, or revoked.
exchange_refresh_token (async method)
    Exchange a refresh token for a new access/refresh token pair. Must validate the token and reject any requested scope that was not part of the original grant.
load_access_token (async method)
    Load an access token by its token string. Return None if it is unknown, expired, or revoked.
revoke_token (async method)
    Revoke an access or refresh token, marking it as invalid in storage.
verify_token (async method)
    Verify the bearer token on an incoming request. Return an AccessToken if valid, None if invalid.
Each method must handle storage, validation, security, and error cases according to the OAuth 2.1 specification. The implementation complexity is substantial and requires expertise in OAuth security considerations.
Security Notice: OAuth server implementation involves numerous security considerations including PKCE, state parameters, redirect URI validation, token binding, replay attack prevention, and secure storage requirements. Mistakes can lead to serious security vulnerabilities.
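The storage and validation that sits behind those methods, as an added example that is not FastMCP's own code: an in-memory store whose method names mirror OAuthProvider, while the dataclass fields, the function signatures, the TTL values and the OAuthError type are assumptions chosen for illustration. It makes the items in the Security Notice concrete: PKCE S256 verification with a constant-time compare, exact redirect URI matching, single-use authorization codes that are burned even when the exchange fails, refresh token rotation, and refusal to widen scopes on refresh. The clock is injectable so expiry can be exercised without sleeping.

```python
"""In-memory model of the storage and validation an OAuthProvider subclass must
supply. Added example for this page, not FastMCP's code; the dataclass fields,
signatures, TTLs and OAuthError are assumptions, the method names mirror OAuthProvider."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class AuthorizationCode:
    code: str
    client_id: str
    redirect_uri: str          # exact URI the code was issued for
    scopes: list[str]
    code_challenge: str        # PKCE S256 challenge captured at /authorize
    expires_at: float


@dataclass
class AccessToken:
    token: str
    client_id: str
    scopes: list[str]
    expires_at: float


@dataclass
class RefreshToken:
    token: str
    client_id: str
    scopes: list[str]
    expires_at: float


class OAuthError(Exception):
    """Raised with an RFC 6749 error code; the endpoint maps it to a JSON error body."""


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class InMemoryAuthStore:
    CODE_TTL, ACCESS_TTL, REFRESH_TTL = 300, 3600, 86400   # seconds (assumed values)

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so expiry can be tested deterministically
        self.codes: dict[str, AuthorizationCode] = {}
        self.access: dict[str, AccessToken] = {}
        self.refresh: dict[str, RefreshToken] = {}

    def issue_authorization_code(self, client_id, redirect_uri, scopes, code_challenge) -> str:
        # Called from authorize() once the user has authenticated and consented.
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthorizationCode(code, client_id, redirect_uri, list(scopes),
                                             code_challenge, self.clock() + self.CODE_TTL)
        return code

    def load_authorization_code(self, code: str) -> AuthorizationCode | None:
        ac = self.codes.get(code)
        if ac is None or ac.expires_at <= self.clock():
            self.codes.pop(code, None)          # purge expired codes rather than keep them
            return None
        return ac

    def _mint(self, client_id: str, scopes: list[str]) -> dict:
        now = self.clock()
        at = AccessToken(secrets.token_urlsafe(32), client_id, list(scopes), now + self.ACCESS_TTL)
        rt = RefreshToken(secrets.token_urlsafe(32), client_id, list(scopes), now + self.REFRESH_TTL)
        self.access[at.token], self.refresh[rt.token] = at, rt
        return {"access_token": at.token, "refresh_token": rt.token, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "scope": " ".join(scopes)}

    def exchange_authorization_code(self, client_id, code, code_verifier, redirect_uri) -> dict:
        ac = self.load_authorization_code(code)
        if ac is None:
            raise OAuthError("invalid_grant")
        del self.codes[code]   # single use: burn the code even if the checks below fail
        if ac.client_id != client_id or ac.redirect_uri != redirect_uri:   # exact match, no prefixes
            raise OAuthError("invalid_grant")
        # PKCE ties the exchange to whoever started the flow; compare in constant time.
        if not hmac.compare_digest(s256_challenge(code_verifier).encode(), ac.code_challenge.encode()):
            raise OAuthError("invalid_grant")
        return self._mint(client_id, ac.scopes)

    def exchange_refresh_token(self, client_id, refresh_token, scopes=None) -> dict:
        rt = self.refresh.get(refresh_token)
        if rt is None or rt.client_id != client_id or rt.expires_at <= self.clock():
            raise OAuthError("invalid_grant")
        requested = list(scopes) if scopes else rt.scopes
        if not set(requested) <= set(rt.scopes):   # may narrow, never widen, the grant
            raise OAuthError("invalid_scope")
        del self.refresh[refresh_token]             # rotation: the presented token is now dead
        return self._mint(client_id, requested)

    def load_access_token(self, token: str) -> AccessToken | None:
        at = self.access.get(token)
        return None if at is None or at.expires_at <= self.clock() else at

    def revoke_token(self, token: str) -> None:
        self.access.pop(token, None)
        self.refresh.pop(token, None)
```

A real subclass would call into a store like this from the awaited OAuthProvider methods and keep the three tables in a database rather than dictionaries, with the same two rules preserved: nothing about a code or token is trusted until it has been looked up and its expiry checked, and any failed exchange consumes the code so a replay attempt cannot retry it.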