Integrate your FastMCP server with external identity providers like WorkOS, Auth0, and corporate SSO systems.
New in version: 2.11.0
Remote OAuth integration allows your FastMCP server to leverage external identity providers while maintaining the automated authentication flows that MCP clients require. This approach provides enterprise-grade authentication features without the complexity of implementing them yourself, making it the recommended pattern for most production applications.
/.well-known/oauth-protected-resource, which tells clients that your server requires OAuth authentication and identifies the authorization servers you trust. This endpoint contains static metadata that points clients to your identity provider without requiring any dynamic lookups.
This flow separates concerns cleanly: your MCP server handles resource protection and token validation, while your identity provider handles user authentication and token issuance. The client coordinates between these systems using standardized OAuth discovery mechanisms.
New in version: 2.11.1
FastMCP provides RemoteAuthProvider to handle the complexities of remote OAuth integration. This class combines token validation capabilities with the OAuth discovery metadata that MCP clients require.
RemoteAuthProvider works by composing a TokenVerifier with authorization server information. A TokenVerifier is another FastMCP authentication class that focuses solely on token validation - signature verification, expiration checking, and claim extraction. The RemoteAuthProvider takes that token validation capability and adds the OAuth discovery endpoints that enable MCP clients to automatically find and authenticate with your identity provider.
This composition pattern means you can use any token validation strategy (JWT verification, introspection endpoints, custom validation logic) while maintaining consistent OAuth discovery behavior. The separation allows you to change token validation approaches without affecting the client discovery experience.
The class automatically generates the required OAuth metadata endpoints using the MCP SDK’s standardized route creation functions. This ensures compatibility with MCP clients while reducing the implementation complexity for server developers.
RemoteAuthProvider directly without subclassing. The implementation requires a TokenVerifier instance, a list of trusted authorization servers, and your server’s URL for metadata generation.
auth.yourcompany.com and provides the OAuth discovery metadata that MCP clients need. The JWTVerifier handles token validation using your identity provider’s public keys, while the RemoteAuthProvider generates the required OAuth endpoints.
The authorization_servers list tells MCP clients which identity providers you trust. The resource_server_url identifies your server in OAuth metadata, enabling proper token audience validation.
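An added example, not FastMCP's own code: a standard-library sketch of the static protected resource metadata document (field names from RFC 9728) and the check a client can run before following it. The api.yourcompany.com URL, the function names and the client-side issuer allowlist are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

def build_metadata(resource_server_url, authorization_servers):
    """Static document a resource server publishes at
    /.well-known/oauth-protected-resource (RFC 9728 field names)."""
    return {
        "resource": resource_server_url,
        "authorization_servers": list(authorization_servers),
        "bearer_methods_supported": ["header"],
    }

def _normalize(url):
    """Accept only HTTPS URLs without a fragment; ignore host case and a trailing slash."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname or parts.fragment:
        raise ValueError(f"not an acceptable https URL: {url!r}")
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{parts.netloc.lower()}{parts.path.rstrip('/')}{query}"

def check_metadata(doc, requested_resource, trusted_issuers):
    """Client-side check: return the advertised authorization servers safe to use.

    trusted_issuers is an assumed client policy allowlist (hypothetical, not an MCP requirement).
    """
    # RFC 9728: the 'resource' value must identify the server the client contacted,
    # otherwise a token could be requested for the wrong audience.
    if _normalize(doc.get("resource", "")) != _normalize(requested_resource):
        raise ValueError("metadata 'resource' does not match the server that was contacted")
    trusted = {_normalize(u) for u in trusted_issuers}
    usable = []
    for issuer in doc.get("authorization_servers", []):
        try:
            if _normalize(issuer) in trusted:
                usable.append(issuer)
        except ValueError:
            continue  # non-HTTPS or malformed entries are never followed
    if not usable:
        raise ValueError("no advertised authorization server is on the client's allowlist")
    return usable

# Constructed sample values; api.yourcompany.com is a placeholder, not from the page.
SERVER = "https://api.yourcompany.com"
DOC = build_metadata(SERVER, ["https://auth.yourcompany.com"])

if __name__ == "__main__":
    print(json.dumps(DOC, indent=2))
    print(check_metadata(DOC, SERVER, ["https://auth.yourcompany.com"]))
```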
RemoteAuthProvider to add additional endpoints beyond the standard OAuth protected resource metadata. These don’t have to be OAuth-specific - you can add any endpoints your authentication integration requires.
super().get_routes() to get the standard protected resource routes, then adds additional endpoints as needed. A common use case is providing authorization server metadata forwarding, which allows MCP clients to discover your identity provider’s capabilities through your MCP server rather than contacting the identity provider directly.
AuthKitProvider demonstrates how to implement both token validation and OAuth metadata forwarding in a production-ready package.
AuthKitProvider automatically configures JWT validation against WorkOS’s public keys and provides both protected resource metadata and authorization server metadata forwarding. This implementation handles the complete remote OAuth integration with minimal configuration.
WorkOS’s support for Dynamic Client Registration makes it particularly well-suited for MCP applications. Clients can automatically register themselves with your WorkOS project and obtain the credentials needed for authentication without manual intervention.
→ Complete WorkOS tutorial: AuthKit Integration Guide