New in version: 2.11.0 In the Token Verification pattern, your FastMCP server acts as a pure Resource Server. It validates Bearer tokens on incoming requests and uses the token claims to authorize access to protected resources (tools, resources, and prompts). It does not participate in user login, token issuance, or consent flows - it trusts tokens issued by another system. This is equivalent to how a traditional web server validates API keys on incoming requests. This is the right pattern if you have another system responsible for generating tokens and you simply need your FastMCP server to trust them or use the information in the token to make decisions.

JWT Verification

JWT (JSON Web Token) verification is the recommended approach for production environments. The JWTVerifier class validates tokens using secure, asymmetric public key cryptography. This means your server only needs access to a public key to verify tokens, while the corresponding private key used for signing remains secure on your identity provider.

Using the JWTVerifier

The most common and flexible approach is to point the verifier at a JSON Web Key Set (JWKS) endpoint. This allows your identity provider to rotate signing keys automatically without requiring you to update your server’s configuration. 
from fastmcp import FastMCP
from fastmcp.server.auth.providers.jwt import JWTVerifier

# The verifier will periodically fetch keys from this URL 
# to validate incoming tokens.
verifier = JWTVerifier(
    jwks_uri="https://my-identity-provider.com/.well-known/jwks.json",
    issuer="https://my-identity-provider.com/",
    audience="my-mcp-server-identifier"
)

mcp = FastMCP(name="My Secure Server", auth=verifier)

JWTVerifier Constructor

JWTVerifier
class

Environment Variable Configuration

You can configure the JWTVerifier entirely through environment variables. Set FASTMCP_SERVER_AUTH=JWT to enable automatic configuration, then provide the verifier’s settings. Example configuration: 
export FASTMCP_SERVER_AUTH=JWT
export FASTMCP_SERVER_AUTH_JWT_JWKS_URI="https://your-idp.com/.well-known/jwks.json"
export FASTMCP_SERVER_AUTH_JWT_ISSUER="https://your-idp.com"
export FASTMCP_SERVER_AUTH_JWT_AUDIENCE="your-server-id"
Your FastMCP server will now be automatically configured with JWT verification: 
from fastmcp import FastMCP

# This server is automatically protected with JWT verification 
# based on the environment variables.
mcp = FastMCP(name="My Protected Server")

Development Tools

For local development and testing, managing JWTs can be cumbersome. FastMCP provides simpler tools for these scenarios.

Static Token Verification

The StaticTokenVerifier validates tokens against a hardcoded set of tokens and claims. It’s perfect for quickly getting a secure server running in your local environment for testing or prototyping without the complexity of a real identity provider.
Never use static token verification in production. Tokens are stored as plain text strings, which is highly insecure.
To use the static token verifier, you need to provide a dictionary of tokens and their claims. Each key of the dictionary is a token, and the value is a dictionary of token data. Note that the tokens will be stored as plain text strings and validated as-is. For example, the following configuration would recognize a token provided in the Authorization header as Bearer dev-token-for-alice and load alice@example.com as the client ID: 
from fastmcp import FastMCP
from fastmcp.server.auth.providers.jwt import StaticTokenVerifier

verifier = StaticTokenVerifier(
    tokens={
        "dev-token-for-alice": {
            "client_id": "alice@example.com",
            "scopes": ["read:data", "write:data"]
        },
        "readonly-token-for-guest": {
            "client_id": "guest-user",
            "scopes": ["read:data"]
        }
    },
    required_scopes=["read:data"] # Optionally enforce a base scope for all tokens.
)

mcp = FastMCP(name="Development Server", auth=verifier)

Generating Test Tokens

To help test a JWTVerifier-protected server, FastMCP includes a simple RSAKeyPair utility to generate a key pair and sign your own JWTs. This is for convenience in development and is not intended for production use. 
from fastmcp import FastMCP
from fastmcp.server.auth.providers.jwt import JWTVerifier, RSAKeyPair

# 1. In a secure part of your test setup, generate a key pair.
key_pair = RSAKeyPair.generate()

# 2. Configure your FastMCP server's verifier with the PUBLIC key.
auth_verifier = JWTVerifier(
    public_key=key_pair.public_key,
    issuer="https://dev.fastmcp.com",
    audience="test-server"
)
mcp = FastMCP(name="Test Server", auth=auth_verifier)

# 3. Use the PRIVATE key to create a valid token for your client tests.
test_token = key_pair.create_token(
    subject="test-user-123",
    issuer="https://dev.fastmcp.com",
    audience="test-server",
    scopes=["read", "write"]
)

print(f"Generated Test Token:\n{test_token}")