New in version: 2.11.0 Token verification enables your FastMCP server to validate bearer tokens issued by external systems without participating in user authentication flows. Your server acts as a pure resource server, focusing on token validation and authorization decisions while delegating identity management to other systems in your infrastructure.
Token verification operates somewhat outside the formal MCP authentication flow, which expects OAuth-style discovery. It’s best suited for internal systems, microservices architectures, or when you have full control over token generation and distribution.

Understanding Token Verification

Token verification addresses scenarios where authentication responsibility is distributed across multiple systems. Your MCP server receives structured tokens containing identity and authorization information, validates their authenticity, and makes access control decisions based on their contents. This pattern emerges naturally in microservices architectures where a central authentication service issues tokens that multiple downstream services validate independently. It also works well when integrating MCP servers into existing systems that already have established token-based authentication mechanisms.

The Token Verification Model

Token verification treats your MCP server as a resource server in OAuth terminology. The key insight is that token validation and token issuance are separate concerns that can be handled by different systems. Token Issuance: Another system (API gateway, authentication service, or identity provider) handles user authentication and creates signed tokens containing identity and permission information. Token Validation: Your MCP server receives these tokens, verifies their authenticity using cryptographic signatures, and extracts authorization information from their claims. Access Control: Based on token contents, your server determines what resources, tools, and prompts the client can access. This separation allows your MCP server to focus on its core functionality while leveraging existing authentication infrastructure. The token acts as a portable proof of identity that travels with each request.

Token Security Considerations

Token-based authentication relies on cryptographic signatures to ensure token integrity. Your MCP server validates tokens using public keys corresponding to the private keys used for token creation. This asymmetric approach means your server never needs access to signing secrets. Token validation must address several security requirements: signature verification ensures tokens haven’t been tampered with, expiration checking prevents use of stale tokens, and audience validation ensures tokens intended for your server aren’t accepted by other systems. The challenge in MCP environments is that clients need to obtain valid tokens before making requests, but the MCP protocol doesn’t provide built-in discovery mechanisms for token endpoints. Clients must obtain tokens through separate channels or prior configuration.

FastMCP Token Verification

FastMCP provides the TokenVerifier class to handle token validation complexity while remaining flexible about token sources and validation strategies.

TokenVerifier Design

TokenVerifier focuses exclusively on token validation without providing OAuth discovery metadata. This makes it ideal for internal systems where clients already know how to obtain tokens, or for microservices that trust tokens from known issuers. The class validates token signatures, checks expiration timestamps, and extracts authorization information from token claims. It supports various token formats and validation strategies while maintaining a consistent interface for authorization decisions. You can subclass TokenVerifier to implement custom validation logic for specialized token formats or validation requirements. The base class handles common patterns while allowing extension for unique use cases.

JWT Token Verification

JSON Web Tokens (JWTs) represent the most common token format for modern applications. FastMCP’s JWTVerifier validates JWTs using industry-standard cryptographic techniques and claim validation.

JWKS Endpoint Integration

JWKS endpoint integration provides the most flexible approach for production systems. The verifier automatically fetches public keys from a JSON Web Key Set endpoint, enabling automatic key rotation without server configuration changes. 
from fastmcp import FastMCP
from fastmcp.server.auth.providers.jwt import JWTVerifier

# Configure JWT verification against your identity provider
verifier = JWTVerifier(
    jwks_uri="https://auth.yourcompany.com/.well-known/jwks.json",
    issuer="https://auth.yourcompany.com",
    audience="mcp-production-api"
)

mcp = FastMCP(name="Protected API", auth=verifier)
This configuration creates a server that validates JWTs issued by auth.yourcompany.com. The verifier periodically fetches public keys from the JWKS endpoint and validates incoming tokens against those keys. Only tokens with the correct issuer and audience claims will be accepted. The issuer parameter ensures tokens come from your trusted authentication system, while audience validation prevents tokens intended for other services from being accepted by your MCP server.

Static Public Key Verification

Static public key verification works when you have a fixed signing key and don’t need automatic key rotation. This approach simplifies deployment in environments where JWKS endpoints aren’t available. 
from fastmcp import FastMCP
from fastmcp.server.auth.providers.jwt import JWTVerifier

# Use a static public key for token verification
public_key_pem = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----"""

verifier = JWTVerifier(
    public_key=public_key_pem,
    issuer="https://auth.yourcompany.com",
    audience="mcp-production-api"
)

mcp = FastMCP(name="Protected API", auth=verifier)
This configuration validates tokens using a specific public key. The key must correspond to the private key used by your token issuer. While less flexible than JWKS endpoints, this approach works well for controlled environments or when using dedicated signing keys.

Development and Testing

Development environments often need simpler token management without the complexity of full JWT infrastructure. FastMCP provides tools specifically designed for these scenarios.

Static Token Verification

Static token verification enables rapid development by accepting predefined tokens with associated claims. This approach eliminates the need for token generation infrastructure during development and testing. 
from fastmcp import FastMCP
from fastmcp.server.auth.providers.jwt import StaticTokenVerifier

# Define development tokens and their associated claims
verifier = StaticTokenVerifier(
    tokens={
        "dev-alice-token": {
            "client_id": "alice@company.com",
            "scopes": ["read:data", "write:data", "admin:users"]
        },
        "dev-guest-token": {
            "client_id": "guest-user",
            "scopes": ["read:data"]
        }
    },
    required_scopes=["read:data"]
)

mcp = FastMCP(name="Development Server", auth=verifier)
Clients can now authenticate using Authorization: Bearer dev-alice-token headers. The server will recognize the token and load the associated claims for authorization decisions. This approach enables immediate development without external dependencies.
Static token verification stores tokens as plain text and should never be used in production environments. It’s designed exclusively for development and testing scenarios.

Test Token Generation

Test token generation helps when you need to test JWT verification without setting up complete identity infrastructure. FastMCP includes utilities for generating test key pairs and signed tokens. 
from fastmcp.server.auth.providers.jwt import JWTVerifier, RSAKeyPair

# Generate a key pair for testing
key_pair = RSAKeyPair.generate()

# Configure your server with the public key
verifier = JWTVerifier(
    public_key=key_pair.public_key,
    issuer="https://test.yourcompany.com",
    audience="test-mcp-server"
)

# Generate a test token using the private key
test_token = key_pair.create_token(
    subject="test-user-123",
    issuer="https://test.yourcompany.com", 
    audience="test-mcp-server",
    scopes=["read", "write", "admin"]
)

print(f"Test token: {test_token}")
This pattern enables comprehensive testing of JWT validation logic without depending on external token issuers. The generated tokens are cryptographically valid and will pass all standard JWT validation checks.

Environment Configuration

FastMCP supports both programmatic and environment-based configuration for token verification, enabling flexible deployment across different environments. Environment-based configuration separates authentication settings from application code, following twelve-factor app principles and simplifying deployment pipelines. 
# Enable JWT verification
export FASTMCP_SERVER_AUTH=JWT

# Configure JWT verification parameters  
export FASTMCP_SERVER_AUTH_JWT_JWKS_URI="https://auth.company.com/.well-known/jwks.json"
export FASTMCP_SERVER_AUTH_JWT_ISSUER="https://auth.company.com"
export FASTMCP_SERVER_AUTH_JWT_AUDIENCE="mcp-production-api"
export FASTMCP_SERVER_AUTH_JWT_REQUIRED_SCOPES="read:data,write:data"
With these environment variables configured, your FastMCP server automatically enables JWT verification: 
from fastmcp import FastMCP

# Authentication automatically configured from environment
mcp = FastMCP(name="Production API")
This approach enables the same codebase to run across development, staging, and production environments with different authentication requirements. Development might use static tokens while production uses JWT verification, all controlled through environment configuration.