Secure your FastMCP server in two lines of Python
A production-grade framework built on top of FastMCP — authentication, observability, and sessions activate with a single config file.
the change
Two lines. That's it.
Point FastAuthMCP at your FastMCP app. Every tool call is now authenticated and observed.
# Your existing FastMCP server from fastmcp import FastMCP app = FastMCP("Weather") @app.tool() def forecast(city: str) -> str: return get_weather(city)
# Same server, enterprise-grade from fastauthmcp import FastMCP app = FastMCP("Weather", config="fastauthmcp.yaml") @app.tool() def forecast(city: str) -> str: return get_weather(city)
configuration
One file controls everything
Toggle capabilities on and off. The middleware pipeline reconfigures in real time.
Toggle switches to see the pipeline change
capabilities
Everything your MCP deployment needs
Authentication
Standards-based identity for every tool call. OAuth2 + OIDC + PKCE, automatic token refresh, platform-native storage.
Observability
Full-stack visibility out of the box. OpenTelemetry traces, Prometheus metrics, structured JSON logs.
Built on FastMCP
FastAuthMCP doesn't fork — it wraps via composition. Your existing tools, prompts, and resources remain untouched. Remove FastAuthMCP and your app still works. It's a layer on top, never a lock-in.
Enterprise Ready
Hardened security defaults, log redaction, durable sessions, hot reload, and battle-tested middleware patterns.
Resilience Built In
Circuit breaker for all IDP calls, JWKS stale-while-revalidate caching, exponential backoff, and request coalescing.
Token Exchange
RFC 8693 token exchange for cloud deployments. Built-in adapters for Google STS, Microsoft Entra OBO, and any OIDC provider.
comparison
Why FastAuthMCP over alternatives?
How FastAuthMCP compares to rolling your own auth or using an API gateway.
| FastAuthMCP | DIY Middleware | API Gateway | |
|---|---|---|---|
| Setup time | 5 minutes | Days to weeks | Hours + infra |
| Code changes | 0 (one import) | Extensive | 0 (external) |
| MCP-aware | ✓ | ✗ | ✗ |
| OAuth2/OIDC built-in | ✓ | Build it | ✓ |
| Token forwarding | ✓ access_token() | Build it | Depends |
| Identity in tools | ✓ identity() | Manual | ✗ |
| Per-tool authorization | ✓ decorators | Build it | Route-level only |
| OpenTelemetry | ✓ automatic | Integrate | Varies |
| Lock-in | None | N/A | Vendor |
| Resilience | ✓ circuit breaker | Build it | ✓ |
| Cost | Free (Apache 2.0) | Engineering time | $ to $$$$ |
compatibility
Security & Interoperability Lab
34 automated scenarios validating FastAuthMCP against every major identity provider. Run it locally in 300ms.
Authentication ✓ ZITADEL Auth Code + PKCE → identity ✓ Keycloak Client Credentials → service identity ✓ Auth0 Auth Code + PKCE → identity ✓ Azure Entra ID + PKCE → identity ✓ Okta Client Credentials → service identity Authorization ✓ Admin role → tool allowed ✓ Viewer role → tool rejected Security ✓ Expired token → rejected ✓ Wrong issuer → rejected ✓ Wrong audience → rejected Result: 34 passed, 0 failed (300ms)
OIDC Provider Matrix
Interactive Lab UI
Chat with an LLM through FastAuthMCP-protected tools. See auth, authorization, and identity propagation in real time.
$ make lab-ui
┌──────────┬───────────────────────────┐
│ Config │ 👤 Who am I? │
│ │ 🤖 Checking identity... │
│ Scenario │ 🔧 whoami() │
│ [Zitadel]│ → sub: user-001 │
│ │ │
│ LLM: │ 👤 Am I an admin? │
│ [OpenAI] │ 🤖 Let me try... │
│ │ 🔧 admin_action() │
│ │ → ❌ forbidden │
├──────────┴───────────────────────────┤
│ 🔍 Logs │
└──────────────────────────────────────┘
documentation
Integration Guides
Step-by-step guides for every platform and identity provider. Complete with config files and client setup.
Claude Desktop
Local stdio + browser login
Google Gemini
Cloud SSE + token exchange
Cursor IDE
Dev server with SSE transport
Zitadel
PKCE, M2M, RFC 8693
Keycloak
PKCE, M2M, RBAC
Azure Entra ID
PKCE, M2M, On-Behalf-Of
Auth0
PKCE, M2M, Actions
Okta
PKCE, M2M, Auth Servers
Google Cloud
OAuth2, Workload Identity
deployment scenarios
One codebase. Two deployment modes.
Your MCP tools call downstream APIs on behalf of the user. FastAuthMCP handles authentication for both local and cloud — same tool code, different config.
Local via stdio
Claude Desktop · Cursor · VS Code
WITHOUT FASTAUTHMCP
Hand-roll OAuth PKCE, build a local callback server, manage token refresh, store credentials securely, wire the token into every HTTP call. Days of work before your first tool.
WITH FASTAUTHMCP
fastauthmcp login → browser opens → token stored in Keychain → every tool call authenticated. 30 seconds.
auth: provider: oidc issuer: https://your-idp.example.com client_id: my-dev-app grant_type: authorization_code
access_token() in your tool → user-scoped, auto-refreshed, zero boilerplate
Cloud via HTTP/SSE
Claude · Gemini · Remote MCP
WITHOUT FASTAUTHMCP
Implement RFC 8693 token exchange, parse upstream tokens, POST to IDP, handle errors, add retry logic, build a circuit breaker. Weeks of security-sensitive code.
WITH FASTAUTHMCP
Platform passes user token → FastAuthMCP exchanges it at IDP → your tool gets a downstream-scoped token. Same tool code as local.
auth: provider: oidc issuer: https://your-idp.example.com client_id: my-cloud-mcp grant_type: token_exchange upstream_token_header: x-user-token token_exchange_audience: https://api.internal.com token_exchange_provider: rfc8693
Circuit breaker, exponential backoff, JWKS validation — all built in. No extra infrastructure.
Same tool code. Same access_token() call. Only the YAML changes.
Deploy locally during development with interactive login. Push to production with token exchange. Your tools never know the difference.
architecture
How a request flows
Each layer is independent. Enable or disable by config section.
MCP Client
Tool call arrives
FastAuthMCP Middleware
Auth → Observability → Sessions
FastMCP
Your tool executes
Response
After-hooks in reverse, result returned
identity providers
Works with the stack you already have
command line
Zero to authenticated in 3 commands
🚀 We just launched
FastAuthMCP is brand new and looking for early adopters and contributors. Try it with your MCP server, integrate your identity provider, write a plugin — we'd love your help building the future of secure MCP.