Secure your FastMCP server in two lines of Python
A production-grade framework built on top of FastMCP — authentication, observability, and sessions activate with a single config file.
the change
Two lines. That's it.
Point FastAuthMCP at your FastMCP app. Every tool call is now authenticated and observed.
# Your existing FastMCP server from fastmcp import FastMCP app = FastMCP("Weather") @app.tool() def forecast(city: str) -> str: return get_weather(city)
# Same server, enterprise-grade from fastauthmcp import FastMCP app = FastMCP("Weather", config="fastauthmcp.yaml") @app.tool() def forecast(city: str) -> str: return get_weather(city)
configuration
One file controls everything
Toggle capabilities on and off. The middleware pipeline reconfigures in real time.
Toggle switches to see the pipeline change
capabilities
Everything your MCP deployment needs
Authentication
Standards-based identity for every tool call. OAuth2 + OIDC + PKCE, automatic token refresh, platform-native storage.
Observability
Full-stack visibility out of the box. OpenTelemetry traces, Prometheus metrics, structured JSON logs.
Built on FastMCP
FastAuthMCP doesn't fork — it wraps via composition. Your existing tools, prompts, and resources remain untouched. Remove FastAuthMCP and your app still works. It's a layer on top, never a lock-in.
Enterprise Ready
Hardened security defaults, log redaction, durable sessions, hot reload, and battle-tested middleware patterns.
Resilience Built In
Circuit breaker for all IDP calls, JWKS stale-while-revalidate caching, exponential backoff, and request coalescing.
Token Exchange
RFC 8693 token exchange for cloud deployments. Built-in adapters for Google STS, Microsoft Entra OBO, and any OIDC provider.
comparison
Why FastAuthMCP over alternatives?
How FastAuthMCP compares to rolling your own auth or using an API gateway.
| FastAuthMCP | DIY Middleware | API Gateway | |
|---|---|---|---|
| Setup time | 5 minutes | Days to weeks | Hours + infra |
| Code changes | 0 (one import) | Extensive | 0 (external) |
| MCP-aware | ✓ | ✗ | ✗ |
| OAuth2/OIDC built-in | ✓ | Build it | ✓ |
| Token forwarding | ✓ access_token() | Build it | Depends |
| Identity in tools | ✓ identity() | Manual | ✗ |
| Per-tool authorization | ✓ decorators | Build it | Route-level only |
| OpenTelemetry | ✓ automatic | Integrate | Varies |
| Lock-in | None | N/A | Vendor |
| Resilience | ✓ circuit breaker | Build it | ✓ |
| Cost | Free (Apache 2.0) | Engineering time | $ to $$$$ |
deployment scenarios
One codebase. Two deployment modes.
Your MCP tools call downstream APIs on behalf of the user. FastAuthMCP handles authentication for both local and cloud — same tool code, different config.
Local via stdio
Claude Desktop · Cursor · VS Code
WITHOUT CERAMIC
Hand-roll OAuth PKCE, build a local callback server, manage token refresh, store credentials securely, wire the token into every HTTP call. Days of work before your first tool.
WITH CERAMIC
fastauthmcp login → browser opens → token stored in Keychain → every tool call authenticated. 30 seconds.
auth: provider: oidc issuer: https://your-idp.example.com client_id: my-dev-app grant_type: authorization_code
access_token() in your tool → user-scoped, auto-refreshed, zero boilerplate
Cloud via HTTP/SSE
Claude · Gemini · Remote MCP
WITHOUT CERAMIC
Implement RFC 8693 token exchange, parse upstream tokens, POST to IDP, handle errors, add retry logic, build a circuit breaker. Weeks of security-sensitive code.
WITH CERAMIC
Platform passes user token → FastAuthMCP exchanges it at IDP → your tool gets a downstream-scoped token. Same tool code as local.
auth: provider: oidc issuer: https://your-idp.example.com client_id: my-cloud-mcp grant_type: token_exchange upstream_token_header: x-user-token token_exchange_audience: https://api.internal.com token_exchange_provider: rfc8693
Circuit breaker, exponential backoff, JWKS validation — all built in. No extra infrastructure.
Same tool code. Same access_token() call. Only the YAML changes.
Deploy locally during development with interactive login. Push to production with token exchange. Your tools never know the difference.
architecture
How a request flows
Each layer is independent. Enable or disable by config section.
MCP Client
Tool call arrives
FastAuthMCP Middleware
Auth → Observability → Sessions
FastMCP
Your tool executes
Response
After-hooks in reverse, result returned
identity providers
Works with the stack you already have
command line
Zero to authenticated in 3 commands
🚀 We just launched
FastAuthMCP is brand new and looking for early adopters and contributors. Try it with your MCP server, integrate your identity provider, write a plugin — we'd love your help building the future of secure MCP.