Authentication & Authorization
FastAPI-MCP provides robust support for securing your MCP tools, leveraging FastAPI's native dependency injection system. This allows you to reuse your existing authentication logic. It also supports the full OAuth 2.0 flow compliant with the MCP 2025-03-26 Specification.
Basic Token Passthrough
If your API uses a simple token in the Authorization header (e.g., Bearer <token>), you can enforce this on your MCP endpoint.
1. Configure the MCP Server
First, define a FastAPI dependency that validates the token. Then, pass this dependency to the AuthConfig when creating your FastApiMCP instance.
# 08_auth_example_token_passthrough.py
from fastapi import Depends, FastAPI, HTTPException
from fastapi.security import HTTPBearer
from fastapi_mcp import AuthConfig, FastApiMCP
app = FastAPI()
token_auth_scheme = HTTPBearer()
# This dependency will run for every MCP request.
async def verify_token(token=Depends(token_auth_scheme)):
# Replace this with your actual token validation logic
if token.credentials != "your-secret-token":
raise HTTPException(status_code=401, detail="Invalid credentials")
return token.credentials
@app.get("/private", operation_id="get_private_data")
async def private_data(user_id: str = Depends(verify_token)):
return {"message": f"Welcome user {user_id}, you have access."}
# Create the MCP server with the token auth dependency
mcp = FastApiMCP(
app,
name="Protected MCP",
auth_config=AuthConfig(
dependencies=[Depends(verify_token)],
),
)
mcp.mount_http()2. Configure the MCP Client
Your MCP client must be configured to send the Authorization header. If using a tool like mcp-remote, you can pass the header via an environment variable.
Example claude_desktop_config.json:
{
"mcpServers": {
"my-protected-server": {
"command": "npx",
"args": [
"mcp-remote",
"http://localhost:8000/mcp",
"--header",
"Authorization:${AUTH_HEADER}"
],
"env": {
"AUTH_HEADER": "Bearer your-secret-token"
}
}
}
}Full OAuth 2.0 Flow
FastAPI-MCP can manage a full OAuth 2.0 Authorization Code Flow with PKCE, making it compatible with providers like Auth0, Okta, or your own custom server.
Because many OAuth providers are not fully compliant with the MCP specification (e.g., they may lack a dynamic client registration endpoint), FastApiMCP can set up proxy endpoints to bridge these gaps.
Example with Auth0
This example demonstrates configuring an MCP server to use Auth0 for authentication.
# 09_auth_example_auth0.py
from fastapi import Depends
from fastapi_mcp import FastApiMCP, AuthConfig
# Assume 'app' is your FastAPI instance and 'verify_auth' is your
# dependency that validates the JWT from Auth0.
# See the full example file for implementation details.
mcp = FastApiMCP(
app,
name="MCP With Auth0",
auth_config=AuthConfig(
# --- OAuth Provider Details ---
issuer="https://your-tenant.auth0.com/",
authorize_url="https://your-tenant.auth0.com/authorize",
oauth_metadata_url="https://your-tenant.auth0.com/.well-known/openid-configuration",
audience="https://your-api-audience/",
# --- Your Application's Credentials ---
client_id="YOUR_AUTH0_CLIENT_ID",
client_secret="YOUR_AUTH0_CLIENT_SECRET",
# --- FastAPI Security ---
dependencies=[Depends(verify_auth)],
# --- MCP Compatibility Proxies ---
setup_proxies=True,
),
)
mcp.mount_http()Key AuthConfig Parameters for OAuth:
issuer,authorize_url,oauth_metadata_url: URLs provided by your OAuth provider.audience: The API identifier for your application in the OAuth provider.client_id,client_secret: Credentials for your application registered with the OAuth provider.dependencies: Your FastAPI dependency that validates the final access token (JWT).setup_proxies: Set toTrueto enable the compatibility layer. This creates proxy endpoints that adapt your OAuth provider's flow to what MCP clients expect.