Skip to main content
New in version 3.0.0 The fastmcp auth commands help with CIMD (Client ID Metadata Document) management — part of MCP’s OAuth authentication flow. A CIMD is a JSON document you host at an HTTPS URL to identify your client application to MCP servers.

Creating a CIMD

fastmcp auth cimd create generates a CIMD document: 
fastmcp auth cimd create \
  --name "My App" \
  --redirect-uri "http://localhost:*/callback"

{
  "client_id": "https://your-domain.com/oauth/client.json",
  "client_name": "My App",
  "redirect_uris": ["http://localhost:*/callback"],
  "token_endpoint_auth_method": "none"
}
The generated document includes a placeholder client_id — update it to match the URL where you’ll host the document before deploying.

Options

OptionFlagDescription
Name--nameRequired. Human-readable client name
Redirect URI--redirect-uriRequired. Allowed redirect URIs (repeatable)
Client URI--client-uriClient’s home page URL
Logo URI--logo-uriClient’s logo URL
Scope--scopeSpace-separated list of scopes
Output--output, -oSave to file (default: stdout)
Pretty--prettyPretty-print JSON (default: true)

Example

fastmcp auth cimd create \
  --name "My Production App" \
  --redirect-uri "http://localhost:*/callback" \
  --redirect-uri "https://myapp.example.com/callback" \
  --client-uri "https://myapp.example.com" \
  --scope "read write" \
  --output client.json

Validating a CIMD

fastmcp auth cimd validate fetches a hosted CIMD and verifies it conforms to the spec: 
fastmcp auth cimd validate https://myapp.example.com/oauth/client.json
The validator checks that the URL is valid (HTTPS, non-root path), the document is valid JSON, the client_id matches the URL, and no shared-secret auth methods are used. On success: 
→ Fetching https://myapp.example.com/oauth/client.json...
✓ Valid CIMD document

Document details:
  client_id: https://myapp.example.com/oauth/client.json
  client_name: My App
  token_endpoint_auth_method: none
  redirect_uris:
    • http://localhost:*/callback
OptionFlagDescription
Timeout--timeout, -tHTTP request timeout in seconds (default: 10)