This guide provides migration instructions for breaking changes and major updates when upgrading between FastMCP versions.

v2.13.0

OAuth Token Key Management

The OAuth proxy now issues its own JWT tokens to clients instead of forwarding upstream provider tokens. This improves security by maintaining proper token audience boundaries: the token a client holds is minted for, and only accepted by, your FastMCP server, and the upstream provider's token never leaves the proxy.

What changed: The OAuth proxy now implements a token factory pattern. It receives tokens from your OAuth provider (GitHub, Google, etc.), encrypts and stores them, then issues its own FastMCP JWT tokens to clients. This requires cryptographic keys for JWT signing and token encryption.

Default behavior (development): By default, FastMCP automatically manages keys based on your platform:
  • Mac/Windows: Keys are auto-managed via the system keyring and survive server restarts with zero configuration. Suitable only for development and local testing.
  • Linux: Keys are ephemeral (a random salt is generated at startup and regenerated on each restart), so every token issued before a restart becomes invalid afterwards.
This works fine for development and testing where re-authentication after a restart is acceptable.

For production: Production deployments must provide an explicit signing key and use persistent, network-reachable storage, so that tokens remain valid across restarts and across multiple server instances. Add both to the provider configuration:
import os

from fastmcp.server.auth.providers.github import GitHubProvider
from key_value.aio.stores.redis import RedisStore

auth = GitHubProvider(
    client_id=os.environ["GITHUB_CLIENT_ID"],
    client_secret=os.environ["GITHUB_CLIENT_SECRET"],
    base_url="https://your-server.com",

    # Explicit keys (required for production): the JWT signing key must be a
    # high-entropy secret loaded from the environment, never a literal in code
    jwt_signing_key=os.environ["JWT_SIGNING_KEY"],

    # Persistent network storage (required for production): shared by every
    # server instance so tokens issued by one instance are valid on the others
    client_storage=RedisStore(host="redis.example.com", port=6379)
)
More information: