aud claim is bound to your serverâs resource URL, and FastMCP validates that claim automatically.
Configuration
Prerequisites
Before you begin, you will need:- A WorkOS Account and a new Project.
- An AuthKit instance configured within your WorkOS project.
- Your FastMCP serverâs URL (can be localhost for development, e.g.,
http://127.0.0.1:8000).
Step 1: WorkOS Dashboard
In the WorkOS Dashboard, go to Connect â Configuration and configure:1
MCP Auth
Enable Dynamic Client Registration (DCR) so MCP clients can register themselves. Alternatively, enable Client ID Metadata Document (CIMD) if your clients support it.
2
MCP resource indicators
Add your FastMCP serverâs resource URL (e.g.,
http://127.0.0.1:8000/mcp) as a valid resource indicator.This must exactly match what FastMCP advertises in its protected resource metadata. Start your server first and it will log the correct URL on startup â copy that value.Without this step, AuthKit falls back to a default environment-scoped audience and audience validation will fail with a 401.3
Note Your AuthKit Domain
Find your AuthKit Domain on the configuration page. It will look like
https://your-project-12345.authkit.app. Youâll need this for your FastMCP server configuration.Step 2: FastMCP Configuration
Create your FastMCP server file and use theAuthKitProvider to handle all the OAuth integration automatically:
server.py
Testing
To test your server, you can use thefastmcp CLI to run it locally. Assuming youâve saved the above code to server.py (after replacing the authkit_domain and base_url with your actual values!), you can run the following command:
client_secret_basic for token exchange, which conflicts with how some MCP clients send credentials. To avoid token exchange errors, register as a public client by setting token_endpoint_auth_method to "none":
client.py
Production Configuration
For production deployments, load sensitive configuration from environment variables:server.py

