2.11.0
The Full OAuth Server pattern exists to support the MCP protocol specification’s requirements. Your FastMCP server becomes both an Authorization Server and Resource Server, handling the complete authentication lifecycle from user login to token validation.
This documentation exists for completeness - the vast majority of applications should use external identity providers instead.
OAuthProvider
FastMCP provides theOAuthProvider abstract class that implements the OAuth 2.1 specification. To use this pattern, you must subclass OAuthProvider and implement all required abstract methods.
OAuthProvider handles OAuth endpoints, protocol flows, and security requirements, but delegates all storage, user management, and business logic to your implementation of the abstract methods.Required Implementation
You must implement these abstract methods to create a functioning OAuth server:Client Management
Authorization Flow
Token Management
Token Management Methods
Exchange authorization code for access and refresh tokens. Must validate code and create new tokens.
Load refresh token from storage by token string. Return
None if token is invalid or expired.Exchange refresh token for new access/refresh token pair. Must validate scopes and token.
Load an access token by its token string.
Revoke access or refresh token, marking it as invalid in storage.
Verify bearer token for incoming requests. Return
AccessToken if valid, None if invalid.
