--- title: AuthKit 🤝 FastMCP sidebarTitle: AuthKit description: Secure your FastMCP server with AuthKit by WorkOS icon: shield-check --- import { VersionBadge } from "/snippets/version-badge.mdx" This guide shows you how to secure your FastMCP server using WorkOS's **AuthKit**, a complete authentication and user management solution. This integration uses the [**Remote OAuth**](/servers/auth/remote-oauth) pattern with [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html) resource indicators: AuthKit issues tokens whose `aud` claim is bound to your server's resource URL, and FastMCP validates that claim automatically. ## Configuration ### Prerequisites Before you begin, you will need: 1. A **[WorkOS Account](https://workos.com/)** and a new **Project**. 2. An **[AuthKit](https://www.authkit.com/)** instance configured within your WorkOS project. 3. Your FastMCP server's URL (can be localhost for development, e.g., `http://127.0.0.1:8000`). ### Step 1: WorkOS Dashboard In the WorkOS Dashboard, go to **Connect → Configuration** and configure: Enable **Dynamic Client Registration** (DCR) so MCP clients can register themselves. Alternatively, enable **Client ID Metadata Document** (CIMD) if your clients support it. Add your FastMCP server's resource URL (e.g., `http://127.0.0.1:8000/mcp`) as a valid resource indicator. This must exactly match what FastMCP advertises in its protected resource metadata. Start your server first and it will log the correct URL on startup — copy that value. Without this step, AuthKit falls back to a default environment-scoped audience and audience validation will fail with a 401. Find your **AuthKit Domain** on the configuration page. It will look like `https://your-project-12345.authkit.app`. You'll need this for your FastMCP server configuration. ### Step 2: FastMCP Configuration Create your FastMCP server file and use the `AuthKitProvider` to handle all the OAuth integration automatically: ```python server.py from fastmcp import FastMCP from fastmcp.server.auth.providers.workos import AuthKitProvider # AuthKitProvider automatically discovers WorkOS endpoints, configures JWT # validation, and binds the token audience to this server's resource URL. auth_provider = AuthKitProvider( authkit_domain="https://your-project-12345.authkit.app", base_url="http://127.0.0.1:8000", # Use your actual server URL ) mcp = FastMCP(name="AuthKit Secured App", auth=auth_provider) ``` When the server starts, it logs the resource URL it is validating against. Paste that URL into your Dashboard's **MCP resource indicators** list. ## Testing To test your server, you can use the `fastmcp` CLI to run it locally. Assuming you've saved the above code to `server.py` (after replacing the `authkit_domain` and `base_url` with your actual values!), you can run the following command: ```bash fastmcp run server.py --transport http --port 8000 ``` AuthKit defaults DCR clients to `client_secret_basic` for token exchange, which conflicts with how some MCP clients send credentials. To avoid token exchange errors, register as a public client by setting `token_endpoint_auth_method` to `"none"`: ```python client.py from fastmcp import Client from fastmcp.client.auth import OAuth import asyncio auth = OAuth(additional_client_metadata={"token_endpoint_auth_method": "none"}) async def main(): async with Client("http://127.0.0.1:8000/mcp", auth=auth) as client: assert await client.ping() if __name__ == "__main__": asyncio.run(main()) ``` ## Production Configuration For production deployments, load sensitive configuration from environment variables: ```python server.py import os from fastmcp import FastMCP from fastmcp.server.auth.providers.workos import AuthKitProvider # Load configuration from environment variables auth = AuthKitProvider( authkit_domain=os.environ.get("AUTHKIT_DOMAIN"), base_url=os.environ.get("BASE_URL", "https://your-server.com"), ) mcp = FastMCP(name="AuthKit Secured App", auth=auth) ```