--- title: GitHub OAuth 🤝 FastMCP sidebarTitle: GitHub description: Secure your FastMCP server with GitHub OAuth icon: github --- import { VersionBadge } from "/snippets/version-badge.mdx" This guide shows you how to secure your FastMCP server using **GitHub OAuth**. Since GitHub doesn't support Dynamic Client Registration, this integration uses the [**OAuth Proxy**](/servers/auth/oauth-proxy) pattern to bridge GitHub's traditional OAuth with MCP's authentication requirements. ## Configuration ### Prerequisites Before you begin, you will need: 1. A **[GitHub Account](https://github.com/)** with access to create OAuth Apps 2. Your FastMCP server's URL (can be localhost for development, e.g., `http://localhost:8000`) ### Step 1: Create a GitHub OAuth App Create an OAuth App in your GitHub settings to get the credentials needed for authentication: Go to **Settings → Developer settings → OAuth Apps** in your GitHub account, or visit [github.com/settings/developers](https://github.com/settings/developers). Click **"New OAuth App"** to create a new application. Fill in the application details: - **Application name**: Choose a name users will recognize (e.g., "My FastMCP Server") - **Homepage URL**: Your application's homepage or documentation URL - **Authorization callback URL**: Your server URL + `/auth/callback` (e.g., `http://localhost:8000/auth/callback`) The callback URL must match exactly. The default path is `/auth/callback`, but you can customize it using the `redirect_path` parameter. For local development, GitHub allows `http://localhost` URLs. For production, you must use HTTPS. If you want to use a custom callback path (e.g., `/auth/github/callback`), make sure to set the same path in both your GitHub OAuth App settings and the `redirect_path` parameter when configuring the GitHubProvider. After creating the app, you'll see: - **Client ID**: A public identifier like `Ov23liAbcDefGhiJkLmN` - **Client Secret**: Click "Generate a new client secret" and save the value securely Store these credentials securely. Never commit them to version control. Use environment variables or a secrets manager in production. ### Step 2: FastMCP Configuration Create your FastMCP server using the `GitHubProvider`, which handles GitHub's OAuth quirks automatically: ```python server.py from fastmcp import FastMCP from fastmcp.server.auth.providers.github import GitHubProvider # The GitHubProvider handles GitHub's token format and validation auth_provider = GitHubProvider( client_id="Ov23liAbcDefGhiJkLmN", # Your GitHub OAuth App Client ID client_secret="github_pat_...", # Your GitHub OAuth App Client Secret base_url="http://localhost:8000", # Must match your OAuth App configuration # redirect_path="/auth/callback" # Default value, customize if needed ) mcp = FastMCP(name="GitHub Secured App", auth=auth_provider) # Add a protected tool to test authentication @mcp.tool async def get_user_info() -> dict: """Returns information about the authenticated GitHub user.""" from fastmcp.server.dependencies import get_access_token token = get_access_token() # The GitHubProvider stores user data in token claims return { "github_user": token.claims.get("login"), "name": token.claims.get("name"), "email": token.claims.get("email") } ``` ## Testing ### Running the Server Start your FastMCP server with HTTP transport to enable OAuth flows: ```bash fastmcp run server.py --transport http --port 8000 ``` Your server is now running and protected by GitHub OAuth authentication. ### Testing with a Client Create a test client that authenticates with your GitHub-protected server: ```python test_client.py from fastmcp import Client import asyncio async def main(): # The client will automatically handle GitHub OAuth async with Client("http://localhost:8000/mcp", auth="oauth") as client: # First-time connection will open GitHub login in your browser print("✓ Authenticated with GitHub!") # Test the protected tool result = await client.call_tool("get_user_info") print(f"GitHub user: {result.data['github_user']}") if __name__ == "__main__": asyncio.run(main()) ``` When you run the client for the first time: 1. Your browser will open to GitHub's authorization page 2. After you authorize the app, you'll be redirected back 3. The client receives the token and can make authenticated requests The client caches tokens locally, so you won't need to re-authenticate for subsequent runs unless the token expires or you explicitly clear the cache. ## Production Configuration For production deployments with persistent token management across server restarts, configure `jwt_signing_key` and `client_storage`: ```python server.py import os from fastmcp import FastMCP from fastmcp.server.auth.providers.github import GitHubProvider from key_value.aio.stores.redis import RedisStore from key_value.aio.wrappers.encryption import FernetEncryptionWrapper from cryptography.fernet import Fernet # Production setup with encrypted persistent token storage auth_provider = GitHubProvider( client_id="Ov23liAbcDefGhiJkLmN", client_secret="github_pat_...", base_url="https://your-production-domain.com", # Production token management jwt_signing_key=os.environ["JWT_SIGNING_KEY"], client_storage=FernetEncryptionWrapper( key_value=RedisStore( host=os.environ["REDIS_HOST"], port=int(os.environ["REDIS_PORT"]) ), fernet=Fernet(os.environ["STORAGE_ENCRYPTION_KEY"]) ) ) mcp = FastMCP(name="Production GitHub App", auth=auth_provider) ``` Parameters (`jwt_signing_key` and `client_storage`) work together to ensure tokens and client registrations survive server restarts. **Wrap your storage in `FernetEncryptionWrapper` to encrypt sensitive OAuth tokens at rest** - without it, tokens are stored in plaintext. Store secrets in environment variables and use a persistent storage backend like Redis for distributed deployments. For complete details on these parameters, see the [OAuth Proxy documentation](/servers/auth/oauth-proxy#configuration-parameters).