--- title: WorkOS 🤝 FastMCP sidebarTitle: WorkOS description: Authenticate FastMCP servers with WorkOS Connect icon: shield-check --- import { VersionBadge } from "/snippets/version-badge.mdx" Secure your FastMCP server with WorkOS Connect authentication. This integration uses the OAuth Proxy pattern to handle authentication through WorkOS Connect while maintaining compatibility with MCP clients. This guide covers WorkOS Connect applications. For Dynamic Client Registration (DCR) with AuthKit, see the [AuthKit integration](/integrations/authkit) instead. ## Configuration ### Prerequisites Before you begin, you will need: 1. A **[WorkOS Account](https://workos.com/)** with access to create OAuth Apps 2. Your FastMCP server's URL (can be localhost for development, e.g., `http://localhost:8000`) ### Step 1: Create a WorkOS OAuth App Create an OAuth App in your WorkOS dashboard to get the credentials needed for authentication: In your WorkOS dashboard: 1. Navigate to **Applications** 2. Click **Create Application** 3. Select **OAuth Application** 4. Name your application In your OAuth application settings: 1. Copy your **Client ID** (starts with `client_`) 2. Click **Generate Client Secret** and save it securely 3. Copy your **AuthKit Domain** (e.g., `https://your-app.authkit.app`) In the **Redirect URIs** section: - Add: `http://localhost:8000/auth/callback` (for development) - For production, add your server's public URL + `/auth/callback` The callback URL must match exactly. The default path is `/auth/callback`, but you can customize it using the `redirect_path` parameter. ### Step 2: FastMCP Configuration Create your FastMCP server using the `WorkOSProvider`: ```python server.py from fastmcp import FastMCP from fastmcp.server.auth.providers.workos import WorkOSProvider # Configure WorkOS OAuth auth = WorkOSProvider( client_id="client_YOUR_CLIENT_ID", client_secret="YOUR_CLIENT_SECRET", authkit_domain="https://your-app.authkit.app", base_url="http://localhost:8000", required_scopes=["openid", "profile", "email"] ) mcp = FastMCP("WorkOS Protected Server", auth=auth) @mcp.tool def protected_tool(message: str) -> str: """This tool requires authentication.""" return f"Authenticated user says: {message}" if __name__ == "__main__": mcp.run(transport="http", port=8000) ``` ## Testing ### Running the Server Start your FastMCP server with HTTP transport to enable OAuth flows: ```bash fastmcp run server.py --transport http --port 8000 ``` Your server is now running and protected by WorkOS OAuth authentication. ### Testing with a Client Create a test client that authenticates with your WorkOS-protected server: ```python client.py from fastmcp import Client import asyncio async def main(): # The client will automatically handle WorkOS OAuth async with Client("http://localhost:8000/mcp", auth="oauth") as client: # First-time connection will open WorkOS login in your browser print("✓ Authenticated with WorkOS!") # Test the protected tool result = await client.call_tool("protected_tool", {"message": "Hello!"}) print(result) if __name__ == "__main__": asyncio.run(main()) ``` When you run the client for the first time: 1. Your browser will open to WorkOS's authorization page 2. After you authorize the app, you'll be redirected back 3. The client receives the token and can make authenticated requests The client caches tokens locally, so you won't need to re-authenticate for subsequent runs unless the token expires or you explicitly clear the cache. ## Production Configuration For production deployments with persistent token management across server restarts, configure `jwt_signing_key`, and `client_storage`: ```python server.py import os from fastmcp import FastMCP from fastmcp.server.auth.providers.workos import WorkOSProvider from key_value.aio.stores.redis import RedisStore from key_value.aio.wrappers.encryption import FernetEncryptionWrapper from cryptography.fernet import Fernet # Production setup with encrypted persistent token storage auth = WorkOSProvider( client_id="client_YOUR_CLIENT_ID", client_secret="YOUR_CLIENT_SECRET", authkit_domain="https://your-app.authkit.app", base_url="https://your-production-domain.com", required_scopes=["openid", "profile", "email"], # Production token management jwt_signing_key=os.environ["JWT_SIGNING_KEY"], client_storage=FernetEncryptionWrapper( key_value=RedisStore( host=os.environ["REDIS_HOST"], port=int(os.environ["REDIS_PORT"]) ), fernet=Fernet(os.environ["STORAGE_ENCRYPTION_KEY"]) ) ) mcp = FastMCP(name="Production WorkOS App", auth=auth) ``` Parameters (`jwt_signing_key` and `client_storage`) work together to ensure tokens and client registrations survive server restarts. **Wrap your storage in `FernetEncryptionWrapper` to encrypt sensitive OAuth tokens at rest** - without it, tokens are stored in plaintext. Store secrets in environment variables and use a persistent storage backend like Redis for distributed deployments. For complete details on these parameters, see the [OAuth Proxy documentation](/servers/auth/oauth-proxy#configuration-parameters). ## Configuration Options WorkOS OAuth application client ID WorkOS OAuth application client secret Your WorkOS AuthKit domain URL (e.g., `https://your-app.authkit.app`) Your FastMCP server's public URL OAuth scopes to request OAuth callback path API request timeout