60e0ffc959
Upgrade checks / Notify on failure (push) Has been cancelled
Upgrade checks / Close issue on success (push) Has been cancelled
Schema Crash Test / Real-world schema crash test (232K schemas) (push) Has been cancelled
Run static analysis / static_analysis (push) Has been cancelled
Tests / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Tests / Tests with lowest-direct dependencies (push) Has been cancelled
Tests / MCP conformance tests (push) Has been cancelled
Tests / Integration tests (push) Has been cancelled
Tests / Package install smoke (push) Has been cancelled
Upgrade checks / Static analysis (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Upgrade checks / Integration tests (push) Has been cancelled
Update MCPServerConfig Schema / update-config-schema (push) Has been cancelled
Update SDK Documentation / update-sdk-docs (push) Has been cancelled
925 lines
37 KiB
Plaintext
925 lines
37 KiB
Plaintext
---
|
|
title: HTTP Deployment
|
|
sidebarTitle: HTTP Deployment
|
|
description: Deploy your FastMCP server over HTTP for remote access
|
|
icon: server
|
|
---
|
|
|
|
import { VersionBadge } from "/snippets/version-badge.mdx";
|
|
|
|
<Tip>
|
|
STDIO transport is perfect for local development and desktop applications. But to unlock the full potential of MCP—centralized services, multi-client access, and network availability—you need remote HTTP deployment.
|
|
</Tip>
|
|
|
|
This guide walks you through deploying your FastMCP server as a remote MCP service that's accessible via a URL. Once deployed, your MCP server will be available over the network, allowing multiple clients to connect simultaneously and enabling integration with cloud-based LLM applications. This guide focuses specifically on remote MCP deployment, not local STDIO servers.
|
|
|
|
## Choosing Your Approach
|
|
|
|
FastMCP provides two ways to deploy your server as an HTTP service. Understanding the trade-offs helps you choose the right approach for your needs.
|
|
|
|
The **direct HTTP server** approach is simpler and perfect for getting started quickly. You modify your server's `run()` method to use HTTP transport, and FastMCP handles all the web server configuration. This approach works well for standalone deployments where you want your MCP server to be the only service running on a port.
|
|
|
|
The **ASGI application** approach gives you more control and flexibility. Instead of running the server directly, you create an ASGI application that can be served by Uvicorn. This approach is better when you need advanced server features like multiple workers, custom middleware, or when you're integrating with existing web applications.
|
|
|
|
### Direct HTTP Server
|
|
|
|
The simplest way to get your MCP server online is to use the built-in `run()` method with HTTP transport. This approach handles all the server configuration for you and is ideal when you want a standalone MCP server without additional complexity.
|
|
|
|
```python server.py
|
|
from fastmcp import FastMCP
|
|
|
|
mcp = FastMCP("My Server")
|
|
|
|
@mcp.tool
|
|
def process_data(input: str) -> str:
|
|
"""Process data on the server"""
|
|
return f"Processed: {input}"
|
|
|
|
if __name__ == "__main__":
|
|
mcp.run(transport="http", host="0.0.0.0", port=8000)
|
|
```
|
|
|
|
Run your server with a simple Python command:
|
|
```bash
|
|
python server.py
|
|
```
|
|
|
|
Your server is now accessible at `http://localhost:8000/mcp` (or use your server's actual IP address for remote access).
|
|
|
|
This approach is ideal when you want to get online quickly with minimal configuration. It's perfect for internal tools, development environments, or simple deployments where you don't need advanced server features. The built-in server handles all the HTTP details, letting you focus on your MCP implementation.
|
|
|
|
### ASGI Application
|
|
|
|
For production deployments, you'll often want more control over how your server runs. FastMCP can create a standard ASGI application that works with any ASGI server like Uvicorn, Gunicorn, or Hypercorn. This approach is particularly useful when you need to configure advanced server options, run multiple workers, or integrate with existing infrastructure.
|
|
|
|
```python app.py
|
|
from fastmcp import FastMCP
|
|
|
|
mcp = FastMCP("My Server")
|
|
|
|
@mcp.tool
|
|
def process_data(input: str) -> str:
|
|
"""Process data on the server"""
|
|
return f"Processed: {input}"
|
|
|
|
# Create ASGI application
|
|
app = mcp.http_app()
|
|
```
|
|
|
|
Run with any ASGI server - here's an example with Uvicorn:
|
|
```bash
|
|
uvicorn app:app --host 0.0.0.0 --port 8000
|
|
```
|
|
|
|
Your server is accessible at the same URL: `http://localhost:8000/mcp` (or use your server's actual IP address for remote access).
|
|
|
|
The ASGI approach shines in production environments where you need reliability and performance. You can run multiple worker processes to handle concurrent requests, add custom middleware for logging or monitoring, integrate with existing deployment pipelines, or mount your MCP server as part of a larger application.
|
|
|
|
## Configuring Your Server
|
|
|
|
### Custom Path
|
|
|
|
By default, your MCP server is accessible at `/mcp/` on your domain. You can customize this path to fit your URL structure or avoid conflicts with existing endpoints. This is particularly useful when integrating MCP into an existing application or following specific API conventions.
|
|
|
|
```python
|
|
# Option 1: With mcp.run()
|
|
mcp.run(transport="http", host="0.0.0.0", port=8000, path="/api/mcp/")
|
|
|
|
# Option 2: With ASGI app
|
|
app = mcp.http_app(path="/api/mcp/")
|
|
```
|
|
|
|
Now your server is accessible at `http://localhost:8000/api/mcp/`.
|
|
|
|
### Authentication
|
|
|
|
<Warning>
|
|
Authentication is **highly recommended** for remote MCP servers. Some LLM clients require authentication for remote servers and will refuse to connect without it.
|
|
</Warning>
|
|
|
|
FastMCP supports multiple authentication methods to secure your remote server. See the [Authentication Overview](/servers/auth/authentication) for complete configuration options including Bearer tokens, JWT, and OAuth.
|
|
|
|
If you're mounting an authenticated server under a path prefix, see [Mounting Authenticated Servers](#mounting-authenticated-servers) below for important routing considerations.
|
|
|
|
### Host and Origin Protection
|
|
|
|
FastMCP can validate `Host` and browser `Origin` headers for Streamable HTTP requests before they reach MCP session handling. This request guard protects localhost-bound servers from DNS rebinding attacks, and it remains opt-in in FastMCP 3.x to preserve compatibility with existing ASGI, serverless, and reverse-proxy deployments.
|
|
|
|
Think of this as a request guard rather than CORS middleware. It decides whether a request can reach MCP session handling. CORS remains a separate browser response-header policy; configure CORS middleware separately when browser JavaScript must read cross-origin responses.
|
|
|
|
Enable strict validation with `host_origin_protection=True`. When you deploy behind a public hostname, add the hostname clients use to reach your MCP endpoint. If a browser-based MCP client runs on a separate origin, add that origin as well:
|
|
|
|
```python
|
|
from fastmcp import FastMCP
|
|
|
|
mcp = FastMCP("My Server")
|
|
|
|
app = mcp.http_app(
|
|
host_origin_protection=True,
|
|
allowed_hosts=["mcp.example.com"],
|
|
allowed_origins=["https://app.example.com"],
|
|
)
|
|
```
|
|
|
|
For the direct server approach, pass the same values to `run()`:
|
|
|
|
```python
|
|
from fastmcp import FastMCP
|
|
|
|
mcp = FastMCP("My Server")
|
|
|
|
if __name__ == "__main__":
|
|
mcp.run(
|
|
transport="http",
|
|
host="0.0.0.0",
|
|
port=8000,
|
|
host_origin_protection=True,
|
|
allowed_hosts=["mcp.example.com"],
|
|
allowed_origins=["https://app.example.com"],
|
|
)
|
|
```
|
|
|
|
You can also configure these values with environment variables:
|
|
|
|
```bash
|
|
export FASTMCP_HTTP_HOST_ORIGIN_PROTECTION=true
|
|
export FASTMCP_HTTP_ALLOWED_HOSTS='["mcp.example.com"]'
|
|
export FASTMCP_HTTP_ALLOWED_ORIGINS='["https://app.example.com"]'
|
|
```
|
|
|
|
Use `host_origin_protection="auto"` to protect localhost-bound direct servers while allowing ASGI, serverless, and reverse-proxy deployments to keep their existing Host handling unless they configure explicit trust rules. Use `host_origin_protection=False` to keep the request guard disabled.
|
|
|
|
### Health Checks
|
|
|
|
Health check endpoints are essential for monitoring your deployed server and ensuring it's responding correctly. FastMCP allows you to add custom routes alongside your MCP endpoints, making it easy to implement health checks that work with both deployment approaches.
|
|
|
|
```python
|
|
from starlette.responses import JSONResponse
|
|
|
|
@mcp.custom_route("/health", methods=["GET"])
|
|
async def health_check(request):
|
|
return JSONResponse({"status": "healthy", "service": "mcp-server"})
|
|
```
|
|
|
|
This health endpoint will be available at `http://localhost:8000/health` and can be used by load balancers, monitoring systems, or deployment platforms to verify your server is running.
|
|
|
|
<Note>
|
|
Custom routes are never protected by the server's authentication middleware, even when an `AuthProvider` is configured. This is by design — the primary use case for custom routes is unauthenticated operational endpoints like health checks and readiness probes. If you need authenticated HTTP endpoints alongside your MCP server, [mount it in a FastAPI app](/integrations/fastapi) and use FastAPI's `Depends()` for auth on your routes.
|
|
</Note>
|
|
|
|
### Custom Middleware
|
|
|
|
|
|
<VersionBadge version="2.3.2" />
|
|
|
|
Add custom Starlette middleware to your FastMCP ASGI apps:
|
|
|
|
```python
|
|
from fastmcp import FastMCP
|
|
from starlette.middleware import Middleware
|
|
from starlette.middleware.cors import CORSMiddleware
|
|
|
|
# Create your FastMCP server
|
|
mcp = FastMCP("MyServer")
|
|
|
|
# Define middleware
|
|
middleware = [
|
|
Middleware(
|
|
CORSMiddleware,
|
|
allow_origins=["*"],
|
|
allow_methods=["*"],
|
|
allow_headers=["*"],
|
|
)
|
|
]
|
|
|
|
# Create ASGI app with middleware
|
|
http_app = mcp.http_app(middleware=middleware)
|
|
```
|
|
|
|
### CORS for Browser-Based Clients
|
|
|
|
<Tip>
|
|
Most MCP clients, including those that you access through a browser like ChatGPT or Claude, don't need CORS configuration. Only enable CORS if you're working with an MCP client that connects directly from a browser, such as debugging tools or inspectors.
|
|
</Tip>
|
|
|
|
CORS (Cross-Origin Resource Sharing) is needed when JavaScript running in a web browser connects directly to your MCP server. This is different from using an LLM through a browser—in that case, the browser connects to the LLM service, and the LLM service connects to your MCP server (no CORS needed).
|
|
|
|
Host and Origin protection runs before CORS when it is active for a request. Add browser client origins to `allowed_origins` so trusted browser requests reach the CORS middleware, then configure CORS to let browser JavaScript read the MCP response headers it needs. Setting `allowed_origins` trusts the request; it does not emit `Access-Control-Allow-Origin` or other CORS response headers.
|
|
|
|
Browser-based MCP clients that need CORS include:
|
|
|
|
- **MCP Inspector** - Browser-based debugging tool for testing MCP servers
|
|
- **Custom browser-based MCP clients** - If you're building a web app that directly connects to MCP servers
|
|
|
|
For these scenarios, add CORS middleware with the specific headers required for MCP protocol:
|
|
|
|
```python
|
|
from fastmcp import FastMCP
|
|
from starlette.middleware import Middleware
|
|
from starlette.middleware.cors import CORSMiddleware
|
|
|
|
mcp = FastMCP("MyServer")
|
|
|
|
# Configure CORS for browser-based clients
|
|
middleware = [
|
|
Middleware(
|
|
CORSMiddleware,
|
|
allow_origins=["*"], # Allow all origins; use specific origins for security
|
|
allow_methods=["GET", "POST", "DELETE", "OPTIONS"],
|
|
allow_headers=[
|
|
"mcp-protocol-version",
|
|
"mcp-session-id",
|
|
"Authorization",
|
|
"Content-Type",
|
|
],
|
|
expose_headers=["mcp-session-id"],
|
|
)
|
|
]
|
|
|
|
app = mcp.http_app(middleware=middleware)
|
|
```
|
|
|
|
**Key configuration details:**
|
|
|
|
- **`allow_origins`**: Specify exact origins (e.g., `["http://localhost:3000"]`) rather than `["*"]` for production deployments
|
|
- **`allow_headers`**: Must include `mcp-protocol-version`, `mcp-session-id`, and `Authorization` (for authenticated servers)
|
|
- **`expose_headers`**: Must include `mcp-session-id` so JavaScript can read the session ID from responses and send it in subsequent requests
|
|
|
|
Without `expose_headers=["mcp-session-id"]`, browsers will receive the session ID but JavaScript won't be able to access it, causing session management to fail.
|
|
|
|
<Warning>
|
|
**Production Security**: Never use `allow_origins=["*"]` in production. Specify the exact origins of your browser-based clients. Using wildcards exposes your server to unauthorized access from any website.
|
|
</Warning>
|
|
|
|
### SSE Polling for Long-Running Operations
|
|
|
|
<VersionBadge version="2.14.0" />
|
|
|
|
<Note>
|
|
This feature only applies to the **StreamableHTTP transport** (the default for `http_app()`). It does not apply to the legacy SSE transport (`transport="sse"`).
|
|
</Note>
|
|
|
|
When running tools that take a long time to complete, you may encounter issues with load balancers or proxies terminating connections that stay idle too long. [SEP-1699](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1699) introduces SSE polling to solve this by allowing the server to gracefully close connections and have clients automatically reconnect.
|
|
|
|
To enable SSE polling, configure an `EventStore` when creating your HTTP application:
|
|
|
|
```python
|
|
from fastmcp import FastMCP, Context
|
|
from fastmcp.server.event_store import EventStore
|
|
|
|
mcp = FastMCP("My Server")
|
|
|
|
@mcp.tool
|
|
async def long_running_task(ctx: Context) -> str:
|
|
"""A task that takes several minutes to complete."""
|
|
for i in range(100):
|
|
await ctx.report_progress(i, 100)
|
|
|
|
# Periodically close the connection to avoid load balancer timeouts
|
|
# Client will automatically reconnect and resume receiving progress
|
|
if i % 30 == 0 and i > 0:
|
|
await ctx.close_sse_stream()
|
|
|
|
await do_expensive_work()
|
|
|
|
return "Done!"
|
|
|
|
# Configure with EventStore for resumability
|
|
event_store = EventStore()
|
|
app = mcp.http_app(
|
|
event_store=event_store,
|
|
retry_interval=2000, # Client reconnects after 2 seconds
|
|
)
|
|
```
|
|
|
|
**How it works:**
|
|
|
|
1. When `event_store` is configured, the server stores all events (progress updates, results) with unique IDs
|
|
2. Calling `ctx.close_sse_stream()` gracefully closes the HTTP connection
|
|
3. The client automatically reconnects with a `Last-Event-ID` header
|
|
4. The server replays any events the client missed during the disconnection
|
|
|
|
The `retry_interval` parameter (in milliseconds) controls how long clients wait before reconnecting. Choose a value that balances responsiveness with server load.
|
|
|
|
<Note>
|
|
`close_sse_stream()` is a no-op if called without an `EventStore` configured, so you can safely include it in tools that may run in different deployment configurations.
|
|
</Note>
|
|
|
|
#### Custom Storage Backends
|
|
|
|
By default, `EventStore` uses in-memory storage. For production deployments with multiple server instances, you can provide a custom storage backend using the `key_value` package:
|
|
|
|
```python
|
|
from fastmcp.server.event_store import EventStore
|
|
from key_value.aio.stores.redis import RedisStore
|
|
|
|
# Use Redis for distributed deployments
|
|
redis_store = RedisStore(url="redis://localhost:6379")
|
|
event_store = EventStore(
|
|
storage=redis_store,
|
|
max_events_per_stream=100, # Keep last 100 events per stream
|
|
ttl=3600, # Events expire after 1 hour
|
|
)
|
|
|
|
app = mcp.http_app(event_store=event_store)
|
|
```
|
|
|
|
## Integration with Web Frameworks
|
|
|
|
If you already have a web application running, you can add MCP capabilities by mounting a FastMCP server as a sub-application. This allows you to expose MCP tools alongside your existing API endpoints, sharing the same domain and infrastructure. The MCP server becomes just another route in your application, making it easy to manage and deploy.
|
|
|
|
### Mounting in Starlette
|
|
|
|
Mount your FastMCP server in a Starlette application:
|
|
|
|
```python
|
|
from fastmcp import FastMCP
|
|
from starlette.applications import Starlette
|
|
from starlette.routing import Mount
|
|
|
|
# Create your FastMCP server
|
|
mcp = FastMCP("MyServer")
|
|
|
|
@mcp.tool
|
|
def analyze(data: str) -> dict:
|
|
return {"result": f"Analyzed: {data}"}
|
|
|
|
# Create the ASGI app
|
|
mcp_app = mcp.http_app(path='/mcp')
|
|
|
|
# Create a Starlette app and mount the MCP server
|
|
app = Starlette(
|
|
routes=[
|
|
Mount("/mcp-server", app=mcp_app),
|
|
# Add other routes as needed
|
|
],
|
|
lifespan=mcp_app.lifespan,
|
|
)
|
|
```
|
|
|
|
The MCP endpoint will be available at `/mcp-server/mcp/` of the resulting Starlette app.
|
|
|
|
<Warning>
|
|
For Streamable HTTP transport, you **must** pass the lifespan context from the FastMCP app to the resulting Starlette app, as nested lifespans are not recognized. Otherwise, the FastMCP server's session manager will not be properly initialized.
|
|
</Warning>
|
|
|
|
#### Nested Mounts
|
|
|
|
You can create complex routing structures by nesting mounts:
|
|
|
|
```python
|
|
from fastmcp import FastMCP
|
|
from starlette.applications import Starlette
|
|
from starlette.routing import Mount
|
|
|
|
# Create your FastMCP server
|
|
mcp = FastMCP("MyServer")
|
|
|
|
# Create the ASGI app
|
|
mcp_app = mcp.http_app(path='/mcp')
|
|
|
|
# Create nested application structure
|
|
inner_app = Starlette(routes=[Mount("/inner", app=mcp_app)])
|
|
app = Starlette(
|
|
routes=[Mount("/outer", app=inner_app)],
|
|
lifespan=mcp_app.lifespan,
|
|
)
|
|
```
|
|
|
|
In this setup, the MCP server is accessible at the `/outer/inner/mcp/` path.
|
|
|
|
### FastAPI Integration
|
|
|
|
For FastAPI-specific integration patterns including both mounting MCP servers into FastAPI apps and generating MCP servers from FastAPI apps, see the [FastAPI Integration guide](/integrations/fastapi).
|
|
|
|
Here's a quick example showing how to add MCP to an existing FastAPI application:
|
|
|
|
```python
|
|
from fastapi import FastAPI
|
|
from fastmcp import FastMCP
|
|
|
|
# Create your MCP server
|
|
mcp = FastMCP("API Tools")
|
|
|
|
@mcp.tool
|
|
def query_database(query: str) -> dict:
|
|
"""Run a database query"""
|
|
return {"result": "data"}
|
|
|
|
# Create the MCP ASGI app with path="/" since we'll mount at /mcp
|
|
mcp_app = mcp.http_app(path="/")
|
|
|
|
# Create FastAPI app with MCP lifespan (required for session management)
|
|
api = FastAPI(lifespan=mcp_app.lifespan)
|
|
|
|
@api.get("/api/status")
|
|
def status():
|
|
return {"status": "ok"}
|
|
|
|
# Mount MCP at /mcp
|
|
api.mount("/mcp", mcp_app)
|
|
|
|
# Run with: uvicorn app:api --host 0.0.0.0 --port 8000
|
|
```
|
|
|
|
Your existing API remains at `http://localhost:8000/api` while MCP is available at `http://localhost:8000/mcp`.
|
|
|
|
<Warning>
|
|
Just like with Starlette, you **must** pass the lifespan from the MCP app to FastAPI. Without this, the session manager won't initialize properly and requests will fail.
|
|
</Warning>
|
|
|
|
## Mounting Authenticated Servers
|
|
|
|
<VersionBadge version="2.13.0" />
|
|
|
|
<Tip>
|
|
This section only applies if you're **mounting an OAuth-protected FastMCP server under a path prefix** (like `/api`) inside another application using `Mount()`.
|
|
|
|
If you're deploying your FastMCP server at root level without any `Mount()` prefix, the well-known routes are automatically included in `mcp.http_app()` and you don't need to do anything special.
|
|
</Tip>
|
|
|
|
OAuth specifications (RFC 8414 and RFC 9728) require discovery metadata to be accessible at well-known paths under the root level of your domain. When you mount an OAuth-protected FastMCP server under a path prefix like `/api`, this creates a routing challenge: your operational OAuth endpoints move under the prefix, but discovery endpoints must remain at the root.
|
|
|
|
<Warning>
|
|
**Common Mistakes to Avoid:**
|
|
|
|
1. **Forgetting to mount `.well-known` routes at root** - FastMCP cannot do this automatically when your server is mounted under a path prefix. You must explicitly mount well-known routes at the root level.
|
|
|
|
2. **Including mount prefix in both base_url AND mcp_path** - The mount prefix (like `/api`) should only be in `base_url`, not in `mcp_path`. Otherwise you'll get double paths.
|
|
|
|
✅ **Correct:**
|
|
```python
|
|
base_url = "http://localhost:8000/api"
|
|
mcp_path = "/mcp"
|
|
# Result: /api/mcp
|
|
```
|
|
|
|
❌ **Wrong:**
|
|
```python
|
|
base_url = "http://localhost:8000/api"
|
|
mcp_path = "/api/mcp"
|
|
# Result: /api/api/mcp (double prefix!)
|
|
```
|
|
|
|
Follow the configuration instructions below to set up mounting correctly.
|
|
</Warning>
|
|
|
|
<Warning>
|
|
**CORS Middleware Conflicts:**
|
|
|
|
If you're integrating FastMCP into an existing application with its own CORS middleware, be aware that layering CORS middleware can cause conflicts (such as 404 errors on `.well-known` routes or OPTIONS requests).
|
|
|
|
FastMCP and the MCP SDK already handle CORS for OAuth routes. If you need CORS on your own application routes, consider using the sub-app pattern: mount FastMCP and your routes as separate apps, each with their own middleware, rather than adding application-wide CORS middleware.
|
|
</Warning>
|
|
|
|
### Route Types
|
|
|
|
OAuth-protected MCP servers expose two categories of routes:
|
|
|
|
**Operational routes** handle the OAuth flow and MCP protocol:
|
|
- `/authorize` - OAuth authorization endpoint
|
|
- `/token` - Token exchange endpoint
|
|
- `/auth/callback` - OAuth callback handler
|
|
- `/mcp` - MCP protocol endpoint
|
|
|
|
**Discovery routes** provide metadata for OAuth clients:
|
|
- `/.well-known/oauth-authorization-server` - Authorization server metadata
|
|
- `/.well-known/oauth-protected-resource/*` - Protected resource metadata
|
|
|
|
When you mount your MCP app under a prefix, operational routes move with it, but discovery routes must stay at root level for RFC compliance.
|
|
|
|
### Configuration Parameters
|
|
|
|
Three parameters control where routes are located and how they combine:
|
|
|
|
**`base_url`** tells clients where to find operational endpoints. This includes any Starlette `Mount()` path prefix (e.g., `/api`):
|
|
|
|
```python
|
|
base_url="http://localhost:8000/api" # Includes mount prefix
|
|
```
|
|
|
|
**`mcp_path`** is the internal FastMCP endpoint path, which gets appended to `base_url`:
|
|
|
|
```python
|
|
mcp_path="/mcp" # Internal MCP path, NOT the mount prefix
|
|
```
|
|
|
|
**`issuer_url`** (optional) controls the authorization server identity for OAuth discovery. Defaults to `base_url`.
|
|
|
|
```python
|
|
# Usually not needed - just set base_url and it works
|
|
issuer_url="http://localhost:8000" # Only if you want root-level discovery
|
|
```
|
|
|
|
When `issuer_url` has a path (either explicitly or by defaulting from `base_url`), FastMCP creates path-aware discovery routes per RFC 8414. For example, if `base_url` is `http://localhost:8000/api`, the authorization server metadata will be at `/.well-known/oauth-authorization-server/api`.
|
|
|
|
**Key Invariant:** `base_url + mcp_path = actual externally-accessible MCP URL`
|
|
|
|
Example:
|
|
- `base_url`: `http://localhost:8000/api` (mount prefix `/api`)
|
|
- `mcp_path`: `/mcp` (internal path)
|
|
- Result: `http://localhost:8000/api/mcp` (final MCP endpoint)
|
|
|
|
Note that the mount prefix (`/api` from `Mount("/api", ...)`) goes in `base_url`, while `mcp_path` is just the internal MCP route. Don't include the mount prefix in both places or you'll get `/api/api/mcp`.
|
|
|
|
### Mounting Strategy
|
|
|
|
When mounting an OAuth-protected server under a path prefix, declare your URLs upfront to make the relationships clear:
|
|
|
|
```python
|
|
from fastmcp import FastMCP
|
|
from fastmcp.server.auth.providers.github import GitHubProvider
|
|
from starlette.applications import Starlette
|
|
from starlette.routing import Mount
|
|
|
|
# Define the routing structure
|
|
ROOT_URL = "http://localhost:8000"
|
|
MOUNT_PREFIX = "/api"
|
|
MCP_PATH = "/mcp"
|
|
```
|
|
|
|
Create the auth provider with `base_url`:
|
|
|
|
```python
|
|
auth = GitHubProvider(
|
|
client_id="your-client-id",
|
|
client_secret="your-client-secret",
|
|
base_url=f"{ROOT_URL}{MOUNT_PREFIX}", # Operational endpoints under prefix
|
|
# issuer_url defaults to base_url - path-aware discovery works automatically
|
|
)
|
|
```
|
|
|
|
Create the MCP app, which generates operational routes at the specified path:
|
|
|
|
```python
|
|
mcp = FastMCP("Protected Server", auth=auth)
|
|
mcp_app = mcp.http_app(path=MCP_PATH)
|
|
```
|
|
|
|
Retrieve the discovery routes from the auth provider. The `mcp_path` argument should match the path used when creating the MCP app:
|
|
|
|
```python
|
|
well_known_routes = auth.get_well_known_routes(mcp_path=MCP_PATH)
|
|
```
|
|
|
|
Finally, mount everything in the Starlette app with discovery routes at root and the MCP app under the prefix:
|
|
|
|
```python
|
|
app = Starlette(
|
|
routes=[
|
|
*well_known_routes, # Discovery routes at root level
|
|
Mount(MOUNT_PREFIX, app=mcp_app), # Operational routes under prefix
|
|
],
|
|
lifespan=mcp_app.lifespan,
|
|
)
|
|
```
|
|
|
|
This configuration produces the following URL structure:
|
|
|
|
- MCP endpoint: `http://localhost:8000/api/mcp`
|
|
- OAuth authorization: `http://localhost:8000/api/authorize`
|
|
- OAuth callback: `http://localhost:8000/api/auth/callback`
|
|
- Authorization server metadata: `http://localhost:8000/.well-known/oauth-authorization-server/api`
|
|
- Protected resource metadata: `http://localhost:8000/.well-known/oauth-protected-resource/api/mcp`
|
|
|
|
Both discovery endpoints use path-aware URLs per RFC 8414 and RFC 9728, matching the `base_url` path.
|
|
|
|
### Complete Example
|
|
|
|
Here's a complete working example showing all the pieces together:
|
|
|
|
```python
|
|
from fastmcp import FastMCP
|
|
from fastmcp.server.auth.providers.github import GitHubProvider
|
|
from starlette.applications import Starlette
|
|
from starlette.routing import Mount
|
|
import uvicorn
|
|
|
|
# Define routing structure
|
|
ROOT_URL = "http://localhost:8000"
|
|
MOUNT_PREFIX = "/api"
|
|
MCP_PATH = "/mcp"
|
|
|
|
# Create OAuth provider
|
|
auth = GitHubProvider(
|
|
client_id="your-client-id",
|
|
client_secret="your-client-secret",
|
|
base_url=f"{ROOT_URL}{MOUNT_PREFIX}",
|
|
# issuer_url defaults to base_url - path-aware discovery works automatically
|
|
)
|
|
|
|
# Create MCP server
|
|
mcp = FastMCP("Protected Server", auth=auth)
|
|
|
|
@mcp.tool
|
|
def analyze(data: str) -> dict:
|
|
return {"result": f"Analyzed: {data}"}
|
|
|
|
# Create MCP app
|
|
mcp_app = mcp.http_app(path=MCP_PATH)
|
|
|
|
# Get discovery routes for root level
|
|
well_known_routes = auth.get_well_known_routes(mcp_path=MCP_PATH)
|
|
|
|
# Assemble the application
|
|
app = Starlette(
|
|
routes=[
|
|
*well_known_routes,
|
|
Mount(MOUNT_PREFIX, app=mcp_app),
|
|
],
|
|
lifespan=mcp_app.lifespan,
|
|
)
|
|
|
|
if __name__ == "__main__":
|
|
uvicorn.run(app, host="0.0.0.0", port=8000)
|
|
```
|
|
|
|
For more details on OAuth authentication, see the [Authentication guide](/servers/auth/authentication).
|
|
|
|
## Production Deployment
|
|
|
|
### Running with Uvicorn
|
|
|
|
When deploying to production, you'll want to optimize your server for performance and reliability. Uvicorn provides several options to improve your server's capabilities:
|
|
|
|
```bash
|
|
# Run with basic configuration
|
|
uvicorn app:app --host 0.0.0.0 --port 8000
|
|
|
|
# Run with multiple workers for production (requires stateless mode - see below)
|
|
uvicorn app:app --host 0.0.0.0 --port 8000 --workers 4
|
|
```
|
|
|
|
### Horizontal Scaling
|
|
|
|
<VersionBadge version="2.10.2" />
|
|
|
|
When deploying FastMCP behind a load balancer or running multiple server instances, you need to understand how the HTTP transport handles sessions and configure your server appropriately.
|
|
|
|
#### Understanding Sessions
|
|
|
|
By default, FastMCP's Streamable HTTP transport maintains server-side sessions. Sessions enable stateful MCP features like [elicitation](/servers/elicitation) and [sampling](/servers/sampling), where the server needs to maintain context across multiple requests from the same client.
|
|
|
|
This works perfectly for single-instance deployments. However, sessions are stored in memory on each server instance, which creates challenges when scaling horizontally.
|
|
|
|
#### Without Stateless Mode
|
|
|
|
When running multiple server instances behind a load balancer (Traefik, nginx, HAProxy, Kubernetes, etc.), requests from the same client may be routed to different instances:
|
|
|
|
1. Client connects to Instance A → session created on Instance A
|
|
2. Next request routes to Instance B → session doesn't exist → **request fails**
|
|
|
|
You might expect sticky sessions (session affinity) to solve this, but they don't work reliably with MCP clients.
|
|
|
|
<Warning>
|
|
**Why sticky sessions don't work:** Most MCP clients—including Cursor and Claude Code—use `fetch()` internally and don't properly forward `Set-Cookie` headers. Without cookies, load balancers can't identify which instance should handle subsequent requests. This is a limitation in how these clients implement HTTP, not something you can fix with load balancer configuration.
|
|
</Warning>
|
|
|
|
#### Enabling Stateless Mode
|
|
|
|
For horizontally scaled deployments, enable stateless HTTP mode. In stateless mode, each request creates a fresh transport context, eliminating the need for session affinity entirely.
|
|
|
|
**Option 1: Via `http_app()`**
|
|
|
|
```python
|
|
from fastmcp import FastMCP
|
|
|
|
mcp = FastMCP("My Server")
|
|
|
|
@mcp.tool
|
|
def process(data: str) -> str:
|
|
return f"Processed: {data}"
|
|
|
|
app = mcp.http_app(stateless_http=True)
|
|
```
|
|
|
|
**Option 2: Via `run()`**
|
|
|
|
```python
|
|
if __name__ == "__main__":
|
|
mcp.run(transport="http", stateless_http=True)
|
|
```
|
|
|
|
**Option 3: Via environment variable**
|
|
|
|
```bash
|
|
FASTMCP_STATELESS_HTTP=true uvicorn app:app --host 0.0.0.0 --port 8000 --workers 4
|
|
```
|
|
|
|
### Environment Variables
|
|
|
|
Production deployments should never hardcode sensitive information like API keys or authentication tokens. Instead, use environment variables to configure your server at runtime. This keeps your code secure and makes it easy to deploy the same code to different environments with different configurations.
|
|
|
|
Here's an example using static token authentication for development (OAuth is recommended for production):
|
|
|
|
```python
|
|
import os
|
|
from fastmcp import FastMCP
|
|
from fastmcp.server.auth import StaticTokenVerifier
|
|
|
|
# Read configuration from environment
|
|
auth_token = os.environ.get("MCP_AUTH_TOKEN")
|
|
if auth_token:
|
|
auth = StaticTokenVerifier(tokens={auth_token: {"sub": "admin", "client_id": "cli"}})
|
|
mcp = FastMCP("Production Server", auth=auth)
|
|
else:
|
|
mcp = FastMCP("Production Server")
|
|
|
|
app = mcp.http_app()
|
|
```
|
|
|
|
Deploy with your secrets safely stored in environment variables:
|
|
```bash
|
|
MCP_AUTH_TOKEN=secret uvicorn app:app --host 0.0.0.0 --port 8000
|
|
```
|
|
|
|
### OAuth Token Security
|
|
|
|
<VersionBadge version="2.13.0" />
|
|
|
|
If you're using the [OAuth Proxy](/servers/auth/oauth-proxy), FastMCP issues its own JWT tokens to clients instead of forwarding upstream provider tokens. This maintains proper OAuth 2.0 token boundaries.
|
|
|
|
**Default Behavior (Development Only):**
|
|
|
|
By default, FastMCP automatically manages cryptographic keys:
|
|
- **Mac/Windows**: Keys are generated and stored in your system keyring, surviving server restarts. Suitable **only** for development and local testing.
|
|
- **Linux**: Keys are ephemeral (random salt at startup), so tokens are invalidated on restart.
|
|
|
|
This automatic approach is convenient for development but not suitable for production deployments.
|
|
|
|
**For Production:**
|
|
|
|
Production requires explicit key management to ensure tokens survive restarts and can be shared across multiple server instances. This requires the following two things working together:
|
|
|
|
1. **Explicit JWT signing key** for signing tokens issued to clients
|
|
3. **Persistent network-accessible storage** for upstream tokens (wrapped in `FernetEncryptionWrapper` to encrypt sensitive data at rest)
|
|
|
|
**Configuration:**
|
|
|
|
Add two parameters to your auth provider:
|
|
|
|
```python {8-12}
|
|
from key_value.aio.stores.redis import RedisStore
|
|
from key_value.aio.wrappers.encryption import FernetEncryptionWrapper
|
|
from cryptography.fernet import Fernet
|
|
|
|
auth = GitHubProvider(
|
|
client_id=os.environ["GITHUB_CLIENT_ID"],
|
|
client_secret=os.environ["GITHUB_CLIENT_SECRET"],
|
|
jwt_signing_key=os.environ["JWT_SIGNING_KEY"],
|
|
client_storage=FernetEncryptionWrapper(
|
|
key_value=RedisStore(host="redis.example.com", port=6379),
|
|
fernet=Fernet(os.environ["STORAGE_ENCRYPTION_KEY"])
|
|
),
|
|
base_url="https://your-server.com" # use HTTPS
|
|
)
|
|
```
|
|
|
|
Both parameters are required for production. Without an explicit signing key, keys are signed using a key derived from the client_secret, which will cause invalidation upon rotation of the client secret. Without persistent storage, tokens are local to the server and won't be trusted across hosts. **Wrap your storage backend in `FernetEncryptionWrapper` to encrypt sensitive OAuth tokens at rest** - without encryption, tokens are stored in plaintext.
|
|
|
|
For more details on the token architecture and key management, see [OAuth Proxy Key and Storage Management](/servers/auth/oauth-proxy#key-and-storage-management).
|
|
|
|
## Reverse Proxy (nginx)
|
|
|
|
In production, you'll typically run your FastMCP server behind a reverse proxy like nginx. A reverse proxy provides TLS termination, domain-based routing, static file serving, and an additional layer of security between the internet and your application.
|
|
|
|
### Running FastMCP as a Linux Service
|
|
|
|
Before configuring nginx, you need your FastMCP server running as a background service. A systemd unit file ensures your server starts automatically and restarts on failure.
|
|
|
|
Create a file at `/etc/systemd/system/fastmcp.service`:
|
|
|
|
```ini
|
|
[Unit]
|
|
Description=FastMCP Server
|
|
After=network.target
|
|
|
|
[Service]
|
|
User=www-data
|
|
Group=www-data
|
|
WorkingDirectory=/opt/fastmcp
|
|
ExecStart=/opt/fastmcp/.venv/bin/uvicorn app:app --host 127.0.0.1 --port 8000
|
|
Restart=always
|
|
RestartSec=5
|
|
Environment="PATH=/opt/fastmcp/.venv/bin"
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
```
|
|
|
|
Enable and start the service:
|
|
|
|
```bash
|
|
sudo systemctl daemon-reload
|
|
sudo systemctl enable fastmcp
|
|
sudo systemctl start fastmcp
|
|
```
|
|
|
|
This assumes your ASGI application is in `/opt/fastmcp/app.py` with a virtual environment at `/opt/fastmcp/.venv`. Adjust paths to match your deployment layout.
|
|
|
|
### nginx Configuration
|
|
|
|
FastMCP's Streamable HTTP transport uses Server-Sent Events (SSE) for streaming responses. This requires specific nginx settings to prevent buffering from breaking the event stream.
|
|
|
|
Create a site configuration at `/etc/nginx/sites-available/fastmcp`:
|
|
|
|
```nginx
|
|
server {
|
|
listen 80;
|
|
server_name mcp.example.com;
|
|
|
|
# Redirect HTTP to HTTPS
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
server_name mcp.example.com;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/mcp.example.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/mcp.example.com/privkey.pem;
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:8000;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection '';
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Required for SSE (Server-Sent Events) streaming
|
|
proxy_buffering off;
|
|
proxy_cache off;
|
|
|
|
# Allow long-lived connections for streaming responses
|
|
proxy_read_timeout 300s;
|
|
proxy_send_timeout 300s;
|
|
}
|
|
}
|
|
```
|
|
|
|
Enable the site and reload nginx:
|
|
|
|
```bash
|
|
sudo ln -s /etc/nginx/sites-available/fastmcp /etc/nginx/sites-enabled/
|
|
sudo nginx -t
|
|
sudo systemctl reload nginx
|
|
```
|
|
|
|
Your FastMCP server is now accessible at `https://mcp.example.com/mcp`.
|
|
|
|
<Warning>
|
|
**SSE buffering is the most common issue.** If clients connect but never receive streaming responses (progress updates, tool results), verify that `proxy_buffering off` is set. Without it, nginx buffers the entire SSE stream and delivers it only when the connection closes, which breaks real-time communication.
|
|
</Warning>
|
|
|
|
### Key Considerations
|
|
|
|
When deploying FastMCP behind a reverse proxy, keep these points in mind:
|
|
|
|
- **Disable buffering**: SSE requires `proxy_buffering off` so events reach clients immediately. This is the single most important setting.
|
|
- **Increase timeouts**: The default nginx `proxy_read_timeout` is 60 seconds. Long-running MCP tools will cause the connection to drop. Set timeouts to at least 300 seconds, or higher if your tools run longer. For tools that may exceed any timeout, use [SSE Polling](#sse-polling-for-long-running-operations) to gracefully handle proxy disconnections.
|
|
- **Use HTTP/1.1**: Set `proxy_http_version 1.1` and `proxy_set_header Connection ''` to enable keep-alive connections between nginx and your server. Clearing the `Connection` header prevents clients from sending `Connection: close` to your upstream, which would break SSE streams. Both settings are required for proper SSE support.
|
|
- **Forward headers**: Pass `X-Forwarded-For` and `X-Forwarded-Proto` so your FastMCP server can determine the real client IP and protocol. This is important for logging and for OAuth redirect URLs.
|
|
- **TLS termination**: Let nginx handle TLS certificates (e.g., via Let's Encrypt with Certbot). Your FastMCP server can then run on plain HTTP internally.
|
|
|
|
### Mounting Under a Path Prefix
|
|
|
|
If you want your MCP server available at a subpath like `https://example.com/api/mcp` instead of at the root domain, adjust the nginx `location` block:
|
|
|
|
```nginx
|
|
location /api/ {
|
|
proxy_pass http://127.0.0.1:8000/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection '';
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Required for SSE streaming
|
|
proxy_buffering off;
|
|
proxy_cache off;
|
|
proxy_read_timeout 300s;
|
|
proxy_send_timeout 300s;
|
|
}
|
|
```
|
|
|
|
Note the trailing `/` on both `location /api/` and `proxy_pass http://127.0.0.1:8000/` — this ensures nginx strips the `/api` prefix before forwarding to your server. If you're using OAuth authentication with a mount prefix, see [Mounting Authenticated Servers](#mounting-authenticated-servers) for additional configuration.
|
|
|
|
## Testing Your Deployment
|
|
|
|
Once your server is deployed, you'll need to verify it's accessible and functioning correctly. For comprehensive testing strategies including connectivity tests, client testing, and authentication testing, see the [Testing Your Server](/development/tests) guide.
|
|
|
|
## Hosting Your Server
|
|
|
|
This guide has shown you how to create an HTTP-accessible MCP server, but you'll still need a hosting provider to make it available on the internet. Your FastMCP server can run anywhere that supports Python web applications:
|
|
|
|
- **Cloud VMs** (AWS EC2, Google Compute Engine, Azure VMs)
|
|
- **Container platforms** (Cloud Run, Container Instances, ECS)
|
|
- **Platform-as-a-Service** (Railway, Render, Vercel)
|
|
- **Edge platforms** (Cloudflare Workers)
|
|
- **Kubernetes clusters** (self-managed or managed)
|
|
|
|
The key requirements are Python 3.10+ support and the ability to expose an HTTP port. Most providers will require you to package your server (requirements.txt, Dockerfile, etc.) according to their deployment format. For managed, zero-configuration deployment, see [Prefect Horizon](/deployment/prefect-horizon).
|