60e0ffc959
Upgrade checks / Notify on failure (push) Has been cancelled
Upgrade checks / Close issue on success (push) Has been cancelled
Schema Crash Test / Real-world schema crash test (232K schemas) (push) Has been cancelled
Run static analysis / static_analysis (push) Has been cancelled
Tests / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Tests / Tests with lowest-direct dependencies (push) Has been cancelled
Tests / MCP conformance tests (push) Has been cancelled
Tests / Integration tests (push) Has been cancelled
Tests / Package install smoke (push) Has been cancelled
Upgrade checks / Static analysis (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Upgrade checks / Integration tests (push) Has been cancelled
Update MCPServerConfig Schema / update-config-schema (push) Has been cancelled
Update SDK Documentation / update-sdk-docs (push) Has been cancelled
133 lines
4.6 KiB
Plaintext
133 lines
4.6 KiB
Plaintext
---
|
|
title: AuthKit 🤝 FastMCP
|
|
sidebarTitle: AuthKit
|
|
description: Secure your FastMCP server with AuthKit by WorkOS
|
|
icon: shield-check
|
|
tag: NEW
|
|
---
|
|
|
|
import { VersionBadge } from "/snippets/version-badge.mdx"
|
|
|
|
<VersionBadge version="2.11.0" />
|
|
|
|
This guide shows you how to secure your FastMCP server using WorkOS's **AuthKit**, a complete authentication and user management solution. This integration uses the [**Remote OAuth**](/v2/servers/auth/remote-oauth) pattern, where AuthKit handles user login and your FastMCP server validates the tokens.
|
|
|
|
|
|
## Configuration
|
|
### Prerequisites
|
|
|
|
Before you begin, you will need:
|
|
1. A **[WorkOS Account](https://workos.com/)** and a new **Project**.
|
|
2. An **[AuthKit](https://www.authkit.com/)** instance configured within your WorkOS project.
|
|
3. Your FastMCP server's URL (can be localhost for development, e.g., `http://localhost:8000`).
|
|
|
|
### Step 1: AuthKit Configuration
|
|
|
|
In your WorkOS Dashboard, enable AuthKit and configure the following settings:
|
|
|
|
<Steps>
|
|
<Step title="Enable Dynamic Client Registration">
|
|
Go to **Applications → Configuration** and enable **Dynamic Client Registration**. This allows MCP clients register with your application automatically.
|
|
|
|

|
|
</Step>
|
|
|
|
<Step title="Note Your AuthKit Domain">
|
|
Find your **AuthKit Domain** on the configuration page. It will look like `https://your-project-12345.authkit.app`. You'll need this for your FastMCP server configuration.
|
|
</Step>
|
|
</Steps>
|
|
|
|
### Step 2: FastMCP Configuration
|
|
|
|
Create your FastMCP server file and use the `AuthKitProvider` to handle all the OAuth integration automatically:
|
|
|
|
```python server.py
|
|
from fastmcp import FastMCP
|
|
from fastmcp.server.auth.providers.workos import AuthKitProvider
|
|
|
|
# The AuthKitProvider automatically discovers WorkOS endpoints
|
|
# and configures JWT token validation
|
|
auth_provider = AuthKitProvider(
|
|
authkit_domain="https://your-project-12345.authkit.app",
|
|
base_url="http://localhost:8000" # Use your actual server URL
|
|
)
|
|
|
|
mcp = FastMCP(name="AuthKit Secured App", auth=auth_provider)
|
|
```
|
|
|
|
## Testing
|
|
|
|
To test your server, you can use the `fastmcp` CLI to run it locally. Assuming you've saved the above code to `server.py` (after replacing the `authkit_domain` and `base_url` with your actual values!), you can run the following command:
|
|
|
|
```bash
|
|
fastmcp run server.py --transport http --port 8000
|
|
```
|
|
|
|
Now, you can use a FastMCP client to test that you can reach your server after authenticating:
|
|
|
|
```python
|
|
from fastmcp import Client
|
|
import asyncio
|
|
|
|
async def main():
|
|
async with Client("http://localhost:8000/mcp", auth="oauth") as client:
|
|
assert await client.ping()
|
|
|
|
if __name__ == "__main__":
|
|
asyncio.run(main())
|
|
```
|
|
|
|
|
|
## Environment Variables
|
|
|
|
<VersionBadge version="2.12.1" />
|
|
|
|
For production deployments, use environment variables instead of hardcoding credentials.
|
|
|
|
### Provider Selection
|
|
|
|
Setting this environment variable allows the AuthKit provider to be used automatically without explicitly instantiating it in code.
|
|
|
|
<Card>
|
|
<ParamField path="FASTMCP_SERVER_AUTH" default="Not set">
|
|
Set to `fastmcp.server.auth.providers.workos.AuthKitProvider` to use AuthKit authentication.
|
|
</ParamField>
|
|
</Card>
|
|
|
|
### AuthKit-Specific Configuration
|
|
|
|
These environment variables provide default values for the AuthKit provider, whether it's instantiated manually or configured via `FASTMCP_SERVER_AUTH`.
|
|
|
|
<Card>
|
|
<ParamField path="FASTMCP_SERVER_AUTH_AUTHKITPROVIDER_AUTHKIT_DOMAIN" required>
|
|
Your AuthKit domain (e.g., `https://your-project-12345.authkit.app`)
|
|
</ParamField>
|
|
|
|
<ParamField path="FASTMCP_SERVER_AUTH_AUTHKITPROVIDER_BASE_URL" required>
|
|
Public URL of your FastMCP server (e.g., `https://your-server.com` or `http://localhost:8000` for development)
|
|
</ParamField>
|
|
|
|
<ParamField path="FASTMCP_SERVER_AUTH_AUTHKITPROVIDER_REQUIRED_SCOPES" default="[]">
|
|
Comma-, space-, or JSON-separated list of required OAuth scopes (e.g., `openid profile email` or `["openid", "profile", "email"]`)
|
|
</ParamField>
|
|
</Card>
|
|
|
|
Example `.env` file:
|
|
```bash
|
|
# Use the AuthKit provider
|
|
FASTMCP_SERVER_AUTH=fastmcp.server.auth.providers.workos.AuthKitProvider
|
|
|
|
# AuthKit configuration
|
|
FASTMCP_SERVER_AUTH_AUTHKITPROVIDER_AUTHKIT_DOMAIN=https://your-project-12345.authkit.app
|
|
FASTMCP_SERVER_AUTH_AUTHKITPROVIDER_BASE_URL=https://your-server.com
|
|
FASTMCP_SERVER_AUTH_AUTHKITPROVIDER_REQUIRED_SCOPES=openid,profile,email
|
|
```
|
|
|
|
With environment variables set, your server code simplifies to:
|
|
|
|
```python server.py
|
|
from fastmcp import FastMCP
|
|
|
|
# Authentication is automatically configured from environment
|
|
mcp = FastMCP(name="AuthKit Secured App")
|
|
``` |