OAuth 2.1 + PKCE authentication for FastMCP servers with support for Google, Microsoft, and GitHub.
- OAuth 2.1 + PKCE - Standards-compliant authentication
- Multiple Providers - Google, Microsoft Entra ID, GitHub
- Scope-based Authorization - Granular permission control
- MCP Tools - Authenticated AI tool access
- Production Ready - Comprehensive error handling & security
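The "OAuth 2.1 + PKCE" bullet refers to RFC 7636 Proof Key for Code Exchange. The following is an added, self-contained example (not fastmcp-oauth's own code) of the two halves of that mechanism: the party that starts the authorization request generates a random `code_verifier` and sends only its SHA-256 `code_challenge`; the party that issues the token recomputes the challenge from the verifier presented at the token endpoint and compares the two. OAuth 2.1 permits only the `S256` method, so `plain` is rejected here. The function names are this example's own.

```python
# Added example: RFC 7636 PKCE (S256) generation and verification.
# Function names are this example's own, not fastmcp-oauth's API.
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Initiating side: a high-entropy random verifier.

    32 random bytes encode to 43 characters, the RFC minimum; 96 bytes would
    give the 128-character maximum.
    """
    verifier = b64url(secrets.token_bytes(nbytes))
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return verifier


def make_code_challenge(verifier: str) -> str:
    """Initiating side: S256 challenge sent with the authorization request.

    Only the challenge travels through the browser; the verifier is kept
    until the token request.
    """
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return b64url(digest)


def verify_pkce(stored_challenge: str, presented_verifier: str,
                method: str = "S256") -> bool:
    """Token-issuing side: recompute the challenge from the verifier that
    arrived with the token request and compare in constant time.

    The challenge was stored together with the authorization code when the
    code was issued. 'plain' is refused: OAuth 2.1 allows S256 only.
    """
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    c = make_code_challenge(v)
    print("verifier :", v)
    print("challenge:", c)
    print("verified :", verify_pkce(c, v))
```

`hmac.compare_digest` is used for the final comparison so that a wrong verifier is not distinguishable by timing; the length check before it stops malformed input from reaching the hash at all.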
```bash
# From PyPI (when published)
pip install fastmcp-oauth

# From Git
pip install git+https://github.com/peterlarnholt/fastmcp-oauth.git

# With Poetry
poetry add git+https://github.com/peterlarnholt/fastmcp-oauth.git
```

```python
from fastmcp import FastMCP
from fastmcp_oauth import MicrosoftOAuth, require_auth

# Create server
mcp = FastMCP("My Server")

# Add Microsoft OAuth (3 lines!)
oauth = MicrosoftOAuth.from_env()
app = oauth.install(mcp)

# Protected tool
@mcp.tool()
@require_auth
async def get_user_info(ctx) -> str:
    user = ctx.auth.user
    return f"Hello {user.name}! Email: {user.email}"
```

```env
SECRET_KEY=your-secret-key-32-chars-minimum
MICROSOFT_CLIENT_ID=your-microsoft-client-id
MICROSOFT_CLIENT_SECRET=your-microsoft-client-secret
MICROSOFT_TENANT=common  # or your tenant ID
```

```python
from fastmcp_oauth import MicrosoftOAuth

oauth = MicrosoftOAuth.from_env()
```

```python
from fastmcp_oauth import GoogleOAuth

oauth = GoogleOAuth.from_env()
```

```python
from fastmcp_oauth import GitHubOAuth

oauth = GitHubOAuth.from_env()
```

```python
from fastmcp_oauth import OAuthProvider

# Detects all configured providers
oauth = OAuthProvider.from_env()
```

```python
from fastmcp_oauth import require_auth, require_scope, require_user

# `mcp` is the FastMCP instance created in the quick start above

# Any authenticated user
@mcp.tool()
@require_auth
async def protected_tool(ctx) -> str:
    return f"Hello {ctx.auth.user.name}!"

# Authenticated user holding the "admin" scope
@mcp.tool()
@require_scope("admin")
async def admin_tool(ctx) -> str:
    return "Admin operation"

# Authenticated user whose e-mail domain is company.com
@mcp.tool()
@require_user(domain="company.com")
async def company_tool(ctx) -> str:
    return "Company-only tool"

# Authenticated user who signed in through the Microsoft provider
@mcp.tool()
@require_user(provider="microsoft")
async def microsoft_only(ctx) -> str:
    return "Microsoft users only"
```

- Setup Guides: Provider-specific setup instructions
- API Reference: Complete API documentation
- Examples: Working examples for each provider
- Security: Best practices and security considerations
- Go to Azure Portal
- Navigate to Azure Active Directory → App registrations
- Create new registration
- Add redirect URI: `http://localhost:8000/oauth/callback`
- Generate client secret
- Configure API permissions: `User.Read`, `openid`, `profile`, `email`

- Go to Google Cloud Console
- Create OAuth 2.0 credentials
- Add redirect URI: `http://localhost:8000/oauth/callback`
- Configure OAuth consent screen

- Go to GitHub Settings → Developer settings → OAuth Apps
- Create new OAuth app
- Set Authorization callback URL: `http://localhost:8000/oauth/callback`
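Each of the three setups registers the redirect URI `http://localhost:8000/oauth/callback`. OAuth 2.1 requires that a redirect URI presented in an authorization request be compared against the registered values by exact string match, and that plain `http` be used only for loopback development addresses. The following added example (not part of fastmcp-oauth) shows both checks: a registration-time linter for the URI you are about to register, and the request-time exact-match test; the function names are this example's own.

```python
# Added example: redirect URI hygiene for the OAuth setup above.
# Function names are this example's own, not fastmcp-oauth's API.
from typing import Iterable, List
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_registered_redirect_uri(uri: str) -> List[str]:
    """Registration-time checks. Returns the list of problems (empty = acceptable)."""
    problems: List[str] = []
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("missing host")
    elif parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        problems.append("plain http is only acceptable for loopback development URIs")
    if "*" in uri:
        problems.append("wildcards are not allowed; register each URI exactly")
    if parts.fragment:
        problems.append("fragment component is not allowed")
    if not parts.path:
        problems.append("path should be explicit (e.g. /oauth/callback)")
    return problems


def redirect_uri_allowed(candidate: str, registered: Iterable[str]) -> bool:
    """Request-time check: exact string match, as OAuth 2.1 requires.

    No prefix matching, no host-suffix matching, no case folding and no
    tolerance for extra query parameters: anything other than a registered
    string is refused, and the authorization request is rejected outright.
    """
    return candidate in set(registered)


if __name__ == "__main__":
    registered = {"http://localhost:8000/oauth/callback"}
    for uri in registered:
        print(uri, "->", check_registered_redirect_uri(uri) or "ok")
    for candidate in (
        "http://localhost:8000/oauth/callback",
        "http://localhost:8000/oauth/callback?next=/admin",
        "HTTP://localhost:8000/oauth/callback",
    ):
        print(candidate, "allowed" if redirect_uri_allowed(candidate, registered) else "refused")
```

When you move from the localhost URI in these steps to a deployed server, re-run the registration check on the new value and register the production URI as a separate exact string; do not try to cover both with a pattern.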
```bash
# Test with MCP Inspector
npx @modelcontextprotocol/inspector http://localhost:8000/sse
```

MIT License - see LICENSE file for details.

Contributions welcome! Please read our contributing guidelines.
```bash
git clone https://github.com/peterlarnholt/fastmcp-oauth.git
cd fastmcp-oauth
pip install -e ".[dev]"
pytest
```