FastMCP’s journey continues at a thrilling pace. Since my last update on Streamable HTTP, we’ve rolled out version 2.4 (“Config and Conquer”) to simplify MCP client configuration, and version 2.5 (“Route Awakening”) with powerful new tools for OpenAPI generation.
As the team and community around FastMCP grows, so does our commitment to rapid iteration. Our mission is clear: deliver the simplest path to production in the MCP ecosystem. This means shipping developer-friendly features that drive real-world adoption and partnering with best-in-class providers to make distribution effortless. Much more on that front coming soon!
Today, I’m incredibly excited to announce FastMCP 2.6 (“Blast Auth”). This release is a game-changer because it tackles a critical need that has, almost overnight, become paramount: authentication for remote MCP servers.
The timing here is no accident.
In just the last week, there’s been a whirlwind of major MCP activity. Industry leaders like Anthropic, OpenAI, and Google all announced support for accessing remote MCP servers directly within their APIs and SDKs. This is a massive step forward and a resounding validation of the MCP vision, signaling a serious industry-wide commitment to standardizing how AI models interact with tools and data.
But with great power (and public endpoints) comes great responsibility.
Many of these new API integrations hinge on the LLMs being able to access your MCP servers remotely. And let’s be frank: no one wants to expose an unauthenticated MCP server to the public internet, especially if it’s a gateway to sensitive internal systems. Therefore, MCP authentication has swiftly moved from a “nice-to-have” to an absolute necessity.
This is where the current landscape gets a bit… interesting.
The official MCP specification, in its wisdom, dictates that HTTP-based MCP servers must implement a full OAuth 2.1 handshake. That’s a robust standard, no doubt. But it’s also a heavy lift designed for interactive, browser-based use cases, and one that’s difficult to manage in the programmatic, server-to-server use cases that these new API integrations are designed for.
So while the big API providers are saying “Yes, bring your MCP servers!” and allowing users to provide access tokens for those servers, they’re punting on exactly how those tokens should be obtained, essentially saying, “That’s your problem.”
Happily, FastMCP 2.6 is here to solve it by introducing straightforward server and client authentication.
We have taken a decidedly pragmatic approach with our first cut of server-side auth and shipped a Bearer token authentication scheme. We want to be clear that this does not implement a full OAuth 2.1 handshake, and therefore is not strictly compliant with the MCP spec. However, it is fully compatible with how the major AI vendors are actually using MCP today, and allows users to begin shipping useful applications immediately.
Setting up a full OAuth 2.1 identity server is a significant undertaking more appropriate for enterprise production than a gradual developer adoption curve. Bearer token validation, by contrast, can be as simple as providing a public key. This means you can secure your FastMCP server with minimal friction and get back to building cool things.
Frankly, this feels like an area where the MCP spec might be running well ahead of its own maturity.
In FastMCP 2.6, you can either provide a public key directly to your server (in PEM format) or use a JWKS URI to fetch the key(s) dynamically from a remote server:
from fastmcp import FastMCPfrom fastmcp.server.auth import BearerAuthProvider
mcp = FastMCP( name="MyAuthenticatedServer", auth=BearerAuthProvider( # -- Provide a static public key (PEM format) # public_key="your-public-key-string", # -- OR, preferably for production, a JWKS URI jwks_uri="https://example.com/.well-known/jwks.json", ))
@mcp.tool()def echo(message: str) -> str: return f"Server echoes: {message}"
if __name__ == "__main__": mcp.run(transport="streamable-http")To learn more, please review the server-side auth docs.
A quick note: We’re already collaborating with partners to bring plug-and-play OAuth 2.1 server integrations to FastMCP. Bearer auth is only the first, pragmatic step to meet the ecosystem’s immediate needs.
On the client side, however, we’ve pulled out all the stops.
The FastMCP client now boasts comprehensive support for both Bearer token authentication (simply provide your token) and a remarkably smooth, full in-browser OAuth 2.1 flow.
For many OAuth-protected servers, our client can navigate the entire browser-based handshake with minimal, and sometimes zero, additional configuration on your part. After wading through the intricacies of auth protocols these past few months, seeing this “just work” feels like a genuine breakthrough for developer experience.
To use the client with default OAuth settings and dynamic registration, it’s as simple as passing the string "oauth" as the auth parameter:
import asynciofrom fastmcp import Client
client = Client( "http://my-secure-oauth-server.com/mcp", # URL to your MCP server auth="oauth", # Enable OAuth with default settings)
async def main(): async with client: await client.ping() print("Successfully connected with OAuth!")
if __name__ == "__main__": asyncio.run(main())This enables your FastMCP client applications to securely interact with a wide array of OAuth-protected MCP servers, with FastMCP elegantly handling the underlying complexities.
You can learn more about customizing client-side auth in the client auth docs.
To help you hit the ground running, we’ve also shipped four new tutorials demonstrating how to integrate your FastMCP servers with Anthropic’s API, Claude Desktop, OpenAI’s API, and the Gemini SDK. These guides make it easier than ever to connect your secure FastMCP servers to the world’s leading AI models.
This release, and our approach to authentication in particular, exemplifies how FastMCP 2.0 is committed to making high-level, opinionated decisions that prioritize developer experience and enable rapid, practical deployment. We’re building the toolkit we want for working with MCP in the real world.
And speaking of real-world deployment: we know that securing your server is only half the battle; you also need a place to host it. We’ve got some very exciting news on that front coming very, very soon…
For now, dive into FastMCP 2.6!
Happy Authenticating! 🔒