fastmcp.server.auth.providers.jwt

TokenVerifier implementations for FastMCP.

Classes

JWKData

JSON Web Key data structure.

JWKSData

JSON Web Key Set data structure.

RSAKeyPair

RSA key pair for JWT testing. Methods:

generate

generate(cls) -> RSAKeyPair
Generate an RSA key pair for testing. Returns:
  • Generated key pair

create_token

create_token(self, subject: str = 'fastmcp-user', issuer: str = 'https://fastmcp.example.com', audience: str | list[str] | None = None, scopes: list[str] | None = None, expires_in_seconds: int = 3600, additional_claims: dict[str, Any] | None = None, kid: str | None = None) -> str
Generate a signed JWT for use in tests. Args:
  • subject: Subject claim (usually user ID)
  • issuer: Issuer claim
  • audience: Audience claim - can be a string or list of strings (optional)
  • scopes: List of scopes to include
  • expires_in_seconds: Token expiration time in seconds
  • additional_claims: Any additional claims to include
  • kid: Key ID to include in header

JWTVerifierSettings

Settings for JWT token verification.

JWTVerifier

JWT token verifier supporting both asymmetric (RSA/ECDSA) and symmetric (HMAC) algorithms. This verifier validates JWT tokens using various signing algorithms:
  • Asymmetric algorithms (RS256/384/512, ES256/384/512, PS256/384/512): use a public/private key pair. Suited to external clients and services, since only the authorization server holds the private key and the verifier needs only the public key (or a JWKS endpoint).
  • Symmetric algorithms (HS256/384/512): use one shared secret for both signing and verification. Suited to internal microservices and trusted environments where the secret can be distributed securely; note that every party holding the secret can mint tokens as well as verify them, so the secret should reach the issuer and its verifiers only.
Configure the verifier for one key and one algorithm family; a token's alg header is attacker controlled and must not decide which check runs.
Use this when:
  • You have JWT tokens issued by an external service (asymmetric)
  • You need JWKS support for automatic key rotation (asymmetric)
  • You have internal microservices sharing a secret key (symmetric)
  • Your tokens contain standard OAuth scopes and claims
Methods:

load_access_token

load_access_token(self, token: str) -> AccessToken | None
Validates the provided JWT bearer token. Args:
  • token: The JWT token string to validate
Returns:
  • AccessToken object if valid, None if invalid or expired

verify_token

verify_token(self, token: str) -> AccessToken | None
Verify a bearer token and return access info if valid. This method implements the TokenVerifier protocol by delegating to load_access_token. Args:
  • token: The JWT token string to validate
Returns:
  • AccessToken object if valid, None if invalid or expired
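The following is an added example, not code from FastMCP: a standard-library HS256 issuer and verifier that models the token shape create_token produces and the checks load_access_token is documented to perform (signature, issuer, audience as a string or list, expiry, scopes), returning the claims on success and None otherwise. It assumes scopes travel in a space-separated scope claim and that any alg header other than the configured one is rejected outright; the secret, issuer and claim values are constructed for the demo.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Any


def _b64url(data: bytes) -> str:
    # JWT segments use URL-safe base64 without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict[str, Any]) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_hs256(secret: bytes, claims: dict[str, Any], kid: str | None = None) -> str:
    """Issue an HS256 token. This needs nothing but the shared secret, which is
    why every service that can verify a symmetric token can also forge one."""
    header: dict[str, Any] = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = f"{_segment(header)}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def unsigned_token(claims: dict[str, Any]) -> str:
    """The classic 'alg: none' forgery; a correct verifier must reject it."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_hs256(
    token: str,
    secret: bytes,
    issuer: str,
    audience: str,
    required_scopes: list[str] | None = None,
    now: float | None = None,
) -> dict[str, Any] | None:
    """Return the claims if the token is valid, None if invalid or expired."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm to the configured key: the header is attacker
        # controlled and must not select the verification routine.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        return None
    # 'aud' may be a single string or a list (RFC 7519 section 4.1.3).
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud_set = {aud}
    elif isinstance(aud, list):
        aud_set = {a for a in aud if isinstance(a, str)}
    else:
        aud_set = set()
    if audience not in aud_set:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    # Assumption: scopes are carried as a space-separated 'scope' string.
    scope = claims.get("scope", "")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    if required_scopes and not set(required_scopes) <= granted:
        return None
    return claims


# Constructed demo values; not real credentials.
DEMO_SECRET = b"constructed-shared-secret-for-demo-only"
DEMO_ISSUER = "https://issuer.example"


def demo_claims(now: int) -> dict[str, Any]:
    return {"sub": "alice", "iss": DEMO_ISSUER, "aud": ["mcp-api", "billing"],
            "exp": now + 3600, "scope": "read write"}


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_hs256(DEMO_SECRET, demo_claims(now), kid="demo-key-1")
    print(verify_hs256(tok, DEMO_SECRET, DEMO_ISSUER, "mcp-api", ["read"]))
    print(verify_hs256(unsigned_token(demo_claims(now)), DEMO_SECRET, DEMO_ISSUER, "mcp-api"))
```

Verification fails closed: the signature is checked before any claim is read, and each claim check is an explicit comparison against a value the verifier was configured with rather than one taken from the token.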

StaticTokenVerifier

Simple static token verifier for testing and development. This verifier validates tokens against a predefined dictionary of valid token strings and their associated claims. When a token string matches a key in the dictionary, the verifier returns the corresponding claims as if the token had been validated by a real authorization server. Use this when:
  • You're developing or testing locally without a real OAuth server
  • You need predictable tokens for automated testing
  • You want to simulate different users/scopes without complex setup
  • You're prototyping and need simple API key-style authentication
WARNING: Never use this in production: the token strings are stored in plain text, and anyone who can read the dictionary holds every identity it defines. Methods:

verify_token

verify_token(self, token: str) -> AccessToken | None
Verify token against static token dictionary.