Supabase 🤝 FastMCP

import { VersionBadge } from "/snippets/version-badge.mdx"

This guide shows you how to secure your FastMCP server using Supabase Auth. This integration uses the Remote OAuth pattern, where Supabase handles user authentication and your FastMCP server validates the tokens.

Consent UI Requirement

Supabase's OAuth Server delegates the user consent screen to your application. When an MCP client initiates authorization, Supabase authenticates the user and then redirects to your application at a configured callback URL (e.g., https://your-app.com/oauth/callback?authorization_id=...). Your application must host a page that calls Supabase's approveAuthorization() or denyAuthorization() APIs to complete the flow.

SupabaseProvider handles the resource server side (token verification and metadata), but you are responsible for building and hosting the consent UI separately. See Supabase's OAuth Server documentation for details on implementing the authorization page.

Configuration

Prerequisites

Before you begin, you will need:

1. A Supabase Account with a project or a self-hosted Supabase Auth instance
2. OAuth Server enabled in your Supabase Dashboard (Authentication → OAuth Server)
3. Dynamic Client Registration enabled in the same settings
4. A consent UI hosted at your configured authorization path (see above)
5. Your FastMCP server's URL (can be localhost for development, e.g., http://localhost:8000)

Step 1: Enable Supabase OAuth Server

In your Supabase Dashboard:

1. Go to Authentication → OAuth Server
2. Enable the OAuth Server
3. Set your Site URL to where your consent UI is hosted
4. Set the Authorization Path (e.g., /oauth/callback)
5. Enable Allow Dynamic OAuth Apps for MCP client registration

Step 2: Get Supabase Project URL

In your Supabase Dashboard:

1. Go to Project Settings
2. Copy your Project URL (e.g., https://abc123.supabase.co)

Step 3: FastMCP Configuration

Create your FastMCP server using the SupabaseProvider:

from fastmcp import FastMCP
from fastmcp.server.auth.providers.supabase import SupabaseProvider

auth = SupabaseProvider(
    project_url="https://abc123.supabase.co",
    base_url="http://localhost:8000",
)

mcp = FastMCP("Supabase Protected Server", auth=auth)

@mcp.tool
def protected_tool(message: str) -> str:
    """This tool requires authentication."""
    return f"Authenticated user says: {message}"

if __name__ == "__main__":
    mcp.run(transport="http", port=8000)

Testing

Running the Server

Start your FastMCP server with HTTP transport to enable OAuth flows:

fastmcp run server.py --transport http --port 8000

Testing with a Client

Create a test client that authenticates with your Supabase-protected server:

from fastmcp import Client
import asyncio

async def main():
    async with Client("http://localhost:8000/mcp", auth="oauth") as client:
        print("Authenticated with Supabase!")

        result = await client.call_tool("protected_tool", {"message": "Hello!"})
        print(result)

if __name__ == "__main__":
    asyncio.run(main())

When you run the client for the first time:

1. Your browser will open to Supabase's authorization endpoint
2. After authenticating, Supabase redirects to your consent UI
3. After you approve, the client receives the token and can make authenticated requests

Production Configuration

For production deployments, load configuration from environment variables:

import os
from fastmcp import FastMCP
from fastmcp.server.auth.providers.supabase import SupabaseProvider

auth = SupabaseProvider(
    project_url=os.environ["SUPABASE_PROJECT_URL"],
    base_url=os.environ.get("BASE_URL", "https://your-server.com"),
)

mcp = FastMCP(name="Supabase Secured App", auth=auth)