
jwt

docs/python-sdk/fastmcp-server-auth-providers-jwt.mdx


fastmcp.server.auth.providers.jwt

TokenVerifier implementations for FastMCP.

Classes

JWKData <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L27" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

JSON Web Key data structure.

JWKSData <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L40" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

JSON Web Key Set data structure.

RSAKeyPair <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L47" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

RSA key pair for JWT testing.

Methods:

generate <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L54" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

```python
generate(cls) -> RSAKeyPair
```

Generate an RSA key pair for testing.

Returns:

  • Generated key pair

create_token <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L89" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

```python
create_token(
    self,
    subject: str = 'fastmcp-user',
    issuer: str = 'https://fastmcp.example.com',
    audience: str | list[str] | None = None,
    scopes: list[str] | None = None,
    expires_in_seconds: int = 3600,
    additional_claims: dict[str, Any] | None = None,
    kid: str | None = None,
) -> str
```

Generate a signed JWT for testing purposes, using the pair's private key. Tokens minted this way are only as trustworthy as the private key: a key pair generated in a test must not be reused by a production verifier.

Args:

  • subject: Subject claim (usually user ID)
  • issuer: Issuer claim
  • audience: Audience claim - can be a string or list of strings (optional)
  • scopes: List of scopes to include
  • expires_in_seconds: Token expiration time in seconds
  • additional_claims: Any additional claims to include
  • kid: Key ID to include in header

JWTVerifier <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L156" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

JWT token verifier supporting both asymmetric (RSA/ECDSA) and symmetric (HMAC) algorithms.

This verifier validates JWT tokens using various signing algorithms:

  • Asymmetric algorithms (RS256/384/512, ES256/384/512, PS256/384/512): the authorization server signs with a private key and the verifier needs only the public key (or a JWKS endpoint). Use these for tokens issued by external clients and services, since only the authorization server holds the private key and compromising a verifier does not let anyone mint tokens.
  • Symmetric algorithms (HS256/384/512): one shared secret both signs and verifies. Suitable for internal microservices and trusted environments where the secret can be distributed securely, with the caveat that every service holding the secret can forge tokens, so each verifier is effectively part of the issuer's trust boundary.

Use this when:

  • You have JWT tokens issued by an external service (asymmetric)
  • You need JWKS support for automatic key rotation (asymmetric)
  • You have internal microservices sharing a secret key (symmetric)
  • Your tokens contain standard OAuth scopes and claims

Methods:

load_access_token <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L397" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

```python
load_access_token(self, token: str) -> AccessToken | None
```

Validate a JWT bearer token and return an AccessToken when the token is valid.

Args:

  • token: The JWT bearer token string to validate.

Returns:

  • AccessToken | None: An AccessToken populated from token claims if the token is valid; None if the token is expired, has an invalid signature or format, fails issuer/audience/scope validation, or any other validation error occurs.
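The following is an added example, not FastMCP's own code, that makes the two operations documented above concrete: a `create_token` stand-in that mints a test token (as `RSAKeyPair.create_token` does) and a `load_access_token` stand-in that performs the signature, expiry, issuer, audience and scope checks described for `JWTVerifier.load_access_token`, returning `None` on any failure. To stay standard-library only it uses HS256 rather than RSA, takes its keys from an in-memory JWK Set of symmetric (`"oct"`) keys selected by the token's `kid` header, and represents the `AccessToken` as a plain dict; the secrets and key IDs are constructed for the example.

```python
"""Added example (not FastMCP's own code): stdlib-only HS256 issuer and verifier.
Assumptions: keys come from an in-memory JWK Set of "oct" keys looked up by kid,
and the AccessToken result is a plain dict."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key set: two keys with distinct kids so rotation overlap can be shown.
OLD_SECRET = b"old-shared-secret-32-bytes-long!!"
CURRENT_SECRET = b"current-shared-secret-32-bytes!!"
KEY_SET = {"keys": [
    {"kty": "oct", "kid": "2024-old", "k": b64url_encode(OLD_SECRET)},
    {"kty": "oct", "kid": "2025-cur", "k": b64url_encode(CURRENT_SECRET)},
]}


def create_token(secret: bytes, *, subject="fastmcp-user", issuer="https://fastmcp.example.com",
                 audience=None, scopes=None, expires_in_seconds=3600,
                 additional_claims=None, kid=None) -> str:
    """HS256 stand-in for RSAKeyPair.create_token: mint a signed test token."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    now = int(time.time())
    claims = {"sub": subject, "iss": issuer, "iat": now, "exp": now + expires_in_seconds}
    if audience is not None:
        claims["aud"] = audience            # str or list[str], as in the real signature
    if scopes:
        claims["scope"] = " ".join(scopes)  # OAuth space-delimited scope claim
    claims.update(additional_claims or {})
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def load_access_token(token: str, key_set: dict, *, issuer=None, audience=None,
                      required_scopes=(), now=None):
    """Stand-in for JWTVerifier.load_access_token: dict on success, None on any failure."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):  # malformed token (binascii.Error is a ValueError)
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # The verifier, not the token, decides the algorithm: this rejects alg=none and RS/HS confusion.
    if header.get("alg") != "HS256":
        return None
    key = next((k for k in key_set["keys"]
                if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:  # unknown kid: never fall back to "try every key"
        return None
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None
    if issuer is not None and claims.get("iss") != issuer:
        return None
    if audience is not None:
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            return None
    scope = claims.get("scope", "")
    scopes = scope.split() if isinstance(scope, str) else []
    if any(s not in scopes for s in required_scopes):
        return None
    return {"token": token, "client_id": claims.get("sub"), "scopes": scopes,
            "expires_at": exp, "claims": claims}
```

Two design points carry over to any verifier, regardless of algorithm: the accepted algorithm is fixed by configuration rather than read from the token, and an unrecognised `kid` is a hard failure rather than a cue to try every key. Keeping the retired key in the set for a grace period is what lets tokens signed before a rotation keep validating while new tokens use the current key.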

verify_token <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L523" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

```python
verify_token(self, token: str) -> AccessToken | None
```

Verify a bearer token and return access info if valid.

This method implements the TokenVerifier protocol by delegating to load_access_token; the two methods apply identical validation.

Args:

  • token: The JWT token string to validate

Returns:

  • AccessToken object if valid, None if invalid or expired

StaticTokenVerifier <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L539" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

Simple static token verifier for testing and development.

This verifier validates tokens against a predefined dictionary of valid token strings and their associated claims. When a token string matches a key in the dictionary, the verifier returns the corresponding claims as if the token was validated by a real authorization server.

Use this when:

  • You're developing or testing locally without a real OAuth server
  • You need predictable tokens for automated testing
  • You want to simulate different users/scopes without complex setup
  • You're prototyping and need simple API key-style authentication

WARNING: Never use this in production - tokens are stored in plain text!

Methods:

verify_token <sup><a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/jwt.py#L573" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a></sup>

```python
verify_token(self, token: str) -> AccessToken | None
```

Verify token against static token dictionary.