FastMCP includes built-in OAuth providers for popular identity platforms: Google, GitHub, Azure/Entra ID, and a generic provider for custom OAuth servers.

GoogleProvider

Pre-configured OAuth provider for Google Identity Platform.
import { FastMCP, GoogleProvider } from "fastmcp";

const server = new FastMCP({
  name: "google-auth-server",
  version: "1.0.0",
  auth: new GoogleProvider({
    baseUrl: "http://localhost:8000",
    clientId: process.env.GOOGLE_CLIENT_ID!,
    clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
  }),
});

Configuration

  • baseUrl (string, required): Base URL where the MCP server is accessible (e.g., “https://api.example.com”)
  • clientId (string, required): Google OAuth 2.0 client ID from Google Cloud Console
  • clientSecret (string, required): Google OAuth 2.0 client secret from Google Cloud Console
  • scopes (string[], default: ["openid", "profile", "email"]): OAuth scopes to request
  • Require user consent screen
  • allowedRedirectUriPatterns (string[], default: ["http://localhost:*", "https://*"]): Allowed redirect URI patterns for client registration
  • encryptionKey (string | false): Encryption key for token storage (auto-generated if not provided, set to false to disable)
  • jwtSigningKey (string): JWT signing key for token swap (auto-generated if not provided)
  • tokenStorage (TokenStorage): Custom token storage backend (defaults to MemoryTokenStorage)

Session Type

interface GoogleSession extends OAuthSession {
  accessToken: string;
  scopes?: string[];
  expiresAt?: number;
  idToken?: string;
  refreshToken?: string;
  claims?: Record<string, unknown>;
  email?: string; // Google-specific
}

Endpoints

  • Authorization: https://accounts.google.com/o/oauth2/v2/auth
  • Token: https://oauth2.googleapis.com/token
  • Callback: {baseUrl}/oauth/callback

GitHubProvider

Pre-configured OAuth provider for GitHub OAuth Apps.
import { FastMCP, GitHubProvider } from "fastmcp";

const server = new FastMCP({
  name: "github-auth-server",
  version: "1.0.0",
  auth: new GitHubProvider({
    baseUrl: "http://localhost:8000",
    clientId: process.env.GITHUB_CLIENT_ID!,
    clientSecret: process.env.GITHUB_CLIENT_SECRET!,
  }),
});

Configuration

  • baseUrl (string, required): Base URL where the MCP server is accessible
  • clientId (string, required): GitHub OAuth App client ID from GitHub Developer Settings
  • clientSecret (string, required): GitHub OAuth App client secret
  • scopes (string[], default: ["read:user", "user:email"]): OAuth scopes to request
  • Require user consent screen
  • allowedRedirectUriPatterns (string[], default: ["http://localhost:*", "https://*"]): Allowed redirect URI patterns
  • encryptionKey (string | false): Encryption key for token storage
  • jwtSigningKey (string): JWT signing key for token swap
  • tokenStorage (TokenStorage): Custom token storage backend

Session Type

interface GitHubSession extends OAuthSession {
  accessToken: string;
  scopes?: string[];
  expiresAt?: number;
  idToken?: string;
  refreshToken?: string;
  claims?: Record<string, unknown>;
  username?: string; // GitHub-specific
}

Endpoints

  • Authorization: https://github.com/login/oauth/authorize
  • Token: https://github.com/login/oauth/access_token
  • Callback: {baseUrl}/oauth/callback

AzureProvider

Pre-configured OAuth provider for Microsoft Azure AD / Entra ID.
import { FastMCP, AzureProvider } from "fastmcp";

const server = new FastMCP({
  name: "azure-auth-server",
  version: "1.0.0",
  auth: new AzureProvider({
    baseUrl: "http://localhost:8000",
    clientId: process.env.AZURE_CLIENT_ID!,
    clientSecret: process.env.AZURE_CLIENT_SECRET!,
    tenantId: "common", // or specific tenant ID
  }),
});

Configuration

  • baseUrl (string, required): Base URL where the MCP server is accessible
  • clientId (string, required): Azure AD application (client) ID from Azure Portal
  • clientSecret (string, required): Azure AD client secret (value, not secret ID)
  • tenantId (string, default: "common"): Azure AD tenant ID or “common” / “organizations” / “consumers”
  • scopes (string[], default: ["openid", "profile", "email"]): OAuth scopes to request
  • Require user consent screen
  • allowedRedirectUriPatterns (string[], default: ["http://localhost:*", "https://*"]): Allowed redirect URI patterns
  • encryptionKey (string | false): Encryption key for token storage
  • jwtSigningKey (string): JWT signing key for token swap
  • tokenStorage (TokenStorage): Custom token storage backend

Session Type

interface AzureSession extends OAuthSession {
  accessToken: string;
  scopes?: string[];
  expiresAt?: number;
  idToken?: string;
  refreshToken?: string;
  claims?: Record<string, unknown>;
  upn?: string; // Azure-specific (User Principal Name)
}

Endpoints

  • Authorization: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize
  • Token: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
  • Callback: {baseUrl}/oauth/callback

OAuthProvider

Generic OAuth provider for any OAuth 2.0 compliant authorization server.
import { FastMCP, OAuthProvider } from "fastmcp";

const server = new FastMCP({
  name: "custom-oauth-server",
  version: "1.0.0",
  auth: new OAuthProvider({
    baseUrl: "http://localhost:8000",
    clientId: process.env.OAUTH_CLIENT_ID!,
    clientSecret: process.env.OAUTH_CLIENT_SECRET!,
    authorizationEndpoint: "https://auth.example.com/oauth/authorize",
    tokenEndpoint: "https://auth.example.com/oauth/token",
    scopes: ["read", "write"],
  }),
});

Configuration

  • baseUrl (string, required): Base URL where the MCP server is accessible
  • clientId (string, required): OAuth client ID from your provider
  • clientSecret (string, required): OAuth client secret from your provider
  • authorizationEndpoint (string, required): OAuth authorization endpoint URL (e.g., “https://provider.com/oauth/authorize”)
  • tokenEndpoint (string, required): OAuth token endpoint URL (e.g., “https://provider.com/oauth/token”)
  • scopes (string[], default: ["openid"]): OAuth scopes to request
  • tokenEndpointAuthMethod ('client_secret_basic' | 'client_secret_post', default: "client_secret_basic"): Token endpoint authentication method
  • Require user consent screen
  • allowedRedirectUriPatterns (string[], default: ["http://localhost:*", "https://*"]): Allowed redirect URI patterns
  • encryptionKey (string | false): Encryption key for token storage
  • jwtSigningKey (string): JWT signing key for token swap
  • tokenStorage (TokenStorage): Custom token storage backend
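
The default allowedRedirectUriPatterns listed for every provider on this page includes "https://*". The check below is an added example, not FastMCP code, for reviewing a pattern list before passing it to a provider. It assumes "*" is a glob wildcard (the library's own matcher is not shown on this page); the function names and sample URIs are constructed for illustration.

```typescript
// Added example, not FastMCP code. ASSUMPTION: "*" in a pattern is a glob
// wildcard matching any run of characters; the library's matcher may differ.
type Finding = { pattern: string; issue: string };

const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Compile a glob pattern into an anchored RegExp (assumed semantics).
function globToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`^${escaped.replace(/\*/g, ".*")}$`);
}

// True if any pattern would accept this redirect URI.
function matchesAny(uri: string, patterns: string[]): boolean {
  return patterns.some((p) => globToRegExp(p).test(uri));
}

// Flag patterns that leave the host open or allow cleartext off-host redirects.
function auditRedirectPatterns(patterns: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const pattern of patterns) {
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(pattern);
    if (!m) {
      findings.push({ pattern, issue: "no fixed scheme://host prefix" });
      continue;
    }
    const [, scheme = "", authority = ""] = m;
    const host = authority.replace(/:[^:\]]*$/, "").toLowerCase(); // drop port
    if (host === "" || host.includes("*")) {
      findings.push({ pattern, issue: "host is empty or contains a wildcard" });
    } else if (scheme.toLowerCase() === "http" && !LOOPBACK.has(host)) {
      findings.push({ pattern, issue: "cleartext redirect to non-loopback host" });
    }
  }
  return findings;
}

// Constructed sample values: the page's default list and a pinned alternative.
const DEFAULT_PATTERNS = ["http://localhost:*", "https://*"];
const PINNED_PATTERNS = ["http://localhost:*", "https://mcp.example.com/oauth/callback"];

console.log(auditRedirectPatterns(DEFAULT_PATTERNS), auditRedirectPatterns(PINNED_PATTERNS));
```

Passing a pinned list such as PINNED_PATTERNS as allowedRedirectUriPatterns keeps local development working while limiting HTTPS callbacks to one known host.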

Session Type

interface OAuthSession {
  accessToken: string;
  scopes?: string[];
  expiresAt?: number;
  idToken?: string;
  refreshToken?: string;
  claims?: Record<string, unknown>;
}

Usage with Tools

Access the authenticated session in your tools:
import { requireAuth } from "fastmcp";

server.addTool({
  name: "get_profile",
  description: "Get user profile",
  canAccess: requireAuth,
  execute: async (args, context) => {
    const session = context.session; // GoogleSession | GitHubSession | etc.
    return `User: ${session.email || session.username}`;
  },
});
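
The provider-specific fields on the session types above (email, username, upn) are optional, and an AzureProvider left at tenantId "common" accepts sign-ins from any tenant, so a tool that acts on the session benefits from an explicit check. The following is an added example, not FastMCP code: ToolPolicy and authorize are hypothetical names, the sample session is constructed, and it assumes claims carries the ID token claims so that an Entra ID sign-in exposes its tenant as tid.

```typescript
// Added example, not FastMCP code. Session fields mirror the interfaces above.
// ASSUMPTION: `claims` carries the ID token claims, so an Entra ID sign-in
// exposes its tenant as `tid`. `ToolPolicy` and `authorize` are hypothetical.
interface OAuthSession {
  accessToken: string;
  scopes?: string[];
  claims?: Record<string, unknown>;
}
interface ProviderSession extends OAuthSession {
  email?: string; // GoogleSession
  username?: string; // GitHubSession
  upn?: string; // AzureSession
}
interface ToolPolicy {
  requiredScopes: string[];
  allowedTenants?: string[]; // set when tenantId is "common" or "organizations"
}
type Decision =
  | { allowed: true; principal: string }
  | { allowed: false; reason: string };

// Fail closed: absent optional fields are treated as not granted.
function authorize(session: ProviderSession | undefined, policy: ToolPolicy): Decision {
  if (!session || !session.accessToken) return { allowed: false, reason: "no session" };
  const granted = new Set(session.scopes ?? []);
  const missing = policy.requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) {
    return { allowed: false, reason: `missing scopes: ${missing.join(", ")}` };
  }
  if (policy.allowedTenants) {
    const tid = session.claims?.["tid"];
    if (typeof tid !== "string" || !policy.allowedTenants.includes(tid)) {
      return { allowed: false, reason: "tenant not allowed" };
    }
  }
  const principal = session.email ?? session.username ?? session.upn;
  if (!principal) return { allowed: false, reason: "no user identifier in session" };
  return { allowed: true, principal };
}

// Constructed sample session and tenant ID.
const sampleSession: ProviderSession = {
  accessToken: "constructed-token",
  scopes: ["openid", "profile", "email"],
  claims: { tid: "11111111-1111-1111-1111-111111111111" },
  upn: "alice@contoso.example",
};
```

Call authorize with context.session at the top of a tool's execute function and stop on a denial, so that a missing email or username never reaches the output as "undefined".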