getmcpauth
Drop-in OAuth 2.1 + Dynamic Client Registration (RFC 7591) token verification for Python MCP servers, backed by mcpauth.
Implements the official mcp SDK's TokenVerifier protocol — the official SDK ships a full bearer-auth middleware stack (BearerAuthBackend, RequireAuthMiddleware) but no ready-made verifier that actually checks a token against a real authorization server. This package is that verifier.
Install
pip install getmcpauth
Usage
import os
from mcp.server.fastmcp import FastMCP
from getmcpauth import McpAuthTokenVerifier, build_auth_settings
mcp = FastMCP(
    "my-server",
    token_verifier=McpAuthTokenVerifier(
        "https://getmcpauth.dev/api/oauth/introspect",
        registration_secret=os.environ["MCPAUTH_SECRET"],
    ),
    auth=build_auth_settings(
        "https://getmcpauth.dev",
        resource_server_url="https://my-server.example.com",
    ),
)
Get a registration_secret by creating a project at getmcpauth.dev/dashboard.
API
McpAuthTokenVerifier: implements mcp.server.auth.provider.TokenVerifier. Successful verifications are cached in-process (default 30s) so a chatty agent conversation doesn't trigger a network round trip on every tool call.
build_auth_settings(issuer_url, *, resource_server_url, required_scopes=None): builds an AuthSettings for FastMCP with Dynamic Client Registration enabled.
required_scope_for_call(body) / is_authorized(required_scope, granted_scopes) / check_batch(bodies, granted_scopes): helpers for MCP-native tool scoping (tool:<name> scope strings mapped directly to tools/call requests).
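The tool-scoping idea behind the helpers above, as an added stand-alone sketch that is not getmcpauth's own code: each JSON-RPC tools/call request is mapped to a tool:<name> scope and a whole batch is checked before any of it runs. The function names, the exact-match rule, the treatment of non-tools/call methods and the fail-closed handling of malformed requests are assumptions of this sketch, not documented behaviour of the package.

```python
import json

TOOL_SCOPE_PREFIX = "tool:"


class MalformedCall(ValueError):
    """A tools/call request without a usable tool name."""


def scope_for_request(body):
    """Return the 'tool:<name>' scope a JSON-RPC request needs, or None."""
    if not isinstance(body, dict):
        raise MalformedCall("request is not a JSON object")
    if body.get("method") != "tools/call":
        return None  # assumption: only tools/call is tool-scoped
    params = body.get("params")
    name = params.get("name") if isinstance(params, dict) else None
    if not isinstance(name, str) or not name:
        raise MalformedCall("tools/call without a tool name")
    return TOOL_SCOPE_PREFIX + name


def scope_allows(required, granted):
    """Exact-match check (assumption: no wildcard or prefix matching)."""
    return required is None or required in set(granted)


def first_denied(bodies, granted):
    """Check a whole batch up front; return (index, reason) of the first denial, or None."""
    for index, body in enumerate(bodies):
        try:
            required = scope_for_request(body)
        except MalformedCall as exc:
            return index, str(exc)  # fail closed on anything unparseable
        if not scope_allows(required, granted):
            return index, "missing scope " + required
    return None


# Constructed sample batch: one permitted call, one ping, one call outside the grant.
SAMPLE_BATCH = json.loads("""[
  {"jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": {"name": "search", "arguments": {"q": "x"}}},
  {"jsonrpc": "2.0", "id": 2, "method": "ping"},
  {"jsonrpc": "2.0", "id": 3, "method": "tools/call", "params": {"name": "delete_repo", "arguments": {}}}
]""")
GRANTED = ["tool:search", "tool:read_file"]  # constructed grant list

if __name__ == "__main__":
    print(first_denied(SAMPLE_BATCH, GRANTED))
```

Rejecting the batch on its first denied entry keeps a permitted call from being used to carry an unpermitted one through in the same request.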
Full docs: getmcpauth.dev/docs
Development
pip install -e ".[test]"
pytest
License
MIT