Merge pull request jlowin#655 from jlowin/auth-docs

Add docs for server + client auth

Author: jlowin

docs/clients/auth/bearer.mdx

@@ -0,0 +1,81 @@
+---
+title: Bearer Token Authentication
+sidebarTitle: Bearer Auth
+description: Authenticate your FastMCP client using pre-existing OAuth 2.0 Bearer tokens.
+icon: key
+---
+
+import { VersionBadge } from "/snippets/version-badge.mdx"
+
+<VersionBadge version="2.6.0" />
+
+<Tip>
+Bearer Token authentication is only relevant for HTTP-based transports.
+</Tip>
+
+You can configure your FastMCP client to use **bearer authentication** by supplying a valid access token. This is most appropriate for service accounts, long-lived API keys, CI/CD, applications where authentication is managed separately, or other non-interactive authentication methods.
+
+A Bearer token is a JSON Web Token (JWT) that is used to authenticate a request. It is most commonly used in the `Authorization` header of an HTTP request, using the `Bearer` scheme:
+
+```http
+Authorization: Bearer <token>
+```
+
+
+## Client Usage
+
+The most straightforward way to use a pre-existing Bearer token is to provide it as a string to the `auth` parameter of the `fastmcp.Client` or transport instance. FastMCP will automatically format it correctly for the `Authorization` header and bearer scheme.
+
+<Tip>
+If you're using a string token, do not include the `Bearer` prefix. FastMCP will add it for you.
+</Tip>
+
+```python {4}
+from fastmcp import Client
+
+async with Client(
+    "https://fastmcp.cloud/mcp", auth="<your-token>"
+) as client:
+    await client.ping()
+```
+
+You can also supply a Bearer token to a transport instance, such as `StreamableHttpTransport` or `SSETransport`:
+
+```python {5}
+from fastmcp import Client
+from fastmcp.client.transports import StreamableHttpTransport
+
+transport = StreamableHttpTransport(
+    "http://fastmcp.cloud/mcp", auth="<your-token>"
+)
+
+async with Client(transport) as client:
+    await client.ping()
+```
+
+## `BearerAuth` Helper
+
+If you prefer to be more explicit and not rely on FastMCP to transform your string token, you can use the `BearerAuth` class yourself, which implements the `httpx.Auth` interface.
+
+```python {5}
+from fastmcp import Client
+from fastmcp.client.auth import BearerAuth
+
+async with Client(
+    "https://fastmcp.cloud/mcp", auth=BearerAuth(token="<your-token>")
+) as client:
+    await client.ping()
+```
+
+## Custom Headers
+
+If the MCP server expects a custom header or token scheme, you can manually set the client's `headers` instead of using the `auth` parameter:
+
+```python {4}
+from fastmcp import Client
+
+async with Client(
+    "https://fastmcp.cloud/mcp", headers={"X-API-Key": "<your-token>"}
+) as client:
+    await client.ping()
+```

docs/clients/auth/oauth.mdx

@@ -0,0 +1,116 @@
+---
+title: OAuth Authentication
+sidebarTitle: OAuth
+description: Authenticate your FastMCP client with servers using the OAuth 2.0 Authorization Code Grant, including user interaction via a web browser.
+icon: window
+---
+
+import { VersionBadge } from "/snippets/version-badge.mdx"
+
+<VersionBadge version="2.6.0" />
+
+<Tip>
+OAuth authentication is only relevant for HTTP-based transports and requires user interaction via a web browser.
+</Tip>
+
+When your FastMCP client needs to access an MCP server protected by OAuth 2.0, and the process requires user interaction (like logging in and granting consent), you should use the Authorization Code Flow. FastMCP provides the `fastmcp.client.auth.OAuth` helper to simplify this entire process.
+
+This flow is common for user-facing applications where the application acts on behalf of the user.
+
+## Client Usage
+
+
+### Default Configuration
+
+The simplest way to use OAuth is to pass the string `"oauth"` to the `auth` parameter of the `Client` or transport instance. FastMCP will automatically configure the client to use OAuth with default settings:
+
+```python {4}
+from fastmcp import Client
+
+# Uses default OAuth settings
+async with Client("https://fastmcp.cloud/mcp", auth="oauth") as client:
+    await client.ping()
+```
+
+
+### `OAuth` Helper
+
+To fully configure the OAuth flow, use the `OAuth` helper and pass it to the `auth` parameter of the `Client` or transport instance. `OAuth` manages the complexities of the OAuth 2.0 Authorization Code Grant with PKCE (Proof Key for Code Exchange) for enhanced security, and implements the full `httpx.Auth` interface.
+
+```python {2, 4, 6}
+from fastmcp import Client
+from fastmcp.client.auth import OAuth
+
+oauth = OAuth(mcp_url="https://fastmcp.cloud/mcp")
+
+async with Client("https://fastmcp.cloud/mcp", auth=oauth) as client:
+    await client.ping()
+```
+
+#### `OAuth` Parameters
+
+- **`mcp_url`** (`str`): The full URL of the target MCP server endpoint. Used to discover OAuth server metadata
+- **`scopes`** (`str | list[str]`, optional): OAuth scopes to request. Can be space-separated string or list of strings
+- **`client_name`** (`str`, optional): Client name for dynamic registration. Defaults to `"FastMCP Client"`
+- **`token_storage_cache_dir`** (`Path`, optional): Token cache directory. Defaults to `~/.fastmcp/oauth-mcp-client-cache/`
+- **`additional_client_metadata`** (`dict[str, Any]`, optional): Extra metadata for client registration
+
+
+## OAuth Flow
+
+The OAuth flow is triggered when you use a FastMCP `Client` configured to use OAuth.
+
+<Steps>
+<Step title="Token Check">
+The client first checks the `token_storage_cache_dir` for existing, valid tokens for the target server. If one is found, it will be used to authenticate the client.
+</Step>
+<Step title="OAuth Server Discovery">
+If no valid tokens exist, the client attempts to discover the OAuth server's endpoints using a well-known URI (e.g., `/.well-known/oauth-authorization-server`) based on the `mcp_url`.
+</Step>
+<Step title="Dynamic Client Registration">
+If the OAuth server supports it and the client isn't already registered (or credentials aren't cached), the client performs dynamic client registration according to RFC 7591.
+</Step>
+<Step title="Local Callback Server">
+A temporary local HTTP server is started on an available port. This server's address (e.g., `http://127.0.0.1:<port>/callback`) acts as the `redirect_uri` for the OAuth flow.
+</Step>
+<Step title="Browser Interaction">
+The user's default web browser is automatically opened, directing them to the OAuth server's authorization endpoint. The user logs in and grants (or denies) the requested `scopes`.
+</Step>
+<Step title="Authorization Code & Token Exchange">
+Upon approval, the OAuth server redirects the user's browser to the local callback server with an `authorization_code`. The client captures this code and exchanges it with the OAuth server's token endpoint for an `access_token` (and often a `refresh_token`) using PKCE for security.
+</Step>
+<Step title="Token Caching">
+The obtained tokens are saved to the `token_storage_cache_dir` for future use, eliminating the need for repeated browser interactions.
+</Step> 
+<Step title="Authenticated Requests">
+The access token is automatically included in the `Authorization` header for requests to the MCP server. 
+</Step>
+<Step title="Refresh Token">
+If the access token expires, the client will automatically use the refresh token to get a new access token.
+</Step>
+</Steps>
+
+## Token Management
+
+### Token Storage
+
+OAuth access tokens are automatically cached in `~/.fastmcp/oauth-mcp-client-cache/` and persist between application runs. Files are keyed by the OAuth server's base URL.
+
+### Managing Cache
+
+To clear the tokens for a specific server, instantiate a `FileTokenStorage` instance and call the `clear` method:
+
+```python
+from fastmcp.client.auth import FileTokenStorage
+
+storage = FileTokenStorage(server_url="https://fastmcp.cloud/mcp")
+await storage.clear()
+```
+
+To clear *all* tokens for all servers, call the `clear_all` method on the `FileTokenStorage` class:
+
+```python
+from fastmcp.client.auth import FileTokenStorage
+
+FileTokenStorage.clear_all()
+```

docs/deployment/authentication.mdx

@@ -56,25 +56,39 @@
                             "servers/context"
                         ]
                     },
+                    {
+                        "group": "Authentication",
+                        "icon": "shield-check",
+                        "pages": [
+                            "servers/auth/bearer"
+                        ]
+                    },
                     "servers/openapi",
                     "servers/proxy",
-                    "servers/composition"
-                ]
-            },
-            {
-                "group": "Deployment",
-                "pages": [
-                    "deployment/running-server",
-                    "deployment/asgi",
-                    "deployment/authentication",
-                    "deployment/cli"
+                    "servers/composition",
+                    {
+                        "group": "Deployment",
+                        "pages": [
+                            "deployment/running-server",
+                            "deployment/asgi",
+                            "deployment/cli"
+                        ]
+                    }
                 ]
             },
             {
                 "group": "Clients",
                 "pages": [
                     "clients/client",
                     "clients/transports",
+                    {
+                        "group": "Authentication",
+                        "icon": "user-shield",
+                        "pages": [
+                            "clients/auth/bearer",
+                            "clients/auth/oauth"
+                        ]
+                    },
                     "clients/advanced-features"
                 ]
             },