Skip to content

feat: add claims field to AccessToken for decoded token payload #1165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

feat: add claims field to AccessToken for decoded token payload #1165

wants to merge 9 commits into from
+2 −1

Conversation

robertofalk
Copy link

@robertofalk robertofalk commented Jul 17, 2025
edited
Loading

Add optional claims dict to AccessToken class to provide access to all decoded JWT claims (both standard and custom) instead of restricting to only specific fields like scopes and expires_at.

Motivation and Context

FastMCP provides a BearerAuthProvider class to validate bearer tokens and returns it using the AccessToken class (https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/server/auth/providers/bearer.py#L387). With the current implementation the claims from the token are limited to the ones defined so far, so any additional claim is not available and to get it currently I had to define an additional middleware that decodes the token again, which is a waste since the token is was already decoded by BearerAuthProvider.

How Has This Been Tested?

I was not able to test it since it's just an attribute that will be used by applications relying on the python-sdk AccessToken class.

Breaking Changes

No, it's an optional attribute.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Resolves #1038

@ihrpr ihrpr added this to the auth milestone Jul 17, 2025
@robertofalk robertofalk requested review from a team as code owners July 18, 2025 20:16
@robertofalk robertofalk requested a review from ochafik July 18, 2025 20:16
@robertofalk
Copy link
Author

@ihrpr, @ochafik Any comments? since you have been driving the auth milestone.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ochafik ochafik Awaiting requested review from ochafik ochafik is a code owner automatically assigned from modelcontextprotocol/python-sdk-auth

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
auth
Development

Successfully merging this pull request may close these issues.

MCP server: AccessToken class should have field for subject claim ("sub")
2 participants
@robertofalk @ihrpr