k7iNSrSSKJr SSKrSSKJrJr SSKJrJ r SSK J r SSK J r SSKJrJr SS KJr SS KJr SS KJr SS KJr SS KJrJr \"\5r"SS\5r"SS\5rg)aSupabase authentication provider for FastMCP. This module provides SupabaseProvider - a complete authentication solution that integrates with Supabase Auth's JWT verification, supporting Dynamic Client Registration (DCR) for seamless MCP client authentication. ) annotationsN) AnyHttpUrlfield_validator) BaseSettingsSettingsConfigDict) JSONResponse)Route)RemoteAuthProvider TokenVerifier) JWTVerifier)ENV_FILE parse_scopes) get_logger)NotSetNotSetTcl\rSrSr%\"S\SS9rS\S'S\S'SrS \S '\ "S S S 9\ S 55r Sr g)SupabaseProviderSettingsFASTMCP_SERVER_AUTH_SUPABASE_ignore) env_prefixenv_fileextrar project_urlbase_urlNzlist[str] | Nonerequired_scopesbefore)modec[U5$Nr)clsvs `/home/james-whalen/.local/lib/python3.13/site-packages/fastmcp/server/auth/providers/supabase.py _parse_scopes&SupabaseProviderSettings._parse_scopes%sA) __name__ __module__ __qualname____firstlineno__rr model_config__annotations__rr classmethodr%__static_attributes__r(r'r$rrsP%2L (,O%,&X67r'rch^\rSrSrSr\\\SS.SU4SjjjrS S U4SjjjrSrU=r $) SupabaseProvider+aOSupabase metadata provider for DCR (Dynamic Client Registration). This provider implements Supabase Auth integration using metadata forwarding. This approach allows Supabase to handle the OAuth flow directly while FastMCP acts as a resource server, verifying JWTs issued by Supabase Auth. IMPORTANT SETUP REQUIREMENTS: 1. Supabase Project Setup: - Create a Supabase project at https://supabase.com - Note your project URL (e.g., "https://abc123.supabase.co") - For projects created after May 1st, 2025, asymmetric RS256 keys are used by default - For older projects, consider migrating to asymmetric keys for better security 2. JWT Verification: - FastMCP verifies JWTs using the JWKS endpoint at {project_url}/auth/v1/.well-known/jwks.json - JWTs are issued by {project_url}/auth/v1 - Tokens are cached for up to 10 minutes by Supabase's edge servers For detailed setup instructions, see: https://supabase.com/docs/guides/auth/jwts Example: ```python from fastmcp.server.auth.providers.supabase import SupabaseProvider # Create Supabase metadata provider (JWT verifier created automatically) supabase_auth = SupabaseProvider( project_url="https://abc123.supabase.co", base_url="https://your-fastmcp-server.com", ) # Use with FastMCP mcp = FastMCP("My App", auth=supabase_auth) ``` N)rrrtoken_verifierc >[RUUUS.R5VVs0sHupVU[LdMXV_M snn5n[ UR 5R S5Ul[ UR5R S5UlUc0[UR S3UR S3SURS9n[TU]-U[UR S35/URS9 gs snnf) aOInitialize Supabase metadata provider. Args: project_url: Your Supabase project URL (e.g., "https://abc123.supabase.co") base_url: Public URL of this FastMCP server required_scopes: Optional list of scopes to require for all requests token_verifier: Optional token verifier. If None, creates JWT verifier for Supabase )rrr/Nz/auth/v1/.well-known/jwks.jsonz/auth/v1ES256)jwks_uriissuer algorithmr)r4authorization_serversr) rmodel_validateitemsrstrrrstriprr rsuper__init__r) selfrrrr4kr#settings __class__s r$rASupabaseProvider.__init__Qs ,::$/ ('6%'  DA F?    x334;;C@H--.55c:   !( ,,--KL**+84! ( 8 8 N )#-1A1A0B(.K#L"M]]  1 s C? C? cj>^[TT]U5nU4SjnUR[SUS/S95 U$)auGet OAuth routes including Supabase authorization server metadata forwarding. This returns the standard protected resource routes plus an authorization server metadata endpoint that forwards Supabase's OAuth metadata to clients. Args: mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp") This is used to advertise the resource URL in metadata. c># [R"5IShvN nURTRS35IShvN nUR 5 UR 5n[ U5sSSS5IShvN $NfNBN !,IShvN (df  g=f![an[ SSU3S.SS9sSnA$SnAff=f7f)zQForward Supabase OAuth authorization server metadata with FastMCP customizations.Nz//auth/v1/.well-known/oauth-authorization-server server_errorz#Failed to fetch Supabase metadata: )errorerror_descriptioni) status_code)httpx AsyncClientgetrraise_for_statusjsonr Exception)requestclientresponsemetadataerBs r$#oauth_authorization_server_metadataHSupabaseProvider.get_routes..oauth_authorization_server_metadatas  ,,..&%+ZZ++,,[\& H--/'}}H'1 /.. /... #!//RSTRU-V!$  sC B%BB%"B B.B 3 B%?B B%C B%B  B% B"B  B"B%!C "B%% C /C>C ?C C  C z'/.well-known/oauth-authorization-serverGET)endpointmethods)r@ get_routesappendr )rBmcp_pathroutesrXrEs` r$r]SupabaseProvider.get_routessA#H- (  9<   r')rr)rAnyHttpUrl | str | NotSetTrrbrzlist[str] | NotSetT | Noner4zTokenVerifier | Noner!)r_z str | Nonereturnz list[Route]) r)r*r+r,__doc__rrAr]r0 __classcell__)rEs@r$r2r2+sk#P39/56rrsU# 0>,#A9%/03 H |"A)Ar'