fastmcp

The framework utilizes Zod/ArkType/Valibot for robust input validation in tools, which is a strong security practice. It provides explicit authentication hooks (`authenticate` function) and granular access control (`canAccess` on tools). The OAuth Proxy implementation includes essential security features like PKCE and `redirect_uri` validation. Encrypted token storage (`EncryptedTokenStorage`) is available for sensitive data. Potential risks include user-controlled `fetch` URLs in `DiscoveryDocumentCache` or content processing, which could lead to SSRF if not properly validated by the implementing developer. Additionally, misconfiguration of OAuth keys or persistent storage for OAuth can introduce vulnerabilities, although the framework encourages best practices and secure defaults (e.g., auto-generated strong keys for encryption/signing if not provided). JWKS verification (via `JWKSVerifier`) requires the optional `jose` package, and its absence could lead to silent failures if JWKS is expected for token validation.