MyTaskly-mcp

The server implements a robust dual-JWT authentication mechanism, validating incoming MCP tokens against a specified audience and then generating new JWTs for the FastAPI backend using a shared secret key. This shared `JWT_SECRET_KEY` is a critical security dependency, as explicitly highlighted in the documentation; it must be securely managed and consistent across both services. The `X-API-Key` header provides an additional layer of authentication for the MCP server's communication with the FastAPI backend. Debug logging of JWT token details in `src/auth.py` is present, which should be disabled or carefully managed in production to prevent exposure of sensitive information. An older/deprecated file, `src/client.py`, contains a hardcoded `secret_key` for JWT generation; while the primary entry point (`main.py`) appears to use the refactored, secure client structure, the presence of this file is a potential vulnerability if it were to be inadvertently used.