Fix FastMCP authentication API breaking change (#11416)

Co-authored-by: openhands <openhands@all-hands.dev>
2026-03-22 05:37:20 +08:00 · 2025-10-17 10:32:36 -06:00
parent 9bd0566e4e
commit 1ebc3ab04e
3 changed files with 16 additions and 5 deletions
--- a/openhands/runtime/mcp/proxy/manager.py
+++ b/openhands/runtime/mcp/proxy/manager.py
@@ -10,6 +10,7 @@ from typing import Any, Optional
 from anyio import get_cancelled_exc_class
 from fastapi import FastAPI
 from fastmcp import FastMCP
+from fastmcp.server.auth import StaticTokenVerifier
 from fastmcp.utilities.logging import get_logger as fastmcp_get_logger

 from openhands.core.config.mcp_config import MCPStdioServerConfig
@@ -59,11 +60,21 @@ class MCPProxyManager:
            )
            return None

+        # Create authentication provider if auth is enabled
+        auth_provider = None
+        if self.auth_enabled and self.api_key:
+            # Use StaticTokenVerifier for simple API key authentication
+            auth_provider = StaticTokenVerifier(
+                {self.api_key: {'client_id': 'openhands', 'scopes': []}}
+            )
+            logger.info('FastMCP Proxy authentication enabled')
+        else:
+            logger.info('FastMCP Proxy authentication disabled')
+
        # Create a new proxy with the current configuration
        self.proxy = FastMCP.as_proxy(
            self.config,
-            auth_enabled=self.auth_enabled,
-            api_key=self.api_key,
+            auth=auth_provider,
        )

        logger.info('FastMCP Proxy initialized successfully')
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.1.4 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand.

 [[package]]
 name = "aiofiles"
@@ -12608,4 +12608,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.12,<3.14"
-content-hash = "6973cf1c9ccb0d6926006697ae4863bcd0ab740a88f09fc17c205e016782cf77"
+content-hash = "38201ae2a56788a893231d07f66974285f3cd70b670aa1d0e36374e3febf03b9"
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -73,7 +73,7 @@ prompt-toolkit = "^3.0.50"
 poetry = "^2.1.2"
 anyio = "4.9.0"
 pythonnet = "*"
-fastmcp = "^2.5.2"
+fastmcp = "^2.12.4"           # Note: 2.12.0+ has breaking auth API changes
 python-frontmatter = "^1.1.0"
 shellingham = "^1.5.4"
 # TODO: Should these go into the runtime group?