FastMCP 2.13.1 introduces meta parameter support for ToolResult (#2283), letting tools return metadata alongside results to enable new use cases such as OpenAI's Apps SDK. It also supports client-sent meta (#2206) as well as improved OAuth capabilities and custom token verifiers (including the new DebugTokenVerifier) and an OCI authentication provider. A large list of enhancements and bugfixes round out the release.

Note that #2422 excludes MCP SDK 1.21.1 as a permitted dependency version due to a bug that fails FastMCP integration tests.

What's Changed

Enhancements 🔧

• Cleanly render auth errors from OAuth Proxy by @jlowin in #2268
• Add custom token verifier support to OIDCProxy by @jlowin in #2279
• Supporting Multiple Issuers For JWTVerifier Oauth Workflow by @mhassaninmsft in #2233
• Switch to logger.exception for fastmcp run/inspect by @jakekaplan in #2294
• Add base_authority parameter to AzureProvider for Azure Government support by @jlowin in #2306
• Add DebugTokenVerifier with custom sync/async validation by @jlowin in #2296
• Added to_data_uri method for Image class. by @Hyperclaw79 in #2227
• Remove test warnings by @jlowin in #2331
• Mark flaky Windows test for retry by @jlowin in #2344
• Add meta support to ToolResult by @BrandonShar in #2283
• switch from pre-commit to prek by @zzstoatzz in #2309
• Add manual initialization control to Client by @jlowin in #2355
• Pin Cyclopts to v4.0.0 + compliance note by @jlowin in #2354
• Switch marvin to prek from pre-commit by @strawgate in #2361
• Add meta to call tool by @aiorga-sherpas in #2206
• feat: add algorithm configuration to Supabase auth provider by @cemalkilic in #2376
• chore(typos): fix additional typos by @pstoeckle in #2396
• Martian triage for test failures by @strawgate in #2407
• OCI Provider with Docs by @kiranthakkar in #2389

Fixes 🐞

• Fix OAuth token storage documentation by @jlowin in #2272
• fix(docs): correct the key_value repo link by @JonZeolla in #2276
• Remove trailing slashes from MCP endpoint URLs by @jlowin in #2277
• Fix py-key-value-aio minimum version to 0.2.8 by @jlowin in #2288
• Fix Chrome CSP blocking OAuth consent form with custom protocol redirects by @jlowin in #2305
• Add OIDCProxy to auth module exports by @jlowin in #2308
• Require uvicorn>=0.35 for websockets-sansio support by @jlowin in #2307
• Fix query-only resource templates not matching URIs without query strings by @joshuadavidthomas in #2323
• Security: Update authlib to 1.6.5 (CVE-2025-61920) by @ColeMurray in #2347
• Security: Validate Cursor deeplink URLs and use safer Windows API by @ColeMurray in #2348
• fix: on_initialize is not using request params but the whole request by @Maxi91f in #2357
• Fix OAuth metadata endpoint URLs when base_url differs from issuer_url by @jlowin in #2353
• Fix Windows test timeouts from SQLite locking by @jlowin in #2368
• Fix: URL-encode server name in Cursor deeplinks by @jlowin in #2369
• Fix get_http_headers() returning empty dict in on_initialize middleware by @jlowin in #2370
• Allow OAuth instance to use the same httpx factory as the Transport by @guschnwg in #2324
• Fix consent form action for subpath mounting by @jlowin in #2382
• Fix Windows test timeout and restore parallel testing by @jlowin in #2383
• Fix duplicate keyword argument error in configure_logging by @strawgate in #2381
• Update CSP to allow data URI images on OAuth screens by @lawrence-law in #2405
• fix: upstream token cache expires when refresh expires by @wipash in #2410
• fix(oauth_proxy): 🐛 add extra_token_params as kwargs in refresh… by @EdenTrainorCDL in #2387
• fix(OpenAPIParser): Fix missing $defs for response schemas in experimental OpenAPI parser by @ChristophNetsch in #2398
• docs: fix run_server_async documentation by @jlowin in #2423
• Fix self-referencing types not being recognized as object schemas by @jlowin in #2424
• Simplify _is_object_schema helper by @jlowin in #2426

Docs 📚

• Update Azure sidebar title to include Entra ID by @jlowin in #2266
• Improve OAuth client token storage security documentation by @jlowin in #2270
• Add note about docs version by @jlowin in #2271
• 📝 Add docstrings to enhancement/support-jwt-multiple-issuers by @coderabbitai[bot] in #2282
• Add maturity warnings for py-key-value backends by @strawgate in #2311
• Improve ToolResult and structured output documentation by @jlowin in #2349
• Document client meta parameter by @jlowin in #2367
• docs: clarify pytest-asyncio dependency and asyncio mode configuration by @strawgate in #2399

Dependencies 📦

• Bump ty to ==0.0.1a25 by @jlowin in #2350

Other Changes 🦾

• Replace openapi-core with jsonschema-path by @jlowin in #2291
• Fix lowest-direct dependency tests to actually test minimum versions by @Copilot in #2295
• Add version badge for DebugTokenVerifier by @jlowin in #2390
• Handle request_context availability during MCP initialization by @jlowin in #2400
• Exclude MCP SDK 1.21.1 and add scope validation to InMemoryOAuthProvider by @jlowin in #2422

New Contributors

• @JonZeolla made their first contribution in #2276
• @mhassaninmsft made their first contribution in #2233
• @coderabbitai[bot] made their first contribution in #2282
• @jakekaplan made their first contribution in #2294
• @joshuadavidthomas made their first contribution in #2323
• @Hyperclaw79 made their first contribution in #2227
• @ColeMurray made their first contribution in #2347
• @BrandonShar made their first contribution in #2283
• @aiorga-sherpas made their first contribution in #2206
• @guschnwg made their first contribution in #2324
• @cemalkilic made their first contribution in #2376
• @pstoeckle made their first contribution in #2396
• @lawrence-law made their first contribution in #2405
• @wipash made their first contribution in #2410
• @EdenTrainorCDL made their first contribution in #2387
• @ChristophNetsch made their first contribution in #2398
• @kiranthakkar made their first contribution in #2389

Full Changelog: v2.13.0.1...v2.13.1