fastmcp 2.14.1__py3-none-any.whl → 2.14.3__py3-none-any.whl

fastmcp/cli/cli.py

@@ -28,6 +28,7 @@ from fastmcp.utilities.inspect import (
 )
 from fastmcp.utilities.logging import get_logger
 from fastmcp.utilities.mcp_server_config import MCPServerConfig
+from fastmcp.utilities.version_check import check_for_newer_version
 
 logger = get_logger("cli")
 console = Console()
@@ -122,6 +123,14 @@ def version(
     else:
         console.print(g)
 
+        # Check for updates (not included in --copy output)
+        if newer_version := check_for_newer_version():
+            console.print()
+            console.print(
+                f"[bold]🎉 FastMCP update available:[/bold] [green]{newer_version}[/green]"
+            )
+            console.print("[dim]Run: pip install --upgrade fastmcp[/dim]")
+
 
 @app.command
 async def dev(

fastmcp/client/auth/oauth.py

@@ -105,10 +105,13 @@ class TokenStorageAdapter(TokenStorage):
 
     @override
     async def set_tokens(self, tokens: OAuthToken) -> None:
+        # Don't set TTL based on access token expiry - the refresh token may be
+        # valid much longer. Use 1 year as a reasonable upper bound; the OAuth
+        # provider handles actual token expiry/refresh logic.
         await self._storage_oauth_token.put(
             key=self._get_token_cache_key(),
             value=tokens,
-            ttl=tokens.expires_in,
+            ttl=60 * 60 * 24 * 365,  # 1 year
         )
 
     @override

fastmcp/client/transports.py

@@ -25,7 +25,7 @@ from mcp.client.sse import sse_client
 from mcp.client.stdio import stdio_client
 from mcp.client.streamable_http import streamable_http_client
 from mcp.server.fastmcp import FastMCP as FastMCP1Server
-from mcp.shared._httpx_utils import McpHttpClientFactory
+from mcp.shared._httpx_utils import McpHttpClientFactory, create_mcp_http_client
 from mcp.shared.memory import create_client_server_memory_streams
 from pydantic import AnyUrl
 from typing_extensions import TypedDict, Unpack
@@ -284,25 +284,31 @@ class StreamableHttpTransport(ClientTransport):
         # need to be forwarded to the remote server.
         headers = get_http_headers() | self.headers
 
-        # Build httpx client configuration
-        httpx_client_kwargs: dict[str, Any] = {
-            "headers": headers,
-            "auth": self.auth,
-            "follow_redirects": True,
-        }
-
-        # Configure timeout if provided (convert timedelta to seconds for httpx)
+        # Configure timeout if provided, preserving MCP's 30s connect default
+        timeout: httpx.Timeout | None = None
         if session_kwargs.get("read_timeout_seconds") is not None:
             read_timeout_seconds = cast(
                 datetime.timedelta, session_kwargs.get("read_timeout_seconds")
             )
-            httpx_client_kwargs["timeout"] = read_timeout_seconds.total_seconds()
+            timeout = httpx.Timeout(30.0, read=read_timeout_seconds.total_seconds())
 
-        # Create httpx client from factory or use default
+        # Create httpx client from factory or use default with MCP-appropriate timeouts
+        # create_mcp_http_client uses 30s connect/5min read timeout by default,
+        # and always enables follow_redirects
         if self.httpx_client_factory is not None:
-            http_client = self.httpx_client_factory(**httpx_client_kwargs)
+            # Factory clients get the full kwargs for backwards compatibility
+            http_client = self.httpx_client_factory(
+                headers=headers,
+                auth=self.auth,
+                follow_redirects=True,
+                **({"timeout": timeout} if timeout else {}),
+            )
         else:
-            http_client = httpx.AsyncClient(**httpx_client_kwargs)
+            http_client = create_mcp_http_client(
+                headers=headers,
+                timeout=timeout,
+                auth=self.auth,
+            )
 
         # Ensure httpx client is closed after use
         async with (

fastmcp/prompts/prompt_manager.py

@@ -7,7 +7,7 @@ from typing import Any
 from mcp import GetPromptResult
 
 from fastmcp import settings
-from fastmcp.exceptions import NotFoundError, PromptError
+from fastmcp.exceptions import FastMCPError, NotFoundError, PromptError
 from fastmcp.prompts.prompt import FunctionPrompt, Prompt, PromptResult
 from fastmcp.settings import DuplicateBehavior
 from fastmcp.utilities.logging import get_logger
@@ -107,9 +107,8 @@ class PromptManager:
         try:
             messages = await prompt.render(arguments)
             return GetPromptResult(description=prompt.description, messages=messages)
-        except PromptError as e:
-            logger.exception(f"Error rendering prompt {name!r}")
-            raise e
+        except FastMCPError:
+            raise
         except Exception as e:
             logger.exception(f"Error rendering prompt {name!r}")
             if self.mask_error_details:

fastmcp/resources/resource_manager.py

@@ -10,7 +10,7 @@ from typing import Any
 from pydantic import AnyUrl
 
 from fastmcp import settings
-from fastmcp.exceptions import NotFoundError, ResourceError
+from fastmcp.exceptions import FastMCPError, NotFoundError, ResourceError
 from fastmcp.resources.resource import Resource
 from fastmcp.resources.template import (
     ResourceTemplate,
@@ -268,10 +268,9 @@ class ResourceManager:
                         uri_str,
                         params=params,
                     )
-                # Pass through ResourceErrors as-is
-                except ResourceError as e:
-                    logger.error(f"Error creating resource from template: {e}")
-                    raise e
+                # Pass through FastMCPErrors as-is
+                except FastMCPError:
+                    raise
                 # Handle other exceptions
                 except Exception as e:
                     logger.error(f"Error creating resource from template: {e}")
@@ -299,10 +298,9 @@ class ResourceManager:
             try:
                 return await resource.read()
 
-            # raise ResourceErrors as-is
-            except ResourceError as e:
-                logger.exception(f"Error reading resource {uri_str!r}")
-                raise e
+            # raise FastMCPErrors as-is
+            except FastMCPError:
+                raise
 
             # Handle other exceptions
             except Exception as e:
@@ -322,11 +320,8 @@ class ResourceManager:
                 try:
                     resource = await template.create_resource(uri_str, params=params)
                     return await resource.read()
-                except ResourceError as e:
-                    logger.exception(
-                        f"Error reading resource from template {uri_str!r}"
-                    )
-                    raise e
+                except FastMCPError:
+                    raise
                 except Exception as e:
                     logger.exception(
                         f"Error reading resource from template {uri_str!r}"

fastmcp/server/auth/auth.py

@@ -114,6 +114,8 @@ class AuthProvider(TokenVerifierProtocol):
             base_url = AnyHttpUrl(base_url)
         self.base_url = base_url
         self.required_scopes = required_scopes or []
+        self._mcp_path: str | None = None
+        self._resource_url: AnyHttpUrl | None = None
 
     async def verify_token(self, token: str) -> AccessToken | None:
         """Verify a bearer token and return access info if valid.
@@ -128,6 +130,20 @@ class AuthProvider(TokenVerifierProtocol):
         """
         raise NotImplementedError("Subclasses must implement verify_token")
 
+    def set_mcp_path(self, mcp_path: str | None) -> None:
+        """Set the MCP endpoint path and compute resource URL.
+
+        This method is called by get_routes() to configure the expected
+        resource URL before route creation. Subclasses can override to
+        perform additional initialization that depends on knowing the
+        MCP endpoint path.
+
+        Args:
+            mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp")
+        """
+        self._mcp_path = mcp_path
+        self._resource_url = self._get_resource_url(mcp_path)
+
     def get_routes(
         self,
         mcp_path: str | None = None,
@@ -407,6 +423,8 @@ class OAuthProvider(
         Returns:
             List of OAuth routes
         """
+        # Configure resource URL before creating routes
+        self.set_mcp_path(mcp_path)
 
         # Create standard OAuth authorization server routes
         # Pass base_url as issuer_url to ensure metadata declares endpoints where
@@ -451,11 +469,8 @@ class OAuthProvider(
             else:
                 oauth_routes.append(route)
 
-        # Get the resource URL based on the MCP path
-        resource_url = self._get_resource_url(mcp_path)
-
         # Add protected resource routes if this server is also acting as a resource server
-        if resource_url:
+        if self._resource_url:
             supported_scopes = (
                 self.client_registration_options.valid_scopes
                 if self.client_registration_options
@@ -463,7 +478,7 @@ class OAuthProvider(
                 else self.required_scopes
             )
             protected_routes = create_protected_resource_routes(
-                resource_url=resource_url,
+                resource_url=self._resource_url,
                 authorization_servers=[cast(AnyHttpUrl, self.issuer_url)],
                 scopes_supported=supported_scopes,
             )

fastmcp/server/auth/oauth_proxy.py

@@ -34,7 +34,6 @@ from authlib.integrations.httpx_client import AsyncOAuth2Client
 from cryptography.fernet import Fernet
 from key_value.aio.adapters.pydantic import PydanticAdapter
 from key_value.aio.protocols import AsyncKeyValue
-from key_value.aio.stores.disk import DiskStore
 from key_value.aio.wrappers.encryption import FernetEncryptionWrapper
 from mcp.server.auth.provider import (
     AccessToken,
@@ -805,14 +804,16 @@ class OAuthProxy(OAuthProvider):
                 salt="fastmcp-jwt-signing-key",
             )
 
-        self._jwt_issuer: JWTIssuer = JWTIssuer(
-            issuer=str(self.base_url),
-            audience=f"{str(self.base_url).rstrip('/')}/mcp",
-            signing_key=jwt_signing_key,
-        )
+        # Store JWT signing key for deferred JWTIssuer creation in set_mcp_path()
+        self._jwt_signing_key: bytes = jwt_signing_key
+        # JWTIssuer will be created in set_mcp_path() with correct audience
+        self._jwt_issuer: JWTIssuer | None = None
 
         # If the user does not provide a store, we will provide an encrypted disk store
         if client_storage is None:
+            # Import lazily to avoid sqlite3 dependency when not using OAuthProxy
+            from key_value.aio.stores.disk import DiskStore
+
             storage_encryption_key = derive_jwt_key(
                 high_entropy_material=jwt_signing_key.decode(),
                 salt="fastmcp-storage-encryption-key",
@@ -897,6 +898,47 @@ class OAuthProxy(OAuthProvider):
             self._upstream_authorization_endpoint,
         )
 
+    # -------------------------------------------------------------------------
+    # MCP Path Configuration
+    # -------------------------------------------------------------------------
+
+    def set_mcp_path(self, mcp_path: str | None) -> None:
+        """Set the MCP endpoint path and create JWTIssuer with correct audience.
+
+        This method is called by get_routes() to configure the resource URL
+        and create the JWTIssuer. The JWT audience is set to the full resource
+        URL (e.g., http://localhost:8000/mcp) to ensure tokens are bound to
+        this specific MCP endpoint.
+
+        Args:
+            mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp")
+        """
+        super().set_mcp_path(mcp_path)
+
+        # Create JWT issuer with correct audience based on actual MCP path
+        # This ensures tokens are bound to the specific resource URL
+        self._jwt_issuer = JWTIssuer(
+            issuer=str(self.base_url),
+            audience=str(self._resource_url),
+            signing_key=self._jwt_signing_key,
+        )
+
+        logger.debug("Configured OAuth proxy for resource URL: %s", self._resource_url)
+
+    @property
+    def jwt_issuer(self) -> JWTIssuer:
+        """Get the JWT issuer, ensuring it has been initialized.
+
+        The JWT issuer is created when set_mcp_path() is called (via get_routes()).
+        This property ensures a clear error if used before initialization.
+        """
+        if self._jwt_issuer is None:
+            raise RuntimeError(
+                "JWT issuer not initialized. Ensure get_routes() is called "
+                "before token operations."
+            )
+        return self._jwt_issuer
+
     # -------------------------------------------------------------------------
     # PKCE Helper Methods
     # -------------------------------------------------------------------------
@@ -998,13 +1040,29 @@ class OAuthProxy(OAuthProvider):
         """Start OAuth transaction and route through consent interstitial.
 
         Flow:
-        1. Store transaction with client details and PKCE (if forwarding)
-        2. Return local /consent URL; browser visits consent first
-        3. Consent handler redirects to upstream IdP if approved/already approved
+        1. Validate client's resource matches server's resource URL (security check)
+        2. Store transaction with client details and PKCE (if forwarding)
+        3. Return local /consent URL; browser visits consent first
+        4. Consent handler redirects to upstream IdP if approved/already approved
 
         If consent is disabled (require_authorization_consent=False), skip the consent screen
         and redirect directly to the upstream IdP.
         """
+        # Security check: validate client's requested resource matches this server
+        # This prevents tokens intended for one server from being used on another
+        client_resource = getattr(params, "resource", None)
+        if client_resource and self._resource_url:
+            if str(client_resource) != str(self._resource_url):
+                logger.warning(
+                    "Resource mismatch: client requested %s but server is %s",
+                    client_resource,
+                    self._resource_url,
+                )
+                raise AuthorizeError(
+                    error="invalid_target",  # type: ignore[arg-type]
+                    error_description="Resource does not match this server",
+                )
+
         # Generate transaction ID for this authorization request
         txn_id = secrets.token_urlsafe(32)
 
@@ -1163,12 +1221,24 @@ class OAuthProxy(OAuthProvider):
         # - 1 year if no refresh token (likely API-key-style token like GitHub OAuth Apps)
         if "expires_in" in idp_tokens:
             expires_in = int(idp_tokens["expires_in"])
+            logger.debug(
+                "Access token TTL: %d seconds (from IdP expires_in)", expires_in
+            )
         elif self._fallback_access_token_expiry_seconds is not None:
             expires_in = self._fallback_access_token_expiry_seconds
+            logger.debug(
+                "Access token TTL: %d seconds (using configured fallback)", expires_in
+            )
         elif idp_tokens.get("refresh_token"):
             expires_in = DEFAULT_ACCESS_TOKEN_EXPIRY_SECONDS
+            logger.debug(
+                "Access token TTL: %d seconds (default, has refresh token)", expires_in
+            )
         else:
             expires_in = DEFAULT_ACCESS_TOKEN_EXPIRY_NO_REFRESH_SECONDS
+            logger.debug(
+                "Access token TTL: %d seconds (default, no refresh token)", expires_in
+            )
 
         # Calculate refresh token expiry if provided by upstream
         # Some providers include refresh_expires_in, some don't
@@ -1208,15 +1278,16 @@ class OAuthProxy(OAuthProvider):
         await self._upstream_token_store.put(
             key=upstream_token_id,
             value=upstream_token_set,
-            ttl=refresh_expires_in
-            or expires_in,  # Auto-expire when refresh token, or access token expires
+            ttl=max(
+                refresh_expires_in or 0, expires_in, 1
+            ),  # Keep until longest-lived token expires (min 1s for safety)
         )
         logger.debug("Stored encrypted upstream tokens (jti=%s)", access_jti[:8])
 
         # Issue minimal FastMCP access token (just a reference via JTI)
         if client.client_id is None:
             raise TokenError("invalid_client", "Client ID is required")
-        fastmcp_access_token = self._jwt_issuer.issue_access_token(
+        fastmcp_access_token = self.jwt_issuer.issue_access_token(
             client_id=client.client_id,
             scopes=authorization_code.scopes,
             jti=access_jti,
@@ -1227,7 +1298,7 @@ class OAuthProxy(OAuthProvider):
         # Use upstream refresh token expiry to align lifetimes
         fastmcp_refresh_token = None
         if refresh_jti and refresh_expires_in:
-            fastmcp_refresh_token = self._jwt_issuer.issue_refresh_token(
+            fastmcp_refresh_token = self.jwt_issuer.issue_refresh_token(
                 client_id=client.client_id,
                 scopes=authorization_code.scopes,
                 jti=refresh_jti,
@@ -1352,7 +1423,7 @@ class OAuthProxy(OAuthProvider):
         """
         # Verify FastMCP refresh token
         try:
-            refresh_payload = self._jwt_issuer.verify_token(refresh_token.token)
+            refresh_payload = self.jwt_issuer.verify_token(refresh_token.token)
             refresh_jti = refresh_payload["jti"]
         except Exception as e:
             logger.debug("FastMCP refresh token validation failed: %s", e)
@@ -1409,10 +1480,21 @@ class OAuthProxy(OAuthProvider):
         # (user override still applies if set)
         if "expires_in" in token_response:
             new_expires_in = int(token_response["expires_in"])
+            logger.debug(
+                "Refreshed access token TTL: %d seconds (from IdP expires_in)",
+                new_expires_in,
+            )
         elif self._fallback_access_token_expiry_seconds is not None:
             new_expires_in = self._fallback_access_token_expiry_seconds
+            logger.debug(
+                "Refreshed access token TTL: %d seconds (using configured fallback)",
+                new_expires_in,
+            )
         else:
             new_expires_in = DEFAULT_ACCESS_TOKEN_EXPIRY_SECONDS
+            logger.debug(
+                "Refreshed access token TTL: %d seconds (default)", new_expires_in
+            )
         upstream_token_set.access_token = token_response["access_token"]
         upstream_token_set.expires_at = time.time() + new_expires_in
 
@@ -1446,22 +1528,25 @@ class OAuthProxy(OAuthProvider):
                 )
 
         upstream_token_set.raw_token_data = token_response
+        # Calculate refresh TTL for storage
+        refresh_ttl = new_refresh_expires_in or (
+            int(upstream_token_set.refresh_token_expires_at - time.time())
+            if upstream_token_set.refresh_token_expires_at
+            else 60 * 60 * 24 * 30  # Default to 30 days if unknown
+        )
         await self._upstream_token_store.put(
             key=upstream_token_set.upstream_token_id,
             value=upstream_token_set,
-            ttl=new_refresh_expires_in
-            or (
-                int(upstream_token_set.refresh_token_expires_at - time.time())
-                if upstream_token_set.refresh_token_expires_at
-                else 60 * 60 * 24 * 30  # Default to 30 days if unknown
-            ),  # Auto-expire when refresh token expires
+            ttl=max(
+                refresh_ttl, new_expires_in, 1
+            ),  # Keep until longest-lived token expires (min 1s for safety)
         )
 
         # Issue new minimal FastMCP access token (just a reference via JTI)
         if client.client_id is None:
             raise TokenError("invalid_client", "Client ID is required")
         new_access_jti = secrets.token_urlsafe(32)
-        new_fastmcp_access = self._jwt_issuer.issue_access_token(
+        new_fastmcp_access = self.jwt_issuer.issue_access_token(
             client_id=client.client_id,
             scopes=scopes,
             jti=new_access_jti,
@@ -1482,7 +1567,7 @@ class OAuthProxy(OAuthProvider):
         # Issue NEW minimal FastMCP refresh token (rotation for security)
         # Use upstream refresh token expiry to align lifetimes
         new_refresh_jti = secrets.token_urlsafe(32)
-        new_fastmcp_refresh = self._jwt_issuer.issue_refresh_token(
+        new_fastmcp_refresh = self.jwt_issuer.issue_refresh_token(
             client_id=client.client_id,
             scopes=scopes,
             jti=new_refresh_jti,
@@ -1491,7 +1576,7 @@ class OAuthProxy(OAuthProvider):
         )
 
         # Store new refresh token JTI mapping with aligned expiry
-        refresh_ttl = new_refresh_expires_in or 60 * 60 * 24 * 30
+        # (reuse refresh_ttl calculated above for upstream token store)
         await self._jti_mapping_store.put(
             key=new_refresh_jti,
             value=JTIMapping(
@@ -1558,13 +1643,16 @@ class OAuthProxy(OAuthProvider):
         """
         try:
             # 1. Verify FastMCP JWT signature and claims
-            payload = self._jwt_issuer.verify_token(token)
+            payload = self.jwt_issuer.verify_token(token)
             jti = payload["jti"]
 
             # 2. Look up upstream token via JTI mapping
             jti_mapping = await self._jti_mapping_store.get(key=jti)
             if not jti_mapping:
-                logger.debug("JTI mapping not found: %s", jti)
+                logger.info(
+                    "JTI mapping not found (token may have expired): jti=%s...",
+                    jti[:16],
+                )
                 return None
 
             upstream_token_set = await self._upstream_token_store.get(
@@ -1807,6 +1895,11 @@ class OAuthProxy(OAuthProvider):
                 logger.debug(
                     f"Successfully exchanged IdP code for tokens (transaction: {txn_id}, PKCE: {bool(proxy_code_verifier)})"
                 )
+                logger.debug(
+                    "IdP token response: expires_in=%s, has_refresh_token=%s",
+                    idp_tokens.get("expires_in"),
+                    "refresh_token" in idp_tokens,
+                )
 
             except Exception as e:
                 logger.error("IdP token exchange failed: %s", e)

fastmcp/server/auth/providers/supabase.py

@@ -34,6 +34,7 @@ class SupabaseProviderSettings(BaseSettings):
 
     project_url: AnyHttpUrl
     base_url: AnyHttpUrl
+    auth_route: str = "/auth/v1"
     algorithm: Literal["HS256", "RS256", "ES256"] = "ES256"
     required_scopes: list[str] | None = None
 
@@ -59,8 +60,8 @@ class SupabaseProvider(RemoteAuthProvider):
        - Asymmetric keys (RS256/ES256) are recommended for production
 
     2. JWT Verification:
-       - FastMCP verifies JWTs using the JWKS endpoint at {project_url}/auth/v1/.well-known/jwks.json
-       - JWTs are issued by {project_url}/auth/v1
+       - FastMCP verifies JWTs using the JWKS endpoint at {project_url}{auth_route}/.well-known/jwks.json
+       - JWTs are issued by {project_url}{auth_route}
        - Tokens are cached for up to 10 minutes by Supabase's edge servers
        - Algorithm must match your Supabase Auth configuration
 
@@ -93,6 +94,7 @@ class SupabaseProvider(RemoteAuthProvider):
         *,
         project_url: AnyHttpUrl | str | NotSetT = NotSet,
         base_url: AnyHttpUrl | str | NotSetT = NotSet,
+        auth_route: str | NotSetT = NotSet,
         algorithm: Literal["HS256", "RS256", "ES256"] | NotSetT = NotSet,
         required_scopes: list[str] | NotSetT | None = NotSet,
         token_verifier: TokenVerifier | None = None,
@@ -102,6 +104,7 @@ class SupabaseProvider(RemoteAuthProvider):
         Args:
             project_url: Your Supabase project URL (e.g., "https://abc123.supabase.co")
             base_url: Public URL of this FastMCP server
+            auth_route: Supabase Auth route. Defaults to "/auth/v1".
             algorithm: JWT signing algorithm (HS256, RS256, or ES256). Must match your
                 Supabase Auth configuration. Defaults to ES256.
             required_scopes: Optional list of scopes to require for all requests.
@@ -115,6 +118,7 @@ class SupabaseProvider(RemoteAuthProvider):
                 for k, v in {
                     "project_url": project_url,
                     "base_url": base_url,
+                    "auth_route": auth_route,
                     "algorithm": algorithm,
                     "required_scopes": required_scopes,
                 }.items()
@@ -124,12 +128,13 @@ class SupabaseProvider(RemoteAuthProvider):
 
         self.project_url = str(settings.project_url).rstrip("/")
         self.base_url = AnyHttpUrl(str(settings.base_url).rstrip("/"))
+        self.auth_route = settings.auth_route.strip("/")
 
         # Create default JWT verifier if none provided
         if token_verifier is None:
             token_verifier = JWTVerifier(
-                jwks_uri=f"{self.project_url}/auth/v1/.well-known/jwks.json",
-                issuer=f"{self.project_url}/auth/v1",
+                jwks_uri=f"{self.project_url}/{self.auth_route}/.well-known/jwks.json",
+                issuer=f"{self.project_url}/{self.auth_route}",
                 algorithm=settings.algorithm,
                 required_scopes=settings.required_scopes,
             )
@@ -137,7 +142,7 @@ class SupabaseProvider(RemoteAuthProvider):
         # Initialize RemoteAuthProvider with Supabase as the authorization server
         super().__init__(
             token_verifier=token_verifier,
-            authorization_servers=[AnyHttpUrl(f"{self.project_url}/auth/v1")],
+            authorization_servers=[AnyHttpUrl(f"{self.project_url}/{self.auth_route}")],
             base_url=self.base_url,
         )
 
@@ -162,7 +167,7 @@ class SupabaseProvider(RemoteAuthProvider):
             try:
                 async with httpx.AsyncClient() as client:
                     response = await client.get(
-                        f"{self.project_url}/auth/v1/.well-known/oauth-authorization-server"
+                        f"{self.project_url}/{self.auth_route}/.well-known/oauth-authorization-server"
                     )
                     response.raise_for_status()
                     metadata = response.json()

fastmcp/server/context.py

@@ -185,10 +185,24 @@ class Context:
         self._tokens.append(token)
 
         # Set current server for dependency injection (use weakref to avoid reference cycles)
-        from fastmcp.server.dependencies import _current_server
+        from fastmcp.server.dependencies import (
+            _current_docket,
+            _current_server,
+            _current_worker,
+        )
 
         self._server_token = _current_server.set(weakref.ref(self.fastmcp))
 
+        # Set docket/worker from server instance for this request's context.
+        # This ensures ContextVars work even in environments (like Lambda) where
+        # lifespan ContextVars don't propagate to request handlers.
+        server = self.fastmcp
+        if server._docket is not None:
+            self._docket_token = _current_docket.set(server._docket)
+
+        if server._worker is not None:
+            self._worker_token = _current_worker.set(server._worker)
+
         return self
 
     async def __aexit__(self, exc_type, exc_val, exc_tb) -> None:
@@ -196,10 +210,20 @@ class Context:
         # Flush any remaining notifications before exiting
         await self._flush_notifications()
 
-        # Reset server token
-        if hasattr(self, "_server_token"):
-            from fastmcp.server.dependencies import _current_server
+        # Reset server/docket/worker tokens
+        from fastmcp.server.dependencies import (
+            _current_docket,
+            _current_server,
+            _current_worker,
+        )
 
+        if hasattr(self, "_worker_token"):
+            _current_worker.reset(self._worker_token)
+            delattr(self, "_worker_token")
+        if hasattr(self, "_docket_token"):
+            _current_docket.reset(self._docket_token)
+            delattr(self, "_docket_token")
+        if hasattr(self, "_server_token"):
             _current_server.reset(self._server_token)
             delattr(self, "_server_token")
 

fastmcp/server/dependencies.py

@@ -21,6 +21,7 @@ from mcp.server.auth.provider import (
 from mcp.server.lowlevel.server import request_ctx
 from starlette.requests import Request
 
+from fastmcp.exceptions import FastMCPError
 from fastmcp.server.auth import AccessToken
 from fastmcp.server.http import _current_http_request
 from fastmcp.utilities.types import is_class_member_of_type
@@ -188,6 +189,10 @@ async def _resolve_fastmcp_dependencies(
                         resolved[parameter] = await stack.enter_async_context(
                             dependency
                         )
+                    except FastMCPError:
+                        # Let FastMCPError subclasses (ToolError, ResourceError, etc.)
+                        # propagate unchanged so they can be handled appropriately
+                        raise
                     except Exception as error:
                         fn_name = getattr(fn, "__name__", repr(fn))
                         raise RuntimeError(