fastmcp 2.14.4__py3-none-any.whl → 3.0.0b1__py3-none-any.whl

fastmcp/server/auth/providers/jwt.py

@@ -11,15 +11,12 @@ from authlib.jose import JsonWebKey, JsonWebToken
 from authlib.jose.errors import JoseError
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
-from pydantic import AnyHttpUrl, SecretStr, field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import AnyHttpUrl, SecretStr
 from typing_extensions import TypedDict
 
 from fastmcp.server.auth import AccessToken, TokenVerifier
-from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
@@ -139,29 +136,6 @@ class RSAKeyPair:
         return token_bytes.decode("utf-8")
 
 
-class JWTVerifierSettings(BaseSettings):
-    """Settings for JWT token verification."""
-
-    model_config = SettingsConfigDict(
-        env_prefix="FASTMCP_SERVER_AUTH_JWT_",
-        env_file=ENV_FILE,
-        extra="ignore",
-    )
-
-    public_key: str | None = None
-    jwks_uri: str | None = None
-    issuer: str | list[str] | None = None
-    algorithm: str | None = None
-    audience: str | list[str] | None = None
-    required_scopes: list[str] | None = None
-    base_url: AnyHttpUrl | str | None = None
-
-    @field_validator("required_scopes", mode="before")
-    @classmethod
-    def _parse_scopes(cls, v):
-        return parse_scopes(v)
-
-
 class JWTVerifier(TokenVerifier):
     """
     JWT token verifier supporting both asymmetric (RSA/ECDSA) and symmetric (HMAC) algorithms.
@@ -184,52 +158,36 @@ class JWTVerifier(TokenVerifier):
     def __init__(
         self,
         *,
-        public_key: str | NotSetT | None = NotSet,
-        jwks_uri: str | NotSetT | None = NotSet,
-        issuer: str | list[str] | NotSetT | None = NotSet,
-        audience: str | list[str] | NotSetT | None = NotSet,
-        algorithm: str | NotSetT | None = NotSet,
-        required_scopes: list[str] | NotSetT | None = NotSet,
-        base_url: AnyHttpUrl | str | NotSetT | None = NotSet,
+        public_key: str | None = None,
+        jwks_uri: str | None = None,
+        issuer: str | list[str] | None = None,
+        audience: str | list[str] | None = None,
+        algorithm: str | None = None,
+        required_scopes: list[str] | None = None,
+        base_url: AnyHttpUrl | str | None = None,
     ):
         """
         Initialize a JWTVerifier configured to validate JWTs using either a static key or a JWKS endpoint.
 
         Parameters:
-            public_key (str | NotSetT | None): PEM-encoded public key for asymmetric algorithms or shared secret for symmetric algorithms.
-            jwks_uri (str | NotSetT | None): URI to fetch a JSON Web Key Set; used when verifying tokens with remote JWKS.
-            issuer (str | list[str] | NotSetT | None): Expected issuer claim value or list of allowed issuer values.
-            audience (str | list[str] | NotSetT | None): Expected audience claim value or list of allowed audience values.
-            algorithm (str | NotSetT | None): JWT signing algorithm to accept (default: "RS256"). Supported: HS256/384/512, RS256/384/512, ES256/384/512, PS256/384/512.
-            required_scopes (list[str] | NotSetT | None): Scopes that must be present in validated tokens.
-            base_url (AnyHttpUrl | str | NotSetT | None): Base URL passed to the parent TokenVerifier.
+            public_key: PEM-encoded public key for asymmetric algorithms or shared secret for symmetric algorithms.
+            jwks_uri: URI to fetch a JSON Web Key Set; used when verifying tokens with remote JWKS.
+            issuer: Expected issuer claim value or list of allowed issuer values.
+            audience: Expected audience claim value or list of allowed audience values.
+            algorithm: JWT signing algorithm to accept (default: "RS256"). Supported: HS256/384/512, RS256/384/512, ES256/384/512, PS256/384/512.
+            required_scopes: Scopes that must be present in validated tokens.
+            base_url: Base URL passed to the parent TokenVerifier.
 
         Raises:
             ValueError: If neither or both of `public_key` and `jwks_uri` are provided, or if `algorithm` is unsupported.
         """
-        settings = JWTVerifierSettings.model_validate(
-            {
-                k: v
-                for k, v in {
-                    "public_key": public_key,
-                    "jwks_uri": jwks_uri,
-                    "issuer": issuer,
-                    "audience": audience,
-                    "algorithm": algorithm,
-                    "required_scopes": required_scopes,
-                    "base_url": base_url,
-                }.items()
-                if v is not NotSet
-            }
-        )
-
-        if not settings.public_key and not settings.jwks_uri:
+        if not public_key and not jwks_uri:
             raise ValueError("Either public_key or jwks_uri must be provided")
 
-        if settings.public_key and settings.jwks_uri:
+        if public_key and jwks_uri:
             raise ValueError("Provide either public_key or jwks_uri, not both")
 
-        algorithm = settings.algorithm or "RS256"
+        algorithm = algorithm or "RS256"
         if algorithm not in {
             "HS256",
             "HS384",
@@ -246,17 +204,22 @@ class JWTVerifier(TokenVerifier):
         }:
             raise ValueError(f"Unsupported algorithm: {algorithm}.")
 
+        # Parse scopes if provided as string
+        parsed_required_scopes = (
+            parse_scopes(required_scopes) if required_scopes is not None else None
+        )
+
         # Initialize parent TokenVerifier
         super().__init__(
-            base_url=settings.base_url,
-            required_scopes=settings.required_scopes,
+            base_url=base_url,
+            required_scopes=parsed_required_scopes,
         )
 
         self.algorithm = algorithm
-        self.issuer = settings.issuer
-        self.audience = settings.audience
-        self.public_key = settings.public_key
-        self.jwks_uri = settings.jwks_uri
+        self.issuer = issuer
+        self.audience = audience
+        self.public_key = public_key
+        self.jwks_uri = jwks_uri
         self.jwt = JsonWebToken([self.algorithm])
         self.logger = get_logger(__name__)
 
@@ -312,7 +275,7 @@ class JWTVerifier(TokenVerifier):
             for key_data in jwks_data.get("keys", []):
                 key_kid = key_data.get("kid")
                 jwk = JsonWebKey.import_key(key_data)
-                public_key = jwk.get_public_key()  # type: ignore
+                public_key = jwk.get_public_key()
 
                 if key_kid:
                     self._jwks_cache[key_kid] = public_key

fastmcp/server/auth/providers/oci.py

@@ -19,22 +19,22 @@ Example:
 
     import os
 
-    # Load configuration from environment
-    FASTMCP_SERVER_AUTH_OCI_CONFIG_URL = os.environ["FASTMCP_SERVER_AUTH_OCI_CONFIG_URL"]
-    FASTMCP_SERVER_AUTH_OCI_CLIENT_ID = os.environ["FASTMCP_SERVER_AUTH_OCI_CLIENT_ID"]
-    FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET = os.environ["FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET"]
-    FASTMCP_SERVER_AUTH_OCI_IAM_GUID = os.environ["FASTMCP_SERVER_AUTH_OCI_IAM_GUID"]
-
     import oci
     from oci.auth.signers import TokenExchangeSigner
 
     logger = get_logger(__name__)
 
+    # Load configuration from environment
+    config_url = os.environ.get("OCI_CONFIG_URL")  # OCI IAM Domain OIDC discovery URL
+    client_id = os.environ.get("OCI_CLIENT_ID")  # Client ID configured for the OCI IAM Domain Integrated Application
+    client_secret = os.environ.get("OCI_CLIENT_SECRET")  # Client secret configured for the OCI IAM Domain Integrated Application
+    iam_guid = os.environ.get("OCI_IAM_GUID")  # IAM GUID configured for the OCI IAM Domain
+
     # Simple OCI OIDC protection
     auth = OCIProvider(
-        config_url=FASTMCP_SERVER_AUTH_OCI_CONFIG_URL, #config URL is the OCI IAM Domain OIDC discovery URL.
-        client_id=FASTMCP_SERVER_AUTH_OCI_CLIENT_ID, #This is same as the client ID configured for the OCI IAM Domain Integrated Application
-        client_secret=FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET, #This is same as the client secret configured for the OCI IAM Domain Integrated Application
+        config_url=config_url,  # config URL is the OCI IAM Domain OIDC discovery URL
+        client_id=client_id,  # This is same as the client ID configured for the OCI IAM Domain Integrated Application
+        client_secret=client_secret,  # This is same as the client secret configured for the OCI IAM Domain Integrated Application
         required_scopes=["openid", "profile", "email"],
         redirect_path="/auth/callback",
         base_url="http://localhost:8000",
@@ -42,7 +42,7 @@ Example:
 
     # NOTE: For production use, replace this with a thread-safe cache implementation
     # such as threading.Lock-protected dict or a proper caching library
-    _global_token_cache = {} #In memory cache for OCI session token signer
+    _global_token_cache = {}  # In memory cache for OCI session token signer
 
     def get_oci_signer() -> TokenExchangeSigner:
 
@@ -50,20 +50,20 @@ Example:
         tokenID = authntoken.claims.get("jti")
         token = authntoken.token
 
-        #Check if the signer exists for the token ID in memory cache
+        # Check if the signer exists for the token ID in memory cache
         cached_signer = _global_token_cache.get(tokenID)
         logger.debug(f"Global cached signer: {cached_signer}")
         if cached_signer:
             logger.debug(f"Using globally cached signer for token ID: {tokenID}")
             return cached_signer
 
-        #If the signer is not yet created for the token then create new OCI signer object
+        # If the signer is not yet created for the token then create new OCI signer object
         logger.debug(f"Creating new signer for token ID: {tokenID}")
         signer = TokenExchangeSigner(
             jwt_or_func=token,
-            oci_domain_id=FASTMCP_SERVER_AUTH_OCI_IAM_GUID.split(".")[0],   #This is same as IAM GUID configured for the OCI IAM Domain
-            client_id=FASTMCP_SERVER_AUTH_OCI_CLIENT_ID, #This is same as the client ID configured for the OCI IAM Domain Integrated Application
-            client_secret=FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET #This is same as the client secret configured for the OCI IAM Domain Integrated Application
+            oci_domain_id=iam_guid.split(".")[0] if iam_guid else None,  # This is same as IAM GUID configured for the OCI IAM Domain
+            client_id=client_id,  # This is same as the client ID configured for the OCI IAM Domain Integrated Application
+            client_secret=client_secret,  # This is same as the client secret configured for the OCI IAM Domain Integrated Application
         )
         logger.debug(f"Signer {signer} created for token ID: {tokenID}")
 
@@ -78,44 +78,15 @@ Example:
 """
 
 from key_value.aio.protocols import AsyncKeyValue
-from pydantic import AnyHttpUrl, SecretStr, field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import AnyHttpUrl
 
 from fastmcp.server.auth.oidc_proxy import OIDCProxy
-from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
 
-class OCIProviderSettings(BaseSettings):
-    """Settings for OCI IAM domain OIDC provider."""
-
-    model_config = SettingsConfigDict(
-        env_prefix="FASTMCP_SERVER_AUTH_OCI_",
-        env_file=ENV_FILE,
-        extra="ignore",
-    )
-
-    config_url: AnyHttpUrl | None = None
-    client_id: str | None = None
-    client_secret: SecretStr | None = None
-    audience: str | None = None
-    base_url: AnyHttpUrl | None = None
-    issuer_url: AnyHttpUrl | None = None
-    redirect_path: str | None = None
-    required_scopes: list[str] | None = None
-    allowed_client_redirect_uris: list[str] | None = None
-    jwt_signing_key: str | bytes | None = None
-
-    @field_validator("required_scopes", mode="before")
-    @classmethod
-    def _parse_scopes(cls, v):
-        return parse_scopes(v)
-
-
 class OCIProvider(OIDCProxy):
     """An OCI IAM Domain provider implementation for FastMCP.
 
@@ -127,11 +98,13 @@ class OCIProvider(OIDCProxy):
         from fastmcp import FastMCP
         from fastmcp.server.auth.providers.oci import OCIProvider
 
-        # Simple OCI OIDC protection
+        import os
+
+        # Load configuration from environment
         auth = OCIProvider(
-            config_url=FASTMCP_SERVER_AUTH_OCI_CONFIG_URL, #config URL is the OCI IAM Domain OIDC discovery URL.
-            client_id=FASTMCP_SERVER_AUTH_OCI_CLIENT_ID, #This is same as the client ID configured for the OCI IAM Domain Integrated Application
-            client_secret=FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET, #This is same as the client secret configured for the OCI IAM Domain Integrated Application
+            config_url=os.environ.get("OCI_CONFIG_URL"),  # OCI IAM Domain OIDC discovery URL
+            client_id=os.environ.get("OCI_CLIENT_ID"),  # Client ID configured for the OCI IAM Domain Integrated Application
+            client_secret=os.environ.get("OCI_CLIENT_SECRET"),  # Client secret configured for the OCI IAM Domain Integrated Application
             base_url="http://localhost:8000",
             required_scopes=["openid", "profile", "email"],
             redirect_path="/auth/callback",
@@ -144,17 +117,17 @@ class OCIProvider(OIDCProxy):
     def __init__(
         self,
         *,
-        config_url: AnyHttpUrl | str | NotSetT = NotSet,
-        client_id: str | NotSetT = NotSet,
-        client_secret: str | NotSetT = NotSet,
-        audience: str | NotSetT = NotSet,
-        base_url: AnyHttpUrl | str | NotSetT = NotSet,
-        issuer_url: AnyHttpUrl | str | NotSetT = NotSet,
-        required_scopes: list[str] | NotSetT = NotSet,
-        redirect_path: str | NotSetT = NotSet,
-        allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
+        config_url: AnyHttpUrl | str,
+        client_id: str,
+        client_secret: str,
+        base_url: AnyHttpUrl | str,
+        audience: str | None = None,
+        issuer_url: AnyHttpUrl | str | None = None,
+        required_scopes: list[str] | None = None,
+        redirect_path: str | None = None,
+        allowed_client_redirect_uris: list[str] | None = None,
         client_storage: AsyncKeyValue | None = None,
-        jwt_signing_key: str | bytes | NotSetT = NotSet,
+        jwt_signing_key: str | bytes | None = None,
         require_authorization_consent: bool = True,
     ) -> None:
         """Initialize OCI OIDC provider.
@@ -163,71 +136,35 @@ class OCIProvider(OIDCProxy):
             config_url: OCI OIDC Discovery URL
             client_id: OCI IAM Domain Integrated Application client id
             client_secret: OCI Integrated Application client secret
-            audience: OCI API audience (optional)
             base_url: Public URL where OIDC endpoints will be accessible (includes any mount path)
+            audience: OCI API audience (optional)
             issuer_url: Issuer URL for OCI IAM Domain metadata. This will override issuer URL from the discovery URL.
             required_scopes: Required OCI scopes (defaults to ["openid"])
             redirect_path: Redirect path configured in OCI IAM Domain Integrated Application. The default is "/auth/callback".
             allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
         """
-
-        overrides: dict[str, object] = {
-            k: v
-            for k, v in {
-                "config_url": config_url,
-                "client_id": client_id,
-                "client_secret": client_secret,
-                "audience": audience,
-                "base_url": base_url,
-                "issuer_url": issuer_url,
-                "required_scopes": required_scopes,
-                "redirect_path": redirect_path,
-                "allowed_client_redirect_uris": allowed_client_redirect_uris,
-                "jwt_signing_key": jwt_signing_key,
-            }.items()
-            if v is not NotSet
-        }
-        settings = OCIProviderSettings(**overrides)  # type: ignore[arg-type]
-
-        if not settings.config_url:
-            raise ValueError(
-                "config_url is required - set via parameter or FASTMCP_SERVER_AUTH_OCI_CONFIG_URL"
-            )
-
-        if not settings.client_id:
-            raise ValueError(
-                "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_OCI_CLIENT_ID"
-            )
-
-        if not settings.client_secret:
-            raise ValueError(
-                "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET"
-            )
-
-        if not settings.base_url:
-            raise ValueError(
-                "base_url is required - set via parameter or FASTMCP_SERVER_AUTH_OCI_BASE_URL"
-            )
-
-        oci_required_scopes = settings.required_scopes or ["openid"]
+        # Parse scopes if provided as string
+        oci_required_scopes = (
+            parse_scopes(required_scopes) if required_scopes is not None else ["openid"]
+        )
 
         super().__init__(
-            config_url=settings.config_url,
-            client_id=settings.client_id,
-            client_secret=settings.client_secret.get_secret_value(),
-            audience=settings.audience,
-            base_url=settings.base_url,
-            issuer_url=settings.issuer_url,
-            redirect_path=settings.redirect_path,
+            config_url=config_url,
+            client_id=client_id,
+            client_secret=client_secret,
+            audience=audience,
+            base_url=base_url,
+            issuer_url=issuer_url,
+            redirect_path=redirect_path,
             required_scopes=oci_required_scopes,
-            allowed_client_redirect_uris=settings.allowed_client_redirect_uris,
+            allowed_client_redirect_uris=allowed_client_redirect_uris,
             client_storage=client_storage,
-            jwt_signing_key=settings.jwt_signing_key,
+            jwt_signing_key=jwt_signing_key,
             require_authorization_consent=require_authorization_consent,
         )
 
         logger.debug(
             "Initialized OCI OAuth provider for client %s with scopes: %s",
-            settings.client_id,
+            client_id,
             oci_required_scopes,
         )

fastmcp/server/auth/providers/scalekit.py

@@ -8,50 +8,18 @@ authentication for seamless MCP client authentication.
 from __future__ import annotations
 
 import httpx
-from pydantic import AnyHttpUrl, field_validator, model_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import AnyHttpUrl
 from starlette.responses import JSONResponse
 from starlette.routing import Route
 
 from fastmcp.server.auth import RemoteAuthProvider, TokenVerifier
 from fastmcp.server.auth.providers.jwt import JWTVerifier
-from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
 
-class ScalekitProviderSettings(BaseSettings):
-    model_config = SettingsConfigDict(
-        env_prefix="FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_",
-        env_file=ENV_FILE,
-        extra="ignore",
-    )
-
-    environment_url: AnyHttpUrl
-    resource_id: str
-    base_url: AnyHttpUrl | None = None
-    mcp_url: AnyHttpUrl | None = None
-    required_scopes: list[str] | None = None
-
-    @field_validator("required_scopes", mode="before")
-    @classmethod
-    def _parse_scopes(cls, value: object):
-        return parse_scopes(value)
-
-    @model_validator(mode="after")
-    def _resolve_base_url(self):
-        resolved = self.base_url or self.mcp_url
-        if resolved is None:
-            msg = "Either base_url or mcp_url must be provided for ScalekitProvider"
-            raise ValueError(msg)
-
-        object.__setattr__(self, "base_url", resolved)
-        return self
-
-
 class ScalekitProvider(RemoteAuthProvider):
     """Scalekit resource server provider for OAuth 2.1 authentication.
 
@@ -95,12 +63,12 @@ class ScalekitProvider(RemoteAuthProvider):
     def __init__(
         self,
         *,
-        environment_url: AnyHttpUrl | str | NotSetT = NotSet,
-        client_id: str | NotSetT = NotSet,
-        resource_id: str | NotSetT = NotSet,
-        base_url: AnyHttpUrl | str | NotSetT = NotSet,
-        mcp_url: AnyHttpUrl | str | NotSetT = NotSet,
-        required_scopes: list[str] | NotSetT = NotSet,
+        environment_url: AnyHttpUrl | str,
+        resource_id: str,
+        base_url: AnyHttpUrl | str | None = None,
+        mcp_url: AnyHttpUrl | str | None = None,
+        client_id: str | None = None,
+        required_scopes: list[str] | None = None,
         token_verifier: TokenVerifier | None = None,
     ):
         """Initialize Scalekit resource server provider.
@@ -108,42 +76,36 @@ class ScalekitProvider(RemoteAuthProvider):
         Args:
             environment_url: Your Scalekit environment URL (e.g., "https://your-env.scalekit.com")
             resource_id: Your Scalekit resource ID
-            base_url: Public URL of this FastMCP server
+            base_url: Public URL of this FastMCP server (or use mcp_url for backwards compatibility)
+            mcp_url: Deprecated alias for base_url. Will be removed in a future release.
+            client_id: Deprecated parameter, no longer required. Will be removed in a future release.
             required_scopes: Optional list of scopes that must be present in tokens
             token_verifier: Optional token verifier. If None, creates JWT verifier for Scalekit
         """
-        legacy_client_id = client_id is not NotSet
-
-        settings = ScalekitProviderSettings.model_validate(
-            {
-                k: v
-                for k, v in {
-                    "environment_url": environment_url,
-                    "resource_id": resource_id,
-                    "base_url": base_url,
-                    "mcp_url": mcp_url,
-                    "required_scopes": required_scopes,
-                }.items()
-                if v is not NotSet
-            }
-        )
+        # Resolve base_url from mcp_url if needed (backwards compatibility)
+        resolved_base_url = base_url or mcp_url
+        if not resolved_base_url:
+            raise ValueError("Either base_url or mcp_url must be provided")
 
-        if settings.mcp_url is not None:
+        if mcp_url is not None:
             logger.warning(
                 "ScalekitProvider parameter 'mcp_url' is deprecated and will be removed in a future release. "
                 "Rename it to 'base_url'."
             )
 
-        if legacy_client_id:
+        if client_id is not None:
             logger.warning(
                 "ScalekitProvider no longer requires 'client_id'. The parameter is accepted only for backward "
                 "compatibility and will be removed in a future release."
             )
 
-        self.environment_url = str(settings.environment_url).rstrip("/")
-        self.resource_id = settings.resource_id
-        self.required_scopes = settings.required_scopes or []
-        base_url_value = str(settings.base_url)
+        self.environment_url = str(environment_url).rstrip("/")
+        self.resource_id = resource_id
+        parsed_scopes = (
+            parse_scopes(required_scopes) if required_scopes is not None else []
+        )
+        self.required_scopes = parsed_scopes
+        base_url_value = str(resolved_base_url)
 
         logger.debug(
             "Initializing ScalekitProvider: environment_url=%s resource_id=%s base_url=%s required_scopes=%s",

fastmcp/server/auth/providers/supabase.py

@@ -10,40 +10,18 @@ from __future__ import annotations
 from typing import Literal
 
 import httpx
-from pydantic import AnyHttpUrl, field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import AnyHttpUrl
 from starlette.responses import JSONResponse
 from starlette.routing import Route
 
 from fastmcp.server.auth import RemoteAuthProvider, TokenVerifier
 from fastmcp.server.auth.providers.jwt import JWTVerifier
-from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
 
-class SupabaseProviderSettings(BaseSettings):
-    model_config = SettingsConfigDict(
-        env_prefix="FASTMCP_SERVER_AUTH_SUPABASE_",
-        env_file=ENV_FILE,
-        extra="ignore",
-    )
-
-    project_url: AnyHttpUrl
-    base_url: AnyHttpUrl
-    auth_route: str = "/auth/v1"
-    algorithm: Literal["HS256", "RS256", "ES256"] = "ES256"
-    required_scopes: list[str] | None = None
-
-    @field_validator("required_scopes", mode="before")
-    @classmethod
-    def _parse_scopes(cls, v):
-        return parse_scopes(v)
-
-
 class SupabaseProvider(RemoteAuthProvider):
     """Supabase metadata provider for DCR (Dynamic Client Registration).
 
@@ -62,6 +40,7 @@ class SupabaseProvider(RemoteAuthProvider):
     2. JWT Verification:
        - FastMCP verifies JWTs using the JWKS endpoint at {project_url}{auth_route}/.well-known/jwks.json
        - JWTs are issued by {project_url}{auth_route}
+       - Default auth_route is "/auth/v1" (can be customized for self-hosted setups)
        - Tokens are cached for up to 10 minutes by Supabase's edge servers
        - Algorithm must match your Supabase Auth configuration
 
@@ -92,11 +71,11 @@ class SupabaseProvider(RemoteAuthProvider):
     def __init__(
         self,
         *,
-        project_url: AnyHttpUrl | str | NotSetT = NotSet,
-        base_url: AnyHttpUrl | str | NotSetT = NotSet,
-        auth_route: str | NotSetT = NotSet,
-        algorithm: Literal["HS256", "RS256", "ES256"] | NotSetT = NotSet,
-        required_scopes: list[str] | NotSetT | None = NotSet,
+        project_url: AnyHttpUrl | str,
+        base_url: AnyHttpUrl | str,
+        auth_route: str = "/auth/v1",
+        algorithm: Literal["HS256", "RS256", "ES256"] = "ES256",
+        required_scopes: list[str] | None = None,
         token_verifier: TokenVerifier | None = None,
     ):
         """Initialize Supabase metadata provider.
@@ -104,7 +83,8 @@ class SupabaseProvider(RemoteAuthProvider):
         Args:
             project_url: Your Supabase project URL (e.g., "https://abc123.supabase.co")
             base_url: Public URL of this FastMCP server
-            auth_route: Supabase Auth route. Defaults to "/auth/v1".
+            auth_route: Supabase Auth route. Defaults to "/auth/v1". Can be customized
+                for self-hosted Supabase Auth setups using custom routes.
             algorithm: JWT signing algorithm (HS256, RS256, or ES256). Must match your
                 Supabase Auth configuration. Defaults to ES256.
             required_scopes: Optional list of scopes to require for all requests.
@@ -112,31 +92,22 @@ class SupabaseProvider(RemoteAuthProvider):
                 scopes are an upcoming feature.
             token_verifier: Optional token verifier. If None, creates JWT verifier for Supabase
         """
-        settings = SupabaseProviderSettings.model_validate(
-            {
-                k: v
-                for k, v in {
-                    "project_url": project_url,
-                    "base_url": base_url,
-                    "auth_route": auth_route,
-                    "algorithm": algorithm,
-                    "required_scopes": required_scopes,
-                }.items()
-                if v is not NotSet
-            }
-        )
+        self.project_url = str(project_url).rstrip("/")
+        self.base_url = AnyHttpUrl(str(base_url).rstrip("/"))
+        self.auth_route = auth_route.strip("/")
 
-        self.project_url = str(settings.project_url).rstrip("/")
-        self.base_url = AnyHttpUrl(str(settings.base_url).rstrip("/"))
-        self.auth_route = settings.auth_route.strip("/")
+        # Parse scopes if provided as string
+        parsed_scopes = (
+            parse_scopes(required_scopes) if required_scopes is not None else None
+        )
 
         # Create default JWT verifier if none provided
         if token_verifier is None:
             token_verifier = JWTVerifier(
                 jwks_uri=f"{self.project_url}/{self.auth_route}/.well-known/jwks.json",
                 issuer=f"{self.project_url}/{self.auth_route}",
-                algorithm=settings.algorithm,
-                required_scopes=settings.required_scopes,
+                algorithm=algorithm,
+                required_scopes=parsed_scopes,
             )
 
         # Initialize RemoteAuthProvider with Supabase as the authorization server