Most of the fixes in this patch are about auth providers getting audience validation wrong. Cognito token verification was checking the aud JWT claim, but Cognito access tokens don't include one; they use client_id instead. Azure was hardcoding the raw client ID as the expected audience, ignoring the identifier_uri parameter even though Entra v2.0 tokens use the Application ID URI as aud. Both now validate correctly without changing the provider API. Consent cookies also had an unbounded growth problem in high-DCR-client environments, eventually blowing past reverse proxy header limits; they're now capped as an LRU.
On the OpenAPI side, nullable: true fields from 3.0 specs were leaking into tool input schemas as-is instead of being converted to JSON Schema's type: ["string", "null"]. Server variable templates in base URLs (like https://{region}.api.example.com) were also being passed through raw instead of substituted with their defaults.
Smaller fixes: form submissions from Prefab UI now correctly handle unchecked boolean checkboxes, the client no longer crashes on error responses with empty or non-text content from third-party servers, and asyncio.iscoroutinefunction no longer emits deprecation warnings on Python 3.14.
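The Cognito and Azure audience fixes in the first paragraph come down to which claim binds a token to the application. The following is an added example, not FastMCP's own code. It assumes signature, issuer and expiry have already been verified, and all function names and sample claims are hypothetical.

```python
# Added example; names and sample claims are hypothetical/constructed.
# Assumes signature, issuer and expiry were already verified upstream.

class AudienceError(ValueError):
    """The token was not issued for this application."""


def _as_set(value):
    # RFC 7519: "aud" may be one string or an array of strings.
    if isinstance(value, str):
        return {value}
    if isinstance(value, (list, tuple, set)):
        return {v for v in value if isinstance(v, str)}
    return set()


def aud_only_check(claims, expected):
    """Audience check that only looks at "aud" (returns bool)."""
    return expected in _as_set(claims.get("aud"))


def check_cognito_access_token(claims, expected_client_id):
    """Bind a Cognito access token to our app client via client_id."""
    if claims.get("token_use") != "access":
        raise AudienceError("not a Cognito access token")
    cid = claims.get("client_id")
    # Fail closed: a missing or non-string client_id never matches.
    if not isinstance(cid, str) or cid != expected_client_id:
        raise AudienceError("token issued to a different app client")
    return True


def check_audience(claims, accepted_audiences):
    """aud check against configured values, e.g. an Application ID URI."""
    if not _as_set(claims.get("aud")) & _as_set(accepted_audiences):
        raise AudienceError("aud matches no accepted audience")
    return True


# Constructed sample claims (not real tokens).
COGNITO_OK = {"token_use": "access", "client_id": "example-client"}
COGNITO_OTHER = {"token_use": "access", "client_id": "other-client"}
AZURE_OK = {"aud": "api://example-app"}

if __name__ == "__main__":
    print(aud_only_check(COGNITO_OK, "example-client"))  # legit token rejected
    print(check_cognito_access_token(COGNITO_OK, "example-client"))
    print(check_audience(AZURE_OK, {"api://example-app"}))
```

The `aud`-only check rejects a legitimate Cognito access token because the claim is absent, while the `client_id` check still refuses a token minted for another app client.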
What's Changed
Breaking Changes ⚠️
- fix(google): use sub (user ID) for client_id instead of aud (app ID) by @shigechika in #3722
- fix: remove CSP from tool metadata, keep on resource only by @jlowin in #3754
Enhancements ✨
- [codex] Add FastMCP docs telemetry by @aaazzam in #3727
- chore: split SDK navigation into standalone $ref file by @jlowin in #3773
- fix: bump ty to >=0.0.29 and suppress new false positives by @jlowin in #3790
Fixes 🐞
- fix: use explicit None checks for JWT exp validation by @jlowin in #3724
- Unify background task context forwarding, fix concurrent dependency bugs by @chrisguidry in #3710
- fix: add proxy timeouts and modernize networking in apps dev by @mateeaaa in #3741
- fix: ResponseLimitingMiddleware no longer breaks outputSchema tools by @jlowin in #3756
- fix: substitute server variable defaults when building base URL from OpenAPI spec by @mrishav in #3770
- fix: FastAPI TestClient compatibility and lifespan re-initialization by @kvdhanush06 in #3736
- fix: propagate upstream_claims in load_access_token by @kvdhanush06 in #3750
- Remove deprecated asyncio.iscoroutinefunction fallback by @kaiisfree in #3767
- fix: changeable allowed_client_redirect_uris on OAuthProxy by @fengarix in #3772
- fix: broken link in changelog by @jlowin in #3775
- fix(docs): correct FastMCP tool name in welcome docs by @buyua9 in #3781
- fix: cap consent cookie size to prevent header overflow by @jlowin in #3784
- Fix boolean property schemas in JSON Schema parsing by @jlowin in #3785
- Fix OpenAPI 3.0 nullable fields in tool input schemas by @kvdhanush06 in #3768
- fix: Cognito token verification checks client_id instead of aud by @jlowin in #3786
- fix: use identifier_uri as audience for Azure token validation by @jlowin in #3787
- Harden client tool result error handling by @aimable100 in #3778
Docs 📚
- GitHub integration documentation fix: use result.data otherwise CallToolResult not scriptable by @c4jquick in #3753
- chore: split v2 docs navigation into separate file by @jlowin in #3762
- docs: document forward_resource parameter on OAuthProxy by @jlowin in #3788
Examples & Contrib 💡
Dependencies 📦
- chore(deps): bump fastmcp from 3.1.1 to 3.2.0 in /examples/testing_demo in the uv group across 1 directory by @dependabot[bot] in #3728
- chore(deps): bump anthropic from 0.86.0 to 0.87.0 in the uv group across 1 directory by @dependabot[bot] in #3742
New Contributors
- @c4jquick made their first contribution in #3753
- @mateeaaa made their first contribution in #3741
- @mrishav made their first contribution in #3770
- @kvdhanush06 made their first contribution in #3736
- @kaiisfree made their first contribution in #3767
- @fengarix made their first contribution in #3772
- @buyua9 made their first contribution in #3781
- @aimable100 made their first contribution in #3778
Full Changelog: v3.2.0...v3.2.1