FastMCP 2.13: Storage, Security, and Scale - Mostly Harmless

The massive adoption of the OAuth proxy meant the community immediately started battle-testing our auth implementation in real-world scenarios. We learned our original Azure provider only worked in the narrowest of cases; intrepid users helped us build a far more robust version. Others contributed a variety of new providers, with the result being that FastMCP now supports out-of-the-box authentication with: … More critically, I owe a huge thanks to MCP Core Committee member **Den Delimarsky** for responsibly disclosing two nuanced, MCP-specific vulnerabilities: a confused deputy attack and a related token security boundary issue. The fixes required some novel solutions, including having the proxy issue its own tokens and implementing a new consent screen for explicit client approval. Our OAuth implementation is now hardened, spec-compliant, and thanks to the community’s scrutiny, ready for production. … - **Response Caching:** The new `ResponseCachingMiddleware` provides an instant performance win for expensive, repeated tool and resource calls. - **Server Lifespans:** We fixed a long-standing point of confusion in the MCP SDK. `lifespan` now correctly refers to the *server* lifecycle (for things like DB connections), not the client session. This is a breaking change, but it’s the correct one.