FastMCP
Naive MCP servers expose all tools to all users without fine-grained authorization
[9] MCP servers announce all available tools and resources to any connected client, and naive implementations expose sensitive tools to all users regardless of role or permissions. This creates major security risks: tools that delete data or trigger sensitive operations become available to anyone, and low-privilege users can instruct agents to invoke highly sensitive tools.
Auth headers leak from MCP transport to downstream OpenAPI APIs
[8] Authentication headers from the MCP transport layer were being improperly forwarded to downstream OpenAPI APIs, creating security and information disclosure risks.
OpenAPI schemas with circular references crash tool discovery
[8] Tool discovery fails when OpenAPI schemas contain circular references, blocking the ability to properly register and expose tools.
Middleware state not persisting to tool handlers
[8] Middleware state set during request processing was not being correctly propagated to tool handler functions, breaking authentication and request context flows in production.
Memory leak in FastMCP memory:// transport broker
[7] The FastMCP memory:// docket broker accumulates cancelled tasks instead of cleaning them up, causing a memory leak in long-running servers.
MCP server architecture incompatible with serverless deployments
[7] MCP's Docker-packaged server model doesn't align with the serverless architectures used by 95% of Fortune 500 companies. Cold start delays (up to 5 seconds), missing infrastructure templates, logging mismatches, and testing difficulties increase maintenance overhead and costs.
FastMCP tightly coupled to Prefect ecosystem
[6] FastMCP is heavily dependent on the Prefect ecosystem, limiting options for developers who prefer self-hosted or alternative hosting solutions. This tight integration restricts deployment flexibility.
Feature additions slow down with framework complexity
[6] As FastMCP's surface area grows, adding incremental features takes progressively longer due to concerns about breaking existing features or violating spec compliance. The framework architecture makes it harder to introduce new code paths safely.
OAuth token introspection requires enterprise-specific auth flows
[5] Earlier FastMCP versions lacked RFC 7662 token introspection support, making it difficult to integrate with enterprise OAuth patterns and requiring workarounds for standard token validation flows.
Steep learning curve for FastMCP architecture
[5] Despite promises of simplicity, FastMCP's architecture with components, transforms, and providers is overwhelming for newcomers. The depth of the system makes it difficult to understand how the pieces fit together.
MCP protocol confusion about server lifecycle vs client session lifecycle
[5] The `lifespan` parameter in the MCP SDK was ambiguous and commonly misunderstood: developers thought it referred to client sessions when it actually refers to the server lifecycle (e.g., database connections), causing initialization and cleanup logic to run incorrectly.