feat: valkey oauth storage for truly stateless oauth 2.1 proxy

.env.oauth21

@@ -14,3 +14,26 @@ OAUTH2_ENABLE_DEBUG=false
 
 # Legacy Compatibility (recommended during migration)
 OAUTH2_ENABLE_LEGACY_AUTH=true
+
+# ---------------------------------------------------------------------------
+# FastMCP OAuth Proxy storage (OAuth 2.1)
+#
+# By default, FastMCP stores OAuth proxy state on disk under:
+#   ${FASTMCP_HOME}/oauth-proxy
+#
+# To store OAuth proxy state in Valkey instead, configure:
+#
+# WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=valkey
+# WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST=localhost
+# WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PORT=6379
+# WORKSPACE_MCP_OAUTH_PROXY_VALKEY_USE_TLS=false
+# WORKSPACE_MCP_OAUTH_PROXY_VALKEY_DB=0
+# WORKSPACE_MCP_OAUTH_PROXY_VALKEY_USERNAME=
+# WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PASSWORD=
+# WORKSPACE_MCP_OAUTH_PROXY_VALKEY_REQUEST_TIMEOUT_MS=5000
+# WORKSPACE_MCP_OAUTH_PROXY_VALKEY_CONNECTION_TIMEOUT_MS=10000
+#
+# Encryption:
+# - Values are encrypted with the same Fernet scheme FastMCP uses for its default disk store.
+# - Key material is derived from FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY if set, otherwise GOOGLE_OAUTH_CLIENT_SECRET.
+# - For stable decryption across client-secret rotations, set FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY explicitly.