diff --git a/superset/mcp_service/auth.py b/superset/mcp_service/auth.py
index 4298e6f0341..2116f32c306 100644
--- a/superset/mcp_service/auth.py
+++ b/superset/mcp_service/auth.py
@@ -51,6 +51,8 @@ from typing import Any, Callable, TYPE_CHECKING, TypeVar
 from flask import g, has_request_context
 from flask_appbuilder.security.sqla.models import Group, User
 
+from superset.mcp_service.composite_token_verifier import API_KEY_PASSTHROUGH_CLAIM
+
 if TYPE_CHECKING:
     from superset.connectors.sqla.models import SqlaTable
     from superset.mcp_service.chart.chart_utils import DatasetValidationResult
@@ -221,10 +223,6 @@ def _resolve_user_from_jwt_context(app: Any) -> User | None:
     # API key pass-through: CompositeTokenVerifier accepted this token
     # at the transport layer but defers actual validation to
     # _resolve_user_from_api_key() (priority 2 in get_user_from_request).
-    from superset.mcp_service.composite_token_verifier import (
-        API_KEY_PASSTHROUGH_CLAIM,
-    )
-
     claims = getattr(access_token, "claims", None)
     if isinstance(claims, dict) and claims.get(API_KEY_PASSTHROUGH_CLAIM):
         logger.debug("API key pass-through token detected, deferring to API key auth")
@@ -294,10 +292,6 @@ def _resolve_user_from_api_key(app: Any) -> User | None:
     # Only validate tokens that the CompositeTokenVerifier flagged as
     # API key pass-throughs. Plain JWTs were already validated by the JWT
     # verifier and resolved in _resolve_user_from_jwt_context.
-    from superset.mcp_service.composite_token_verifier import (
-        API_KEY_PASSTHROUGH_CLAIM,
-    )
-
     claims = getattr(access_token, "claims", None)
     if not (isinstance(claims, dict) and claims.get(API_KEY_PASSTHROUGH_CLAIM)):
         return None
diff --git a/superset/mcp_service/mcp_config.py b/superset/mcp_service/mcp_config.py
index 9a91157b3b6..34ca8e400a3 100644
--- a/superset/mcp_service/mcp_config.py
+++ b/superset/mcp_service/mcp_config.py
@@ -22,6 +22,7 @@ from typing import Any, Dict, Optional
 
 from flask import Flask
 
+from superset.mcp_service.composite_token_verifier import CompositeTokenVerifier
 from superset.mcp_service.constants import (
     DEFAULT_TOKEN_LIMIT,
     DEFAULT_WARN_THRESHOLD_PCT,
@@ -323,10 +324,6 @@ def create_default_mcp_auth_factory(app: Flask) -> Optional[Any]:
                     return None
 
     if api_key_enabled:
-        from superset.mcp_service.composite_token_verifier import (
-            CompositeTokenVerifier,
-        )
-
         api_key_prefixes = app.config.get("FAB_API_KEY_PREFIXES", ["sst_"])
         logger.info("API key auth enabled for MCP")
         return CompositeTokenVerifier(