Updated README.

2025-08-26 17:53:55 -04:00 · 2025-08-26 17:53:55 -04:00 · 3b1700c367
commit 3b1700c367
parent d3059af8d8
1 changed files with 30 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -126,6 +126,7 @@ Launches a fully functional HTTP server with:
 - In-browser test client UI
 - Multi-connection support
 - Built with lightweight Hono framework
+- Optional pass-through auth headers

 ### StreamableHTTP

@ -138,6 +139,7 @@ Implements the MCP StreamableHTTP transport which offers:
 - Compatibility with MCP StreamableHTTPClientTransport
 - In-browser test client UI
 - Built with lightweight Hono framework
+- Optional pass-through auth headers

 ### Transport Comparison

@ -152,6 +154,7 @@ Implements the MCP StreamableHTTP transport which offers:
 | Load balancing     | No                  | Limited           | Yes                |
 | Status codes       | No                  | Limited           | Full HTTP codes    |
 | Headers            | No                  | Limited           | Full HTTP headers  |
+| Pass-through Auth  | No                  | Optional          | Optional           |
 | Test client        | No                  | Yes               | Yes                |

 ---
@ -169,6 +172,33 @@ Configure auth credentials in your environment:

 ---

+## 🔐 Pass-through Headers for Authentication
+
+Use the CLI option `--passthrough-auth` to have the server pass-through client auth headers to the downstream API. The headers forwarded are for the auth schemes defined in the OpenAPI spec. Scheme types http (bearer or basic), apiKey (header, query param, or cookie), and openIdConnect bearer tokens are supported.
+
+The client should configure the auth credentials to be sent, for example:
+
+```
+"mcpServers": {
+      "my-api": {
+        "transport": "HTTP",
+        "url": "http://localhost:3000/sse",
+        "headers": {
+          "Authorization": "Bearer MY_TOKEN"
+        }
+      },
+      "my-other-api": {
+        "transport": "Streamable-HTTP",
+        "url": "http://localhost:4000/mcp",
+        "headers": {
+          "X-API-Key": "MY_API_KEY"
+        }
+      },
+}
+```
+
+---
+
 ## 🔎 Filtering Endpoints with OpenAPI Extensions

 You can control which operations are exposed as MCP tools using a vendor extension flag `x-mcp`. This extension is supported at the root, path, and operation levels. By default, endpoints are included unless explicitly excluded.